yahoo-eng-team team mailing list archive
Message #16208
[Bug 1329891] [NEW] Keystone Not Able to Add Users to AD/Ldap and OpenLdap
Public bug reported:
I tried to add users to AD/Ldap through keystone with the following curl command -
curl -s -k -H 'X-Auth-Token: ADMIN' -H 'Content-Type: application/json' -d '{"user": {"name": "test7", "password": "Devtest123"}}' http://localhost:35357/v3/users
Keystone showed the following stack trace -
__init__ /home/leonchio/dev/keystone/keystone/common/ldap/core.py:713
2014-06-13 10:40:50.064 1420 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=Administrator,CN=Users,DC=vlan44,DC=domain simple_bind_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:773
('########## values ########## %s', {'password': '{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn', 'enabled': True, 'id': '1c81387f5aea40329bc9f77c90109c66', 'name': u'test7'})
2014-06-13 10:40:50.066 1420 DEBUG keystone.common.ldap.core [-] LDAP add: dn=cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain, attrs=[('objectClass', [u'person', u'user']), ('userPassword', ['****']), ('enabled', [u'TRUE']), ('cn', [u'test7'])] add_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:793
2014-06-13 10:40:50.068 1420 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:779
2014-06-13 10:40:50.068 1420 ERROR keystone.common.wsgi [-] {'info': "00002081: NameErr: DSID-03050CDA, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:\n\t'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n", 'desc': 'Invalid DN syntax'}
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/common/wsgi.py", line 207, in __call__
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi result = method(context, **params)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/common/controller.py", line 152, in inner
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return f(self, context, *args, **kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/identity/controllers.py", line 276, in create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi ref = self.identity_api.create_user(ref['id'], ref)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/notifications.py", line 74, in wrapper
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi result = f(*args, **kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/identity/core.py", line 189, in wrapper
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/identity/core.py", line 299, in create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi ref = driver.create_user(user_id, user)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/identity/backends/ldap.py", line 91, in create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi user_ref = self.user.create(user)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/identity/backends/ldap.py", line 231, in create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi values = super(UserApi, self).create(values)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 996, in create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return super(EnabledEmuMixIn, self).create(values)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 566, in create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi conn.add_s(self._id_to_dn(values['id']), attrs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 797, in add_s
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return self.conn.add_s(dn_utf8, ldap_attrs_utf8)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 194, in add_s
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return self.result(msgid,all=1,timeout=self.timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 422, in result
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 426, in result2
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 432, in result3
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi result = func(*args,**kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi INVALID_DN_SYNTAX: {'info': "00002081: NameErr: DSID-03050CDA, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:\n\t'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n", 'desc': 'Invalid DN syntax'}
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi
2014-06-13 10:40:50.072 1420 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [13/Jun/2014 10:40:50] "POST /v3/users HTTP/1.1" 500 497 0.065392
And a similar error happens when adding users to OpenLdap.
Here is what I found out -
AD/Ldap: There are 2 issues that cause this bug.
1. In core.create(self, values), the param 'values' passes the following, as in my debug message above -
('########## values ########## %s', {'password': '{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn', 'enabled': True, 'id': '1c81387f5aea40329bc9f77c90109c66', 'name': u'test7'})
This is the list of attributes passed to the AD, except the 'id' attribute, as it will be stripped in the method. And what the AD does not like is the 'enabled' attribute. Stripping it out is one of the two fixes.
2. At the end of core.create(self, values), there is the following call -
conn.add_s(self._id_to_dn(values['id']), attrs)
self._id_to_dn(values['id']) will return the following -
cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain
Somehow this cn got replaced with the 'id' instead of the actual user's name, which is 'test7', and causes the second issue. And it looks like AD expects the cn to be the same value as the attribute 'name' in Point 1.
OpenLdap:
It has the same issue as Point 1 for AD/Ldap, but it has no issue with Point 2.
Summary:
Stripping out the attribute 'enabled' and making the cn=<attribute name> will fix the issue.
** Affects: keystone
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1329891
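How the add request in the trace above gets its DN and attribute list, as an added example that is not Keystone's code: the hypothetical build_add_request reproduces the cn=<id> DN and the raw 'enabled' attribute from the report beside the cn=<name> form the summary proposes, and escape_rdn_value applies the RFC 4514 escaping a name-derived RDN needs before a user-chosen name is placed in a DN. The tree DN, attribute names and function names are assumptions.

```python
# Added illustration, not Keystone's own driver code. Function names, the
# attribute list and the tree DN are hypothetical, modelled on the bug report.

def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4).

    Needed whenever the RDN is derived from a caller-supplied 'name': without
    it a name containing ',' or '=' changes the DN structure itself.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))  # hex-pair form for control chars
        else:
            out.append(ch)
    return ''.join(out)


def build_add_request(values, tree_dn, rdn_attr='cn', rdn_source='name',
                      pass_enabled=False):
    """Return (dn, attrs) for an LDAP add built from a Keystone user ref.

    rdn_source='id' with pass_enabled=True reproduces the request in the
    report (cn=<uuid>,... plus an 'enabled' attribute AD rejects);
    the defaults build cn=<name>,... and drop 'enabled', as the summary
    proposes. 'id' never goes into the attribute list.
    """
    dn = '%s=%s,%s' % (rdn_attr, escape_rdn_value(values[rdn_source]), tree_dn)
    attrs = [('objectClass', ['person', 'user']),
             ('userPassword', [values['password']]),
             (rdn_attr, [values['name']])]
    if pass_enabled:
        attrs.append(('enabled', ['TRUE' if values['enabled'] else 'FALSE']))
    return dn, attrs


# Constructed sample matching the ref printed in the report's debug line.
SAMPLE_VALUES = {'password': '{SSHA}constructed-hash', 'enabled': True,
                 'id': '1c81387f5aea40329bc9f77c90109c66', 'name': 'test7'}
SAMPLE_TREE = 'cn=Users,dc=vlan44,dc=domain'
```

In Keystone's own [ldap] configuration the enabled flag is normally mapped onto a real directory attribute or emulated through group membership (user_enabled_attribute / user_enabled_emulation) rather than sent as an attribute literally named 'enabled'.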