
yahoo-eng-team team mailing list archive

[Bug 1546040] Re: Group membership lookup failed with error HTTP 500

 

*** This bug is a duplicate of bug 1526462 ***
    https://bugs.launchpad.net/bugs/1526462

Thanks for confirming that 1526462 fixed the issue; I will mark this as
a duplicate.

** This bug has been marked a duplicate of bug 1526462
   Need support for OpenDirectory in LDAP driver

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1546040

Title:
  Group membership lookup failed with error HTTP 500

Status in OpenStack Identity (keystone):
  New

Bug description:
  When issuing "openstack user list --group <group_name> --domain
  <domain>" command on a domain associated with OpenLDAP, an incorrect
  LDAP query is composed and openstack-keystone reports error HTTP 500.

  OpenLDAP is running on a CentOS 7 host.
  OpenStack keystone release is Liberty running on a CentOS 7 host.
  OpenLDAP version: OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12)
  openstack v: 1.7.2

  Keystone log when issuing the command:
  LDAP search: base=cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain scope=0 filterstr=(objectClass=posixGroup) attrs=['memberUid'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:934

  When translated to ldapsearch, the query returns no results:
  ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain -s one -W -x -b cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain "(objectClass=posixGroup)"

  But with the scope option set to subtree, it works fine:
  ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain -s sub -W -x -b cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain "(objectClass=posixGroup)"

  So the bug is the scope=0 option parsed by keystone though the
  query_scope option in the domain config file is set to sub.

  Keystone is configured with the domain-specific driver enabled. The
  OpenLDAP domain authenticates only users. Service accounts are still
  managed by native SQL.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1546040/+subscriptions
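
The LDAP scope values that appear in the log line and the ldapsearch commands above, evaluated over a small in-memory directory to show what each scope returns when the search base is the group entry itself. This is an added example, not keystone code and not part of the original report; the scope numbers are the LDAP protocol's (0 base, 1 one-level, 2 subtree), and dc=example with its entries is constructed sample data standing in for <domain>.

```python
# Added example: LDAP search scope semantics over a constructed directory.
# Scope numbers follow the LDAP protocol (and python-ldap's SCOPE_* constants).
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2
LDAPSEARCH_FLAG = {SCOPE_BASE: "base", SCOPE_ONELEVEL: "one", SCOPE_SUBTREE: "sub"}

# Constructed sample entries; dc=example stands in for the page's <domain>.
DIRECTORY = {
    "dc=example,dc=localdomain": {"objectClass": ["domain"]},
    "ou=Group,dc=example,dc=localdomain": {"objectClass": ["organizationalUnit"]},
    "cn=Cloudmembers,ou=Group,dc=example,dc=localdomain": {
        "objectClass": ["posixGroup"], "memberUid": ["alice", "bob"]},
    "cn=Admins,ou=Group,dc=example,dc=localdomain": {
        "objectClass": ["posixGroup"], "memberUid": ["carol"]},
}

def normalize(dn):
    """Lower-case and strip spaces around RDNs (simplified; no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn falls inside the given scope relative to base_dn."""
    entry, base = normalize(entry_dn), normalize(base_dn)
    if scope == SCOPE_BASE:
        return entry == base                      # only the base entry itself
    if not entry.endswith("," + base):
        return scope == SCOPE_SUBTREE and entry == base  # subtree includes base
    depth = entry[: -len(base) - 1].count(",") + 1       # RDNs below the base
    return depth == 1 if scope == SCOPE_ONELEVEL else True

def search(base_dn, scope, object_class):
    """Return DNs within scope of base_dn that carry object_class."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base_dn, scope)
                  and object_class in attrs["objectClass"])

if __name__ == "__main__":
    group = "cn=Cloudmembers,ou=Group,dc=example,dc=localdomain"
    for scope in (SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE):
        print(scope, "-s " + LDAPSEARCH_FLAG[scope],
              search(group, scope, "posixGroup"))
```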

