yahoo-eng-team team mailing list archive

[Bug 1474501] [NEW] Bad search filter: None in query

 

Public bug reported:

Environment: Ubuntu 14.04 with stable/kilo openstack packages installed

I configured keystone to have one domain ('Default') configured with SQL
as the backend to service the service users.  I configured a secondary
domain ('ldap.vmware.com') to service all of the LDAP users.  I did this
using the multi-domain backend support.

I was successful in creating users for the services (nova, cinder,
glance, neutron, etc) and creating grants with admin role on service
tenant.  Then I need to grant the admin role on an admin project on the
ldap domain.  This is where things broke.

In order to assign the admin role to the ldap user, I need to know the
user id for the openstackclient.  To do this, I used:

openstack --os-identity-api-version 3 --os-url \
"http://localhost:35357/v3" --os-token 52c6706iDcaDAf7u45se user show \
--domain ldap.vmware.com vio-autouser@xxxxxxxxxx

This command results in a 500 error from keystone.
http://paste.openstack.org/show/375004/

The root cause is that there is a 'None' in the search filter.
"(&None(userPrincipalName=vio-autouser@xxxxxxxxxx))"

Strangely, everything works perfectly if I stick with a single 'Default'
domain with LDAP backend.  It might be related to using the openstack
CLI since that is also new in this environment.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1474501

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1474501/+subscriptions
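
An added example, not part of the original report and not Keystone's code: one way a literal "None" can end up in a filter shaped like the one quoted above is Python %s formatting of an unset filter option, shown here beside a builder that omits the missing clause and escapes the value per RFC 4515. That mechanism is an assumption; the function names and the sample values are constructed for illustration.

```python
# Illustrative only: names and sample values are hypothetical.

# RFC 4515 escapes for characters that are special inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape an assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(base_filter, attr, value):
    """'Before' form: an unset base filter is rendered as the text 'None'."""
    return "(&%s(%s=%s))" % (base_filter, attr, value)


def safe_filter(base_filter, attr, value):
    """AND the base filter in only when one is actually configured."""
    term = "(%s=%s)" % (attr, escape_value(value))
    if not base_filter:  # None or empty string: no extra clause
        return term
    base = base_filter.strip()
    if not (base.startswith("(") and base.endswith(")")):
        raise ValueError("base filter must be parenthesised: %r" % base)
    return "(&%s%s)" % (base, term)


if __name__ == "__main__":
    upn = "alice@example.test"  # constructed sample value
    print(naive_filter(None, "userPrincipalName", upn))
    print(safe_filter(None, "userPrincipalName", upn))
    print(safe_filter("(objectClass=person)", "userPrincipalName", upn))
```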
