yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1800077] [NEW] LDAP Referrals were returned and ignored

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Divya K Konoor <dikonoor@xxxxxxxxxx>
Date: Fri, 26 Oct 2018 05:36:15 -0000
Reply-to: Bug 1800077 <1800077@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

I am using OpenStack with a Windows Active Directory Server, such that
the [LDAP] chase referrals attribute is set to True. The LDAP search
flow reaches the convert_ldap_result(ldap_result) function inside
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py
and the search returns one or more referrals as well. The flow logs the
below:

https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L180-L182

if at_least_one_referral:
        LOG.debug('Referrals were returned and ignored. Enable referral '
'chasing in keystone.conf via [ldap] chase_referrals')

In my case, the above statement does get logged but the log statement is either incorrect or misleading. There are 2 problems here >>
1. Why does the ldap search bother to search and return referrals if they are going to be ignored anyway? 
2. The above message also leads us to believe that the referrals were ignored because the value of chase referrals was False, which is clearly not the case here.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1800077

Title:
  LDAP Referrals were returned and ignored

Status in OpenStack Identity (keystone):
  New

Bug description:
  I am using OpenStack with a Windows Active Directory Server, such that
  the [LDAP] chase referrals attribute is set to True. The LDAP search
  flow reaches the convert_ldap_result(ldap_result) function inside
  https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py
  and the search returns one or more referrals as well. The flow logs
  the below:

  https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L180-L182

  if at_least_one_referral:
          LOG.debug('Referrals were returned and ignored. Enable referral '
  'chasing in keystone.conf via [ldap] chase_referrals')

  In my case, the above statement does get logged but the log statement is either incorrect or misleading. There are 2 problems here >>
  1. Why does the ldap search bother to search and return referrals if they are going to be ignored anyway? 
  2. The above message also leads us to believe that the referrals were ignored because the value of chase referrals was False, which is clearly not the case here.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1800077/+subscriptions