yahoo-eng-team team mailing list archive

[Bug 1798184] Re: PY3: python3-ldap does not allow bytes for DN/RDN/field names

 

Reviewed:  https://review.openstack.org/611190
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=eca0829c4c65e6b64f08023ce2d5a55dc329248f
Submitter: Zuul
Branch:    master

commit eca0829c4c65e6b64f08023ce2d5a55dc329248f
Author: Corey Bryant <corey.bryant@xxxxxxxxxxxxx>
Date:   Tue Oct 16 16:19:15 2018 -0400

    PY3: switch to using unicode text values
    
    In Python 3, python-ldap no longer allows bytes for some fields (DNs,
    RDNs, attribute names, queries). Instead, text values are represented
    as str, the Unicode text type. Compatibility support is provided for
    Python 2 by setting bytes_mode=False [1].
    
    Update the keystone LDAP backend to adhere to this behavior by using
    bytes_mode=False for Python 2 and dropping UTF-8 encoding and decoding
    fields that are now represented as text in python-ldap.
    
    [1] More details about byte/str usage in python-ldap can be found at:
    http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode
    
    Note that at a minimum python-ldappool 2.3.1 is required. For more
    details see Depends-On's below.
    
    Change-Id: Ifdd0644cd7042407a008c85c0b2c40a971c90bc3
    Closes-Bug: #1798184
    Depends-On: https://review.openstack.org/611401
    Depends-On: https://review.openstack.org/613632
    Depends-On: https://review.openstack.org/614052


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1798184

Title:
  PY3: python3-ldap does not allow bytes for DN/RDN/field names

Status in OpenStack Identity (keystone):
  Fix Released
Status in ldappool:
  New

Bug description:
  Under Python 2, python-ldap uses bytes by default. Under Python 3 this
  is removed and bytes aren't allowed for DN/RDN/field names.

  More details are here: http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode
  and here: https://github.com/python-ldap/python-ldap/blob/python-ldap-3.1.0/Lib/ldap/ldapobject.py#L111

  == initial traceback ==

  Here's the initial traceback from the failure:
  https://paste.ubuntu.com/p/67THZb2m5m/

  The last bit of the error is:

    File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 314, in _ldap_call
      result = func(*args,**kwargs)
  TypeError: simple_bind() argument 1 must be str or None, not bytes

  A closer look at func shows:

  func=<built-in method simple_bind of LDAP object at 0x7f9d0177b760>
  args=(b'cn=admin,dc=test,dc=com', b'crapper', None, None)

  == keystone ldap backend use of python-ldap ==

  In simple_bind_s() of keystone's ldap backend, who and cred are
  encoded as byte strings:

  https://github.com/openstack/keystone/blob/14.0.0/keystone/identity/backends/ldap/common.py#L885

  but that appears to no longer be valid use of python-ldap for py3.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1798184/+subscriptions
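
The str/bytes split described in the commit message and bug description above, as an added example that is not keystone's or python-ldap's own code: DNs and attribute names are normalized to text, while attribute values stay bytes. The helper names (`to_text`, `to_bytes`, `normalize_bind_dn`, `normalize_add_modlist`) and the sample entry are hypothetical.

```python
# Added example: hypothetical helpers, not part of keystone or python-ldap.
# They enforce the rule the commit message cites for python-ldap on Python 3:
# DNs, RDNs, attribute names and filters are str; attribute values are bytes.


def to_text(value, encoding="utf-8"):
    """Return value as str. Bytes are decoded strictly so malformed input
    raises instead of silently producing a different DN."""
    if value is None or isinstance(value, str):
        return value
    if isinstance(value, (bytes, bytearray)):
        return bytes(value).decode(encoding, errors="strict")
    raise TypeError("expected str, bytes or None, got %s" % type(value).__name__)


def to_bytes(value, encoding="utf-8"):
    """Return an attribute value as bytes."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode(encoding)
    raise TypeError("expected str or bytes, got %s" % type(value).__name__)


def normalize_bind_dn(who):
    """Bind DN as text (None is kept for an anonymous bind). The traceback
    on this page fails on argument 1, the DN, when it is passed as bytes."""
    return to_text(who)


def normalize_add_modlist(attrs):
    """Build an add-style modlist: [(name: str, [value: bytes, ...]), ...]."""
    modlist = []
    for name, values in attrs.items():
        if isinstance(values, (str, bytes)):
            values = [values]  # a single value becomes a one-item list
        modlist.append((to_text(name), [to_bytes(v) for v in values]))
    return modlist


if __name__ == "__main__":
    # Constructed sample input mixing bytes and str, as legacy Python 2 code might.
    print(normalize_bind_dn(b"cn=admin,dc=test,dc=com"))
    print(normalize_add_modlist({b"cn": "admin", "mail": [b"a@example.com"]}))
```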

