
yahoo-eng-team team mailing list archive

[Bug 1233365] Re: LDAP backend fails when connecting to Active Directory root DN


** Also affects: keystone/havana
   Importance: Undecided
       Status: New

** Tags removed: activedirectory havana-backport-potential
** Tags added: ldap

** Changed in: keystone/havana
       Status: New => In Progress

** Changed in: keystone/havana
     Assignee: (unassigned) => Adam Young (ayoung)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1233365

Title:
  LDAP backend fails when connecting to Active Directory root DN

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  In Progress

Bug description:
  When using the LDAP backend and connecting to Active Directory, trying
  to use the root DN (dc=example,dc=com) as the user_tree_dn (or
  tenant/role_tree_dn) fails with "Authorization Failed: Unable to
  communicate with identity service: {"error": {"message": "An
  unexpected error prevented the server from fulfilling your request.
  {'info': '000004DC: LdapErr: DSID-0C0906E8, comment: In order to
  perform this operation a successful bind must be completed on the
  connection., data 0, v1db1', 'desc': 'Operations error'}", "code":
  500, "title": "Internal Server Error"}}. (HTTP 500)".

  This is because python-ldap chases all referrals with anonymous
  access, which is disabled by default in AD for security reasons.
  Adding a line in core.py under ldap.initialize to not chase referrals
  (self.conn.set_option(ldap.OPT_REFERRALS, 0)) gets around this error,
  but then we get "AttributeError: 'list' object has no attribute
  'iteritems'" in search_s. This is because while the referrals aren't
  chased, they still show up in the results list. The keystone code
  can't seem to handle the format the referrals come in. I was able to
  work around this by adding an if statement before o.append to ignore
  the referral results (if type(dn) is not NoneType). I also added "from
  types import *" at the beginning of core.py.

  I'm sure this isn't the best workaround for everybody, but in general
  I think there should be an option in keystone.conf to enable or
  disable chasing of referrals. If it is disabled, then the previous
  ldap option should be set and something should be done to remove the
  referrals from the results list.

  Edit: I'm using the Grizzly packages from the Ubuntu Cloud Archive on
  Ubuntu 12.04.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1233365/+subscriptions
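The two-step workaround the reporter describes (stop python-ldap chasing referrals, then drop the referral entries that still come back from search_s) as an added, self-contained example. This is not Keystone's code and not the reporter's patch. The entry format it relies on is what python-ldap returns for an unchased referral: a (None, [referral_url, ...]) tuple instead of a (dn, {attr: [values]}) tuple. SAMPLE_RESULTS, the DNs and the referral URLs are constructed; connect_without_referrals() and search_users() need python-ldap and a reachable directory and are not exercised offline.

```python
"""Filter unchased LDAP referrals out of python-ldap search results.

Added example, not Keystone's code. With ldap.OPT_REFERRALS set to 0,
python-ldap no longer follows referrals (which it would otherwise do with
an anonymous bind that Active Directory rejects), but search_s() still
returns each referral in the result list as (None, [url, ...]). Code that
assumes every payload is an attribute dict then fails, which is the
"'list' object has no attribute 'iteritems'" in the bug report.
"""

# Constructed sample of what search_s() on an AD root DN returns with
# OPT_REFERRALS=0: two real entries interleaved with three referrals to
# the DNS and Configuration partitions (hypothetical names).
SAMPLE_RESULTS = [
    ("CN=alice,CN=Users,DC=example,DC=com",
     {"sAMAccountName": [b"alice"], "mail": [b"alice@example.com"]}),
    (None, ["ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"]),
    (None, ["ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com"]),
    ("CN=bob,CN=Users,DC=example,DC=com",
     {"sAMAccountName": [b"bob"], "mail": [b"bob@example.com"]}),
    (None, ["ldap://example.com/CN=Configuration,DC=example,DC=com"]),
]


def is_referral(entry):
    """True for an unchased referral: no DN and a list of URLs as payload."""
    dn, payload = entry
    return dn is None or not isinstance(payload, dict)


def split_referrals(results):
    """Separate real entries from referral URLs in a search_s() result list."""
    entries, referrals = [], []
    for entry in results:
        if is_referral(entry):
            referrals.extend(entry[1])
        else:
            entries.append(entry)
    return entries, referrals


def decode_entries(results):
    """The loop shape from the bug: every payload is assumed to be a dict.

    Raises AttributeError on an unfiltered result list that contains a
    referral, because a list has no .items() (nor .iteritems() on Py2).
    """
    decoded = []
    for dn, attrs in results:
        decoded.append(
            (dn, {k: [v.decode("utf-8") for v in vals] for k, vals in attrs.items()}))
    return decoded


def connect_without_referrals(url, bind_dn, password):
    """Open a bound connection that does not chase referrals (needs python-ldap)."""
    import ldap  # imported lazily so the rest of the module runs offline
    conn = ldap.initialize(url)
    # Set before any request: referrals would otherwise be chased with an
    # anonymous bind, which AD refuses with "a successful bind must be completed".
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.simple_bind_s(bind_dn, password)
    return conn


def search_users(conn, base_dn, filterstr="(objectClass=user)"):
    """Subtree search from the root DN with referral entries dropped."""
    import ldap
    raw = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, filterstr)
    entries, _referrals = split_referrals(raw)
    return decode_entries(entries)


if __name__ == "__main__":
    entries, referrals = split_referrals(SAMPLE_RESULTS)
    print("entries:", [dn for dn, _ in entries])
    print("referrals dropped:", referrals)
```

Checking `dn is None` is what the reporter's `type(dn) is not NoneType` test does; the extra `isinstance(payload, dict)` guard also catches any future result shape that is not an attribute map. Keystone later exposed this as a `[ldap] chase_referrals` option in keystone.conf, so the library call above is only needed on releases without it.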