Message #46656
[Bug 1546040] Re: Group membership lookup failed with error HTTP 500
*** This bug is a duplicate of bug 1526462 ***
https://bugs.launchpad.net/bugs/1526462
Thanks for confirming that 1526462 fixed the issue, I will mark this as
a duplicate.
** This bug has been marked a duplicate of bug 1526462
Need support for OpenDirectory in LDAP driver
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1546040
Title:
Group membership lookup failed with error HTTP 500
Status in OpenStack Identity (keystone):
New
Bug description:
When issuing the "openstack user list --group <group_name> --domain
<domain>" command on a domain associated with OpenLDAP, an incorrect
LDAP query is composed and openstack-keystone reports error HTTP 500.
OpenLDAP is running on a CentOS 7 host.
Openstack keystone release is Liberty running on a CentOS 7 host.
OpenLDAP version: OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12)
openstack v: 1.7.2
Keystone log when issuing the command:
LDAP search: base=cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain scope=0 filterstr=(objectClass=posixGroup) attrs=['memberUid'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:934
When translating the query to ldapsearch, it returns no results:
ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain -s one -W -x -b cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain "(objectClass=posixGroup)"
But with the scope option set to subtree, it works fine:
ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain -s sub -W -x -b cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain "(objectClass=posixGroup)"
So the bug is the scope=0 option parsed by keystone, even though the
query_scope option in the domain config file is set to sub.
Keystone is configured with the domain-specific driver enabled. The
OpenLDAP domain authenticates users only. Service accounts are still
managed by native SQL.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1546040/+subscriptions
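A small consistency check, added here and not part of the bug report or of keystone itself: given a domain-specific config fragment and keystone "LDAP search:" debug lines in the shape of the one quoted above, it maps query_scope to the numeric LDAP scope and flags searches whose logged scope disagrees with what the configuration asks for. The config text, DNs and log line are constructed samples.

```python
import configparser
import re

# LDAP scope values as defined by the protocol (RFC 4511); python-ldap's
# SCOPE_BASE / SCOPE_ONELEVEL / SCOPE_SUBTREE constants carry the same values.
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2
SCOPE_NAMES = {SCOPE_BASE: "base", SCOPE_ONELEVEL: "one", SCOPE_SUBTREE: "sub"}

# Keystone's [ldap] query_scope setting accepts 'one' or 'sub'.
QUERY_SCOPE_TO_LDAP = {"one": SCOPE_ONELEVEL, "sub": SCOPE_SUBTREE}

# Constructed sample: a domain-specific config fragment (keystone.<domain>.conf).
SAMPLE_CONF = """
[ldap]
url = ldap://openldapserver
user_tree_dn = ou=People,dc=example,dc=localdomain
group_tree_dn = ou=Group,dc=example,dc=localdomain
query_scope = sub
"""

# Constructed sample debug line in the same shape as the one in the bug report.
SAMPLE_LOG = ("LDAP search: base=cn=Cloudmembers,ou=Group,dc=example,dc=localdomain "
              "scope=0 filterstr=(objectClass=posixGroup) attrs=['memberUid'] "
              "attrsonly=0 search_s .../keystone/common/ldap/core.py:934")

LOG_RE = re.compile(r"LDAP search: base=(?P<base>\S+) scope=(?P<scope>\d) ")


def configured_scope(conf_text):
    """Return the numeric LDAP scope the [ldap] query_scope setting asks for."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    name = cp.get("ldap", "query_scope", fallback="one")  # keystone's default is 'one'
    return QUERY_SCOPE_TO_LDAP[name]


def logged_scope(line):
    """Extract (base DN, numeric scope) from a keystone 'LDAP search:' debug line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("base"), int(m.group("scope"))


def find_scope_mismatches(conf_text, log_lines):
    """Return (base DN, logged scope, configured scope) for each search that disagrees."""
    want = configured_scope(conf_text)
    found = []
    for line in log_lines:
        parsed = logged_scope(line)
        if parsed and parsed[1] != want:
            found.append((parsed[0], SCOPE_NAMES[parsed[1]], SCOPE_NAMES[want]))
    return found
```

Running it over the sample reports the group search as issued with base scope while the config requests sub, which is the discrepancy the report describes.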