
yahoo-eng-team team mailing list archive

[Bug 1329891] Re: Keystone Not Able to Add Users to AD/Ldap and OpenLdap due to BAD_ATT_SYNTAX (Invalid DN syntax)


From bug 1340041 there has been a fix merged to handle the attribute
mapping [1]. Sam, I'd suggest recreating with that patch to see if that
part of your issue is resolved. As for the write access to AD, I think
Nathan's comment above helps clarify that situation/use case.


[1] https://review.openstack.org/#/c/117658/

** Changed in: keystone
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1329891

Title:
  Keystone Not Able to Add Users to AD/Ldap and OpenLdap due to
  BAD_ATT_SYNTAX (Invalid DN syntax)

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  I tried to add users to AD/Ldap through keystone with the following curl command -
  curl -s -k -H 'X-Auth-Token: ADMIN' -H 'Content-Type: application/json' -d '{"user": {"name": "test7", "password": "Devtest123"}}' http://localhost:35357/v3/users

  Keystone showed the following stack trace -
   __init__ /home/leonchio/dev/keystone/keystone/common/ldap/core.py:713
  2014-06-13 10:40:50.064 1420 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=Administrator,CN=Users,DC=vlan44,DC=domain simple_bind_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:773
  ('########## values ########## %s', {'password': '{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn', 'enabled': True, 'id': '1c81387f5aea40329bc9f77c90109c66', 'name': u'test7'})
  2014-06-13 10:40:50.066 1420 DEBUG keystone.common.ldap.core [-] LDAP add: dn=cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain, attrs=[('objectClass', [u'person', u'user']), ('userPassword', ['****']), ('enabled', [u'TRUE']), ('cn', [u'test7'])] add_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:793
  2014-06-13 10:40:50.068 1420 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:779
  2014-06-13 10:40:50.068 1420 ERROR keystone.common.wsgi [-] {'info': "00002081: NameErr: DSID-03050CDA, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:\n\t'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n", 'desc': 'Invalid DN syntax'}
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi Traceback (most recent call last):
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/common/wsgi.py", line 207, in __call__
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     result = method(context, **params)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/common/controller.py", line 152, in inner
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return f(self, context, *args, **kwargs)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/identity/controllers.py", line 276, in create_user
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     ref = self.identity_api.create_user(ref['id'], ref)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/notifications.py", line 74, in wrapper
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     result = f(*args, **kwargs)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/identity/core.py", line 189, in wrapper
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/identity/core.py", line 299, in create_user
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     ref = driver.create_user(user_id, user)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/identity/backends/ldap.py", line 91, in create_user
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     user_ref = self.user.create(user)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/identity/backends/ldap.py", line 231, in create
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     values = super(UserApi, self).create(values)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 996, in create
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return super(EnabledEmuMixIn, self).create(values)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 566, in create
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     conn.add_s(self._id_to_dn(values['id']), attrs)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 797, in add_s
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return self.conn.add_s(dn_utf8, ldap_attrs_utf8)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 194, in add_s
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return self.result(msgid,all=1,timeout=self.timeout)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 422, in result
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 426, in result2
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 432, in result3
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     result = func(*args,**kwargs)
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi INVALID_DN_SYNTAX: {'info': "00002081: NameErr: DSID-03050CDA, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:\n\t'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n", 'desc': 'Invalid DN syntax'}
  2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi
  2014-06-13 10:40:50.072 1420 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [13/Jun/2014 10:40:50] "POST /v3/users HTTP/1.1" 500 497 0.065392

  And the similar error happens when adding users to OpenLdap.

  Here is what I found out -
  AD/Ldap: There are 2 issues causing this bug.
      1.  in core.create(self, values), the param 'values' passes the following like what I have from my above debug message
           ('########## values ########## %s', {'password': '{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn', 'enabled': True, 'id': '1c81387f5aea40329bc9f77c90109c66', 'name': u'test7'})
           this is the list of attributes passed to the AD, except the 'id' attribute as it will be stripped in the method. And what the AD does not like is the 'enabled' attribute. Stripping it out is 1 of the two fixes.
      2.  in the end of core.create(self, values), there is a call as the following -
          conn.add_s(self._id_to_dn(values['id']), attrs)
          self._id_to_dn(values['id']) will return the following -
          cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain
          Somehow this cn got replaced with the 'id' instead of the actual user's name which is 'test7' and causes the second issue. And it looks like AD expects the cn to be the same value as the attribute 'name' in Point 1.

  OpenLdap:
      it has the same issue of Point 1 like AD/Ldap, but it has no issue with Point 2.

  Summary:
      Stripping out the attribute 'enabled' and making cn=<attribute name> will fix the issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1329891/+subscriptions
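Added example (not Keystone's code, and not the fix merged for bug 1340041): it builds the add request in the shape the reporter's summary proposes, with the RDN taken from the user's name rather than the internal id and the 'enabled' attribute that AD has no schema for left out, and parses the AD error string from the log so a failing add can be triaged from the 'info' field alone. The base DN, attribute map and sample values are constructed to match the log above; the RDN value is escaped per RFC 4514 because, once cn is derived from a user-supplied name, a name containing ',' or '+' must not be able to alter the DN structure.

```python
import re

# Constructed to match the 'values' dict printed in the debug log above.
SAMPLE_VALUES = {'password': '{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn',
                 'enabled': True, 'id': '1c81387f5aea40329bc9f77c90109c66',
                 'name': 'test7'}
# Constructed copy of the 'info' string AD returned in the log.
SAMPLE_ERROR_INFO = ("00002081: NameErr: DSID-03050CDA, problem 2003 "
                     "(BAD_ATT_SYNTAX), data 0, best match of:\n\t"
                     "'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n")
# Assumed Keystone-style mapping of API fields to LDAP attributes.
ATTR_MAP = {'name': 'cn', 'password': 'userPassword', 'enabled': 'enabled'}
OBJECT_CLASSES = ['person', 'user']

def escape_rdn_value(value):
    """RFC 4514 escaping: ',+"\\<>;', NUL, leading '#'/space, trailing space."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in ',+"\\<>;' or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def build_add_request(values, tree_dn='cn=Users,dc=vlan44,dc=domain',
                      drop=('enabled',)):
    """(dn, attrs) for conn.add_s(): RDN is cn=<name>, 'id' stripped, `drop` not sent."""
    dn = 'cn=%s,%s' % (escape_rdn_value(values['name']), tree_dn)
    attrs = [('objectClass', list(OBJECT_CLASSES))]
    for key, ldap_attr in ATTR_MAP.items():
        if key in drop or key not in values:
            continue
        val = values[key]
        if isinstance(val, bool):          # the log shows booleans sent as 'TRUE'
            val = 'TRUE' if val else 'FALSE'
        attrs.append((ldap_attr, [str(val)]))
    return dn, attrs

_AD_ERR = re.compile(r"problem (\d+) \((\w+)\), data (\d+), best match of:\s*'([^']*)'")

def parse_ad_error(info):
    """Problem code, name, data and best-match DN from AD's 'info' string, else None."""
    m = _AD_ERR.search(info)
    if not m:
        return None
    return {'problem': int(m.group(1)), 'code': m.group(2),
            'data': int(m.group(3)), 'best_match': m.group(4)}
```

With the default drop list the request carries only objectClass, cn and userPassword; passing drop=() reproduces the attribute list from the log, 'enabled' included.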

