
yahoo-eng-team team mailing list archive

[Bug 1355489] [NEW] ldap binary fields fail when code try to convert to utf8

 

Public bug reported:

When attempting to fetch a token with an LDAP-backed keystone
authentication, users are never able to authenticate.

Setup:
  Version: stable/icehouse
  LDAP: Active Directory.  User fields have many binary fields (i.e. thumbnail_image).
  driver=keystone.identity.backends.ldap.Identity

Observance
  Request: When attempting to fetch a token with known valid creds via: keystone token-get
  Response: The request you have made requires authentication. (HTTP 401)

Debugging Session:
During an IRC #openstack-keystone chat 8/11 with ayoung, wwriverrat1, mdorman, it was discovered the method _id_to_dn calls search without limiting the return attributes.  When the internal search is performed, each of the attributes returned from ldap is being converted to utf8, including the binary fields.  This causes the call to raise an exception and quietly reject the request. If the code prevents these fields from returning, all is well.

Source (stable/icehouse): 
https://github.com/openstack/keystone/blob/stable/icehouse/keystone/common/ldap/core.py#L464-L470

Adding a search value for attrlist eliminated the error:
Changed the following line 470
    'objclass': self.object_class})
to
    'objclass': self.object_class}, attrlist=[self.id_attr])
resolved the issue.

This should be a safe fix because the actual return attributes are never
needed nor returned. NOTE: passing in an empty list did not fix the
problem.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1355489

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1355489/+subscriptions
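
The failure mode reported above, as an added offline example that is not part of the original report and is not Keystone's code. The directory entry, fake_search_s, decode_results and id_to_dn are constructed stand-ins, and the swallowed exception models the "quietly reject" behaviour the report describes. The empty-list case follows RFC 4511, where an empty attribute list requests all user attributes, which is one explanation consistent with the report's NOTE.

```python
# Constructed sample entry: an AD-style user with one binary attribute.
ENTRY_DN = "CN=jdoe,OU=Users,DC=example,DC=test"
ENTRY = {
    "cn": [b"jdoe"],
    "mail": [b"jdoe@example.test"],
    # JPEG header bytes: 0xff is never a valid UTF-8 start byte.
    "thumbnailPhoto": [b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"],
}


def fake_search_s(attrlist=None):
    """Hypothetical stand-in for an LDAP search returning (dn, attrs) pairs.

    RFC 4511 section 4.5.1.8: an absent or empty attribute list means
    "all user attributes", so attrlist=[] does not narrow the result.
    """
    if not attrlist:
        attrs = dict(ENTRY)
    else:
        wanted = {name.lower() for name in attrlist}
        attrs = {k: v for k, v in ENTRY.items() if k.lower() in wanted}
    return [(ENTRY_DN, attrs)]


def decode_results(results):
    """Decode every returned value as UTF-8, binary fields included."""
    return [
        (dn, {k: [v.decode("utf-8") for v in vals] for k, vals in attrs.items()})
        for dn, attrs in results
    ]


def id_to_dn(attrlist=None):
    """Simplified lookup: only the DN of the first match is ever used."""
    try:
        decoded = decode_results(fake_search_s(attrlist))
    except UnicodeDecodeError:
        # Assumption: the error is swallowed, so the caller sees "no such
        # user" and the API answers 401 even with valid credentials.
        return None
    return decoded[0][0] if decoded else None


if __name__ == "__main__":
    print("no attrlist   ->", id_to_dn())          # binary field breaks decoding
    print("attrlist=[]   ->", id_to_dn([]))        # still returns every attribute
    print("attrlist=[cn] ->", id_to_dn(["cn"]))    # only a text attribute comes back
```
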

