OpenStack Identity (keystone)

ldap/core deleteTree not always supported

Bug #1282355 reported by Richard Megginson on 2014-02-20

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Richard Megginson	OpenStack Identity (keystone) 2014.2 "juno"

Bug Description

Not every LDAP server supports CONTROL_TREEDELETE (OID 1.2.840.113556.1.4.805)
e.g. openldap, 389
The LDAP server will respond with ldap.NOT_ALLOWED_ON_NONLEAF in that case, and
the client will have to fallback on a recursive delete (note this is what openldap
ldapdelete -r does).

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-02-20: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/74897

Changed in keystone:
assignee:	nobody → Richard Megginson (rmeggins)
status:	New → In Progress

Dolph Mathews (dolph) on 2014-02-20

Changed in keystone:
importance:	Undecided → Medium

Revision history for this message

Brant Knudson (blk-u) wrote on 2014-03-06:

Keystone has an option

[ldap]
allow_subtree_delete = false

That means that the Keystone server shouldn't be making subtree deletes.

So this seems to be working as designed.

Revision history for this message

Richard Megginson (rmeggins) wrote on 2014-03-06:

Ok. Would you guys rather just permanently disallow ldap subtree delete with the config option, or would you rather I keep going and do the deletion sorted by the length of the DN rather than by the reverse() of the entry list?

Revision history for this message

Brant Knudson (blk-u) wrote on 2014-03-09:

Looks like the documentation could be improved: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n791 . I submitted a change that I think improves the documentation: https://review.openstack.org/#/c/78497/

So I think this is working as designed.

Revision history for this message

Dolph Mathews (dolph) wrote on 2014-04-04:

Should this be closed? Code review is abandoned and I'm not sure why Brant didn't change the bug status here?

tags:	added: ldap
Changed in keystone:
status:	In Progress → Incomplete

Revision history for this message

Richard Megginson (rmeggins) wrote on 2014-04-04:

Why is the status Incomplete?

Revision history for this message

Dolph Mathews (dolph) wrote on 2014-04-04:

As described above, I'm not clear on whether this should remain as an open issue or not.

Openstack Gerrit (openstack-gerrit) on 2014-04-25

Changed in keystone:
status:	Incomplete → In Progress

OpenStack Infra (hudson-openstack) on 2014-08-21

Changed in keystone:
assignee:	Richard Megginson (rmeggins) → David Stanek (dstanek)

Dolph Mathews (dolph) on 2014-09-08

Changed in keystone:
milestone:	none → juno-rc1

OpenStack Infra (hudson-openstack) on 2014-09-10

Changed in keystone:
assignee:	David Stanek (dstanek) → Richard Megginson (rmeggins)

OpenStack Infra (hudson-openstack) on 2014-09-15

Changed in keystone:
assignee:	Richard Megginson (rmeggins) → Brant Knudson (blk-u)

Brant Knudson (blk-u) on 2014-09-15

Changed in keystone:
assignee:	Brant Knudson (blk-u) → Richard Megginson (rmeggins)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-15: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/74897
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=519161422dab4c25df79b6d4db35f7613847afd6
Submitter: Jenkins
Branch: master

commit 519161422dab4c25df79b6d4db35f7613847afd6
Author: Rich Megginson <email address hidden>
Date: Wed Feb 19 17:56:55 2014 -0700

ldap/core deleteTree not always supported

    Most LDAP servers do not support CONTROL_TREEDELETE
    (OID 1.2.840.113556.1.4.805) e.g. openldap, 389, and many others.
    The LDAP server will respond with ldap.NOT_ALLOWED_ON_NONLEAF
    in that case, and the client will have to fallback on doing an
    LDAP search to get the list of entries to delete, then deleting
    the entries in order of child to parent, since LDAP forbids the
    deletion of a parent entry which has children. The simplest way
    to generate a child to parent ordering is to delete the entries
    in the order of the length of the DN, from longest to shortest.

Closes-Bug: #1282355

Change-Id: I3f08cc4bc890eec9f91945941c3636cb0b30658a

Changed in keystone:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2014-09-30

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in keystone:
milestone:	juno-rc1 → 2014.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.