[Yahoo-eng-team] [Bug 1302106] Re: LDAP non-URL safe characters cause auth failure

Alan Pevec Wed, 21 May 2014 10:21:49 -0700

** Also affects: keystone/havana
   Importance: Undecided
       Status: New


** Changed in: keystone/havana
   Importance: Undecided => High

** Changed in: keystone/havana
       Status: New => In Progress

** Changed in: keystone/havana
     Assignee: (unassigned) => Dolph Mathews (dolph)

** Tags removed: havana-backport-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1302106

Title:
  LDAP non-URL safe characters cause auth failure

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  In Progress

Bug description:
  An Openstack user attempting to integrate Keystone with AD has
  reported that when his user contains a comma (full name CN='Doe,
  John'), a 'Bad search filter' error is thrown. If the full name CN is
  instead 'John Doe', authorization succeeds.

  dpkg -l |grep keystone
  ii  keystone                             1:2013.2.2-0ubuntu1~cloud0           
               OpenStack identity service - Daemons
  ii  python-keystone                      1:2013.2.2-0ubuntu1~cloud0           
               OpenStack identity service - Python library
  ii  python-keystoneclient                1:0.3.2-0ubuntu1~cloud0              
               Client library for OpenStack Identity API

  Relevant error message:
  Authorization Failed: An unexpected error prevented the server from 
fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500)

  Relevant stack trace:
  2014-03-31 15:44:27.459 3018 ERROR keystone.common.wsgi [-] {'desc': 'Bad 
search filter'}
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi Traceback (most 
recent call last):
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in 
__call__
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     result = 
method(context, **params)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 94, in 
authenticate
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     context, auth)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 272, in 
_authenticate_local
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     user_id, 
tenant_id)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 369, in 
_get_project_roles_and_ref
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     user_id, 
tenant_id)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 475, in 
get_roles_for_user_and_project
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     user_id, 
tenant_id)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 160, in 
get_roles_for_user_and_project
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     group_role_list = 
_get_group_project_roles(user_id, project_ref)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 111, in 
_get_group_project_roles
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     group_refs = 
self.identity_api.list_groups_for_user(user_id)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 177, in 
wrapper
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     return f(self, 
*args, **kwargs)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 425, in 
list_groups_for_user
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     group_list = 
driver.list_groups_for_user(user_id)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 
154, in list_groups_for_user
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     return 
self.group.list_user_groups(user_dn)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 
334, in list_user_groups
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     memberships = 
self.get_all(query)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 388, in 
get_all
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     for x in 
self._ldap_get_all(filter)]
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 364, in 
_ldap_get_all
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     
self.attribute_mapping.values())
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 571, in 
search_s
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     res = 
self.conn.search_s(dn, scope, query, attrlist)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 502, in search_s
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     return 
self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 495, in search_ext_s
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     msgid = 
self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 491, in search_ext
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     timeout,sizelimit,
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi   File 
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi     result = 
func(*args,**kwargs)
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi FILTER_ERROR: 
{'desc': 'Bad search filter'}
  2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1302106/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1302106] Re: LDAP non-URL safe characters cause auth failure

Reply via email to