← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1302106] Re: LDAP non-URL safe characters cause auth failure

 

** Also affects: keystone/havana
   Importance: Undecided
       Status: New

** Changed in: keystone/havana
   Importance: Undecided => High

** Changed in: keystone/havana
       Status: New => In Progress

** Changed in: keystone/havana
     Assignee: (unassigned) => Dolph Mathews (dolph)

** Tags removed: havana-backport-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1302106

Title:
  LDAP non-URL safe characters cause auth failure

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  In Progress

Bug description:
  An Openstack user attempting to integrate Keystone with AD has
  reported that when his user contains a comma (full name CN='Doe,
  John'), a 'Bad search filter' error is thrown. If the full name CN is
  instead 'John Doe', authorization succeeds.

  dpkg -l |grep keystone
  ii  keystone                             1:2013.2.2-0ubuntu1~cloud0                          OpenStack identity service - Daemons
  ii  python-keystone                      1:2013.2.2-0ubuntu1~cloud0                          OpenStack identity service - Python library
  ii  python-keystoneclient                1:0.3.2-0ubuntu1~cloud0                             Client library for OpenStack Identity API

  Relevant error message:
  Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500)

  Relevant stack trace:
  2014-03-31 15:44:27.459 3018 ERROR keystone.common.wsgi [-] {'desc': 'Bad search filter'}
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi Traceback (most recent call last):
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     result = method(context, **params)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 94, in authenticate
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     context, auth)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 272, in _authenticate_local
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     user_id, tenant_id)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 369, in _get_project_roles_and_ref
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     user_id, tenant_id)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 475, in get_roles_for_user_and_project
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     user_id, tenant_id)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 160, in get_roles_for_user_and_project
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     group_role_list = _get_group_project_roles(user_id, project_ref)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 111, in _get_group_project_roles
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     group_refs = self.identity_api.list_groups_for_user(user_id)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 177, in wrapper
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 425, in list_groups_for_user
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     group_list = driver.list_groups_for_user(user_id)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 154, in list_groups_for_user
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     return self.group.list_user_groups(user_dn)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 334, in list_user_groups
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     memberships = self.get_all(query)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 388, in get_all
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     for x in self._ldap_get_all(filter)]
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 364, in _ldap_get_all
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     self.attribute_mapping.values())
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 571, in search_s
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     res = self.conn.search_s(dn, scope, query, attrlist)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 502, in search_s
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 495, in search_ext_s
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 491, in search_ext
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     timeout,sizelimit,
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     result = func(*args,**kwargs)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi FILTER_ERROR: {'desc': 'Bad search filter'}
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1302106/+subscriptions


References