yahoo-eng-team team mailing list archive

[Bug 1546040] [NEW] Group membership lookup failed with error HTTP 500

 

Public bug reported:

When issuing the "openstack user list --group <group_name> --domain
<domain>" command on a domain associated with OpenLDAP, an incorrect
LDAP query is composed and openstack-keystone reports error HTTP 500.

OpenLDAP is running on a CentOS 7 host.
OpenStack keystone release is Liberty running on a CentOS 7 host.
OpenLDAP version: OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12)
openstack v: 1.7.2

Keystone log when issuing the command:
LDAP search: base=cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain scope=0 filterstr=(objectClass=posixGroup) attrs=['memberUid'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:934

Translating the query to ldapsearch returns no results:
ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain -s one -W -x -b cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain "(objectClass=posixGroup)"

But with the scope option set to subtree, it works fine:
ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain -s sub -W -x -b cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain "(objectClass=posixGroup)"

So the bug is the scope=0 option parsed by keystone though the
query_scope option in the domain config file is set to sub.

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: keystone liberty openldap

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1546040

Title:
  Group membership lookup failed with error HTTP 500

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1546040/+subscriptions
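
An added example, not part of the original bug report or of keystone's code: a small in-memory model of the three LDAP search scopes, showing which entries each one selects for the group DN and filter seen in the log. The directory contents and the "dc=example" component are constructed; the numeric scope values are those python-ldap uses (0 base, 1 one-level, 2 subtree), listed beside the matching ldapsearch -s argument.

```python
# Added example: LDAP search scopes over a constructed in-memory directory.
# Numeric values match python-ldap (ldap.SCOPE_BASE/ONELEVEL/SUBTREE).
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2
# Equivalent ldapsearch "-s" arguments for each numeric scope.
LDAPSEARCH_SCOPE = {SCOPE_BASE: "base", SCOPE_ONELEVEL: "one", SCOPE_SUBTREE: "sub"}

# Constructed sample data; "dc=example" stands in for the report's <domain>.
SUFFIX = "dc=example,dc=localdomain"
GROUP_DN = "cn=Cloudmembers,ou=Group," + SUFFIX
DIRECTORY = {
    SUFFIX: {"objectClass": ["domain"]},
    "ou=Group," + SUFFIX: {"objectClass": ["organizationalUnit"]},
    GROUP_DN: {"objectClass": ["posixGroup"], "memberUid": ["alice", "bob"]},
    "cn=Admins,ou=Group," + SUFFIX: {"objectClass": ["posixGroup"], "memberUid": ["carol"]},
}

def parse_dn(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn is selected by a search at base_dn with scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False                      # not at or below the base
    if scope == SCOPE_BASE:
        return depth == 0                 # only the base entry itself
    if scope == SCOPE_ONELEVEL:
        return depth == 1                 # immediate children, base excluded
    if scope == SCOPE_SUBTREE:
        return True                       # base and all descendants
    raise ValueError("unknown scope: %r" % (scope,))

def search(base_dn, scope, object_class, directory=DIRECTORY):
    """Return DNs in scope whose objectClass matches (case-insensitive)."""
    wanted = object_class.lower()
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope)
            and wanted in (c.lower() for c in attrs["objectClass"])]

if __name__ == "__main__":
    for scope in (SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE):
        hits = search(GROUP_DN, scope, "posixGroup")
        print("scope=%d (-s %s): %s" % (scope, LDAPSEARCH_SCOPE[scope], hits))
```

In this model a base-scope search on the group DN selects the group entry itself, a one-level search selects nothing because the group has no child entries, and a subtree search selects the group entry again.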
