yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1354315] Re: REMOTE_USER as empty string results in authentication failure

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 04 Sep 2014 14:32:46 -0000
Reply-to: Bug 1354315 <1354315@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => juno-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1354315

Title:
  REMOTE_USER as empty string results in authentication failure

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  On some federation setups (observed on Apache 2.4.7 + shibboleth 2.5.2, on Ubuntu 14.04) the REMOTE_USER environment variable is set to the empty string when performing a SAML-backed authentication, even though shibboleth is configured so that it doesn't populate REMOTE_USER with any assertion.
  This causes the external auth method to take over the expected saml2 auth method, and results in a 401 failure since user '' cannot be found.
  A workaround is to disable the external auth method in /etc/keystone/keystone.conf.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1354315/+subscriptions

References

[Bug 1354315] [NEW] REMOTE_USER as empty string results in authentication failure
From: Matthieu Huin, 2014-08-08