yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #18967
[Bug 1355489] [NEW] ldap binary fields fail when code try to convert to utf8
Public bug reported:
When attempting to fetch a token with a ldap backed keystone
authentication, users are never able to authenticate.
Setup:
Version: stable/icehouse
LDAP: Active Directory. User fields have many binary fields (i.e. thumbnail_image).
driver=keystone.identity.backends.ldap.Identity
Observance
Request: When attempting to fetch a token with known valid creds via: keystone token-get
Response: The request you have made requires authentication. (HTTP 401)
Debugging Session:
During a IRC #openstack-keystone chat 8/11 with ayoung, wwriverrat1, mdorman, it was discovered the method _id_to_dn calls search without limiting the return attributes. When the internal search is performed, each of the attributes returned from ldap are being converted to utf8 including the binary fields. This causes the call to raise exception and quietly reject the request. If the code prevents these fields from returning, all is well.
Source (stable/icehouse):
https://github.com/openstack/keystone/blob/stable/icehouse/keystone/common/ldap/core.py#L464-L470
Adding a search value for attrlist eliminated the error:
Changed the following line 470
'objclass': self.object_class})
to
'objclass': self.object_class}, attrlist=[self.id_attr])
resolved the issue.
This should be a safe fix because the actual return attributes are never
needed nor returned. NOTE: passing in a empty list did not fix the
problem.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1355489
Title:
ldap binary fields fail when code try to convert to utf8
Status in OpenStack Identity (Keystone):
New
Bug description:
When attempting to fetch a token with a ldap backed keystone
authentication, users are never able to authenticate.
Setup:
Version: stable/icehouse
LDAP: Active Directory. User fields have many binary fields (i.e. thumbnail_image).
driver=keystone.identity.backends.ldap.Identity
Observance
Request: When attempting to fetch a token with known valid creds via: keystone token-get
Response: The request you have made requires authentication. (HTTP 401)
Debugging Session:
During a IRC #openstack-keystone chat 8/11 with ayoung, wwriverrat1, mdorman, it was discovered the method _id_to_dn calls search without limiting the return attributes. When the internal search is performed, each of the attributes returned from ldap are being converted to utf8 including the binary fields. This causes the call to raise exception and quietly reject the request. If the code prevents these fields from returning, all is well.
Source (stable/icehouse):
https://github.com/openstack/keystone/blob/stable/icehouse/keystone/common/ldap/core.py#L464-L470
Adding a search value for attrlist eliminated the error:
Changed the following line 470
'objclass': self.object_class})
to
'objclass': self.object_class}, attrlist=[self.id_attr])
resolved the issue.
This should be a safe fix because the actual return attributes are
never needed nor returned. NOTE: passing in a empty list did not fix
the problem.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1355489/+subscriptions
Follow ups
References