
yahoo-eng-team team mailing list archive

[Bug 1396763] [NEW] user id beginning with 0 cannot authenticate through ldap

 

Public bug reported:

In the case where the [ldap] user_id_attribute = uid

Let's say a user attempts to authenticate with stevemar@xxxxxxxxxxx, and
the UID returned is 01234567.

The following log entries show that the leading 0 is dropped:

keystone.common.ldap.core [-] LDAP search: base=o=example.com scope=2 filterstr=(&(emailAddress=stevemar@xxxxxxxxxxx)(objectClass=person)) attrs=['emailAddress', 'userPassword', 'enabled', 'uid'] attrsonly=0 search_s /opt/stack/keystone/keystone/common/ldap/core.py:926
keystone.common.ldap.core [-] LDAP unbind unbind_s /opt/stack/keystone/keystone/common/ldap/core.py:899
keystone.identity.core [-] ID Mapping - Domain ID: default, Default Driver: True, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /opt/stack/keystone/keystone/identity/core.py:321
keystone.identity.core [-] Local ID: 1234567 _set_domain_id_and_mapping_for_single_ref /opt/stack/keystone/keystone/identity/core.py:339
keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /opt/stack/keystone/keystone/common/ldap/core.py:575

** here is where the leading 0 is dropped **

keystone.common.ldap.core [-] LDAP search: base=o=example.com scope=2 filterstr=(&(uid=1234567)(objectClass=person)) attrs=['emailAddress', 'userPassword', 'enabled', 'uid'] attrsonly=0 search_s /opt/stack/keystone/keystone/common/ldap/core.py:926
keystone.common.ldap.core [-] LDAP unbind unbind_s /opt/stack/keystone/keystone/common/ldap/core.py:899
keystone.common.wsgi [-] Authorization failed. Invalid username or password (Disable debug mode to suppress these details.)

The main code in question is the following in keystone.common.ldap.core.py
https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L110-L128

    def ldap2py(val):
        """Convert an LDAP formatted value to a Python type."""
        # Booleans first: LDAP_VALUES maps the literals 'TRUE'/'FALSE'.
        try:
            return LDAP_VALUES[val]
        except KeyError:
            pass
        # Anything int() accepts becomes an int, so a uid of '01234567'
        # comes back as 1234567 and the leading zero is gone.
        try:
            return int(val)
        except ValueError:
            pass
        return utf8_decode(val)

Where we attempt to convert all fields to int, and if it fails proceed
to string.

On a semi-related note: the PyCADF library explicitly expects user_ids
to be strings, so I had to add str() to user_id in the
_get_request_audit_info function, in notifications.py:

  initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, name=user_id, host=host)
    to
  initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, name=str(user_id), host=host)
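As an added illustration (this is not keystone's code and not from the report), the following Python reproduces the conversion quoted above with stand-ins for keystone's LDAP_VALUES and utf8_decode helpers, then shows a type-aware alternative that converts only attributes declared numeric (the INT_ATTRS table is an assumption, not a keystone setting) and rebuilds the (&(uid=...)(objectClass=person)) filter from the log so the round trip can be checked. It also bears on the PyCADF point: an id that is never turned into an int needs no str() at the audit boundary.

```python
# Added example, not keystone's code: reproduces the lossy conversion quoted in
# the bug report and shows a type-aware alternative that keeps ids as strings.
# LDAP_VALUES, utf8_decode and INT_ATTRS are stand-ins/assumptions, not
# keystone's real definitions.

LDAP_VALUES = {'TRUE': True, 'FALSE': False}   # assumed boolean literals


def utf8_decode(val):
    """Stand-in for keystone's helper: decode bytes, pass str through."""
    return val.decode('utf-8') if isinstance(val, bytes) else val


def ldap2py_lossy(val):
    """The conversion quoted in the report. Any value int() accepts becomes
    an int, so '01234567' -> 1234567 and the leading zero is gone. int() is
    also lenient about whitespace and underscores ('1_000' -> 1000), so a
    string id that merely looks numeric cannot be trusted to round-trip."""
    try:
        return LDAP_VALUES[val]
    except KeyError:
        pass
    try:
        return int(val)
    except ValueError:
        pass
    return utf8_decode(val)


# Hypothetical per-attribute type table: only these are converted to int.
INT_ATTRS = {'uidNumber', 'gidNumber'}


def ldap2py_typed(attr, val):
    """Convert by declared attribute type instead of guessing from the value:
    booleans by literal, ints only for attributes listed in INT_ATTRS, and
    everything else (including the user id attribute) stays a string."""
    val = utf8_decode(val)
    if val in LDAP_VALUES:
        return LDAP_VALUES[val]
    if attr in INT_ATTRS:
        return int(val)          # a non-numeric value here is a data error
    return val


def build_uid_filter(user_id, object_class='person'):
    """Build the (&(uid=...)(objectClass=...)) filter seen in the log, escaping
    RFC 4515 special characters so the value cannot change the filter shape."""
    escaped = ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c
                      for c in str(user_id))
    return '(&(uid=%s)(objectClass=%s))' % (escaped, object_class)


def round_trip(uid_from_directory):
    """Compare both conversions: the local id each produces, the filter the
    second LDAP search would use, and whether the directory value survives."""
    lossy = ldap2py_lossy(uid_from_directory)
    typed = ldap2py_typed('uid', uid_from_directory)
    return {
        'lossy_id': lossy,
        'lossy_filter': build_uid_filter(lossy),
        'typed_id': typed,
        'typed_filter': build_uid_filter(typed),
        'lossy_round_trips': str(lossy) == uid_from_directory,
        'typed_round_trips': typed == uid_from_directory,
    }


if __name__ == '__main__':
    for uid in ('01234567', '1234567', 'smithj'):
        print(uid, round_trip(uid))
```

Running it shows the lossy path turning '01234567' into the filter `(&(uid=1234567)(objectClass=person))` from the log, while the typed path preserves the value; the design point is that the attribute's declared type, not the shape of the value, should decide the conversion, and the id attribute is never a candidate for int().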

** Affects: keystone
     Importance: High
         Status: Confirmed

** Description changed:

  In the case where the [ldap] user_id_attribute = uid
  
  Lets say a user attempts to authenticate with stevemar@xxxxxxxxxxx, and
  the UID returned is 01234567.
  
  The following log entries show that the leading 0 is dropped:
  
  keystone.common.ldap.core [-] LDAP search: base=o=example.com scope=2 filterstr=(&(emailAddress=stevemar@xxxxxxxxxxx)(objectClass=person)) attrs=['emailAddress', 'userPassword', 'enabled', 'uid'] attrsonly=0 search_s /opt/stack/keystone/keystone/common/ldap/core.py:926
  keystone.common.ldap.core [-] LDAP unbind unbind_s /opt/stack/keystone/keystone/common/ldap/core.py:899
  keystone.identity.core [-] ID Mapping - Domain ID: default, Default Driver: True, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /opt/stack/keystone/keystone/identity/core.py:321
- keystone.identity.core [-] Local ID: 11918649 _set_domain_id_and_mapping_for_single_ref /opt/stack/keystone/keystone/identity/core.py:339
+ keystone.identity.core [-] Local ID: 1234567 _set_domain_id_and_mapping_for_single_ref /opt/stack/keystone/keystone/identity/core.py:339
  keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /opt/stack/keystone/keystone/common/ldap/core.py:575
  
  ** here is where the leading 0 is dropped **
  
  keystone.common.ldap.core [-] LDAP search: base=o=example.com scope=2 filterstr=(&(uid=1234567)(objectClass=person)) attrs=['emailAddress', 'userPassword', 'enabled', 'uid'] attrsonly=0 search_s /opt/stack/keystone/keystone/common/ldap/core.py:926
  keystone.common.ldap.core [-] LDAP unbind unbind_s /opt/stack/keystone/keystone/common/ldap/core.py:899
  keystone.common.wsgi [-] Authorization failed. Invalid username or password (Disable debug mode to suppress these details.)
  
  The main code in question is the following in keystone.common.ldap.core.py
  https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L110-L128
  
-     try:
-         return LDAP_VALUES[val]
-     except KeyError:
-         pass
-     try:
-         return int(val)
-     except ValueError:
-         pass
-     return utf8_decode(val)
+     try:
+         return LDAP_VALUES[val]
+     except KeyError:
+         pass
+     try:
+         return int(val)
+     except ValueError:
+         pass
+     return utf8_decode(val)
  
  Where we attempt to convert all fields to int, and if it fails proceed
  to string.
  
  On a semi-related note: the PyCADF library explicitly expects user_ids
  to be strings, so I had to add str() to user_id in the
  _get_request_audit_info function, in notifications.py:
  
-   initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, name=user_id, host=host)
-     to
-   initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, name=str(user_id), host=host)
+   initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, name=user_id, host=host)
+     to
+   initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, name=str(user_id), host=host)
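Review bot: most of this description diff is whitespace-only noise: the `-`/`+` pairs for the core.py snippet and for the two initiator lines are identical apart from leading indentation and could have been left out. The one substantive change is the Local ID on the identity.core log line, 11918649 -> 1234567, which brings that line into agreement with the 01234567 example uid used in the text and with the uid=1234567 filter in the second search.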

** Changed in: keystone
       Status: New => Confirmed

** Changed in: keystone
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1396763

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1396763/+subscriptions

