yahoo-eng-team team mailing list archive

[Steve Martinelli <stevemar@xxxxxxxxxx>]

Public bug reported:

When attempting to authenticate with our ldap, we were running into
trouble getting the right value to show up for the user's enabled
attribute.

The result from ldap was:
[('uid=123456789,c=us,ou=our_ldap,o=ibm.com', {'mail': ['shaun@xxxxxxxx'], 'passwordisexpired': ['false'], 'uid': ['123456789']})]

which is turned into:
[(u'uid=123456789,c=us,ou=our_ldap,o=ibm.com', {'mail': [u'shaun@xxxxxxxx'], 'passwordisexpired': [u'false'], 'uid': [123456789]})]

the _ldap_res_to_model  function in ldap/core.py seems to be OK, but the
same one at the identity backend for ldap seems to have a few bugs:

the object before:
{'email': u'shaun@xxxxxxxx', 'enabled': u'false', 'id': 123456789, 'name': u'shaun@xxxxxxxx'} 

the object after:
{'dn': u'uid=123456789,c=us,ou=our_ldap,o=ibm.com', 'email': u'shaun@xxxxxxxx', 'enabled': False, 'id': 123456789, 'name': u'shaun@xxxxxxxx'} 

Note that the enabled field is still False, just a boolean now instead
of string.

Looks like at:
https://github.com/openstack/keystone/blob/stable/juno/keystone/identity/backends/ldap.py#L223-L227

The check for if type(str) is insufficient, and calling lower, without
the parentheses is pointless.

** Affects: keystone
     Importance: Undecided
     Assignee: Steve Martinelli (stevemar)
         Status: In Progress


** Tags: icehouse-backport-potential juno-backport-potential

** Tags added: juno-backport-potential

** Tags added: icehouse-backport-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1415271

Title:
  user_enabled_attribute string support is poor

Status in OpenStack Identity (Keystone):
  In Progress

Bug description:
  When attempting to authenticate with our ldap, we were running into
  trouble getting the right value to show up for the user's enabled
  attribute.

  The result from ldap was:
  [('uid=123456789,c=us,ou=our_ldap,o=ibm.com', {'mail': ['shaun@xxxxxxxx'], 'passwordisexpired': ['false'], 'uid': ['123456789']})]

  which is turned into:
  [(u'uid=123456789,c=us,ou=our_ldap,o=ibm.com', {'mail': [u'shaun@xxxxxxxx'], 'passwordisexpired': [u'false'], 'uid': [123456789]})]

  the _ldap_res_to_model  function in ldap/core.py seems to be OK, but
  the same one at the identity backend for ldap seems to have a few
  bugs:

  the object before:
  {'email': u'shaun@xxxxxxxx', 'enabled': u'false', 'id': 123456789, 'name': u'shaun@xxxxxxxx'} 

  the object after:
  {'dn': u'uid=123456789,c=us,ou=our_ldap,o=ibm.com', 'email': u'shaun@xxxxxxxx', 'enabled': False, 'id': 123456789, 'name': u'shaun@xxxxxxxx'} 

  Note that the enabled field is still False, just a boolean now instead
  of string.

  Looks like at:
  https://github.com/openstack/keystone/blob/stable/juno/keystone/identity/backends/ldap.py#L223-L227

  The check for if type(str) is insufficient, and calling lower, without
  the parentheses is pointless.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1415271/+subscriptions