LDAP non-URL safe characters cause auth failure

Bug #1302106 reported by Kevin Stevens
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Brant Knudson |
Havana | Fix Released | High | Dolph Mathews |

Bug Description

An OpenStack user attempting to integrate Keystone with AD has reported that when his user contains a comma (full name CN='Doe, John'), a 'Bad search filter' error is thrown. If the full name CN is instead 'John Doe', authorization succeeds.

dpkg -l |grep keystone
ii keystone 1:2013.2.2-0ubuntu1~cloud0 OpenStack identity service - Daemons
ii python-keystone 1:2013.2.2-0ubuntu1~cloud0 OpenStack identity service - Python library
ii python-keystoneclient 1:0.3.2-0ubuntu1~cloud0 Client library for OpenStack Identity API

Relevant error message:
Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500)

Relevant stack trace:
2014-03-31 15:44:27.459 3018 ERROR keystone.common.wsgi [-] {'desc': 'Bad search filter'}
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi result = method(context, **params)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 94, in authenticate
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi context, auth)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 272, in _authenticate_local
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id, tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 369, in _get_project_roles_and_ref
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id, tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 475, in get_roles_for_user_and_project
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id, tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 160, in get_roles_for_user_and_project
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_role_list = _get_group_project_roles(user_id, project_ref)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 111, in _get_group_project_roles
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_refs = self.identity_api.list_groups_for_user(user_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 177, in wrapper
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 425, in list_groups_for_user
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_list = driver.list_groups_for_user(user_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 154, in list_groups_for_user
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return self.group.list_user_groups(user_dn)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 334, in list_user_groups
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi memberships = self.get_all(query)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 388, in get_all
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi for x in self._ldap_get_all(filter)]
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 364, in _ldap_get_all
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi self.attribute_mapping.values())
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 571, in search_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi res = self.conn.search_s(dn, scope, query, attrlist)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 502, in search_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 495, in search_ext_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 491, in search_ext
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi timeout,sizelimit,
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi result = func(*args,**kwargs)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi FILTER_ERROR: {'desc': 'Bad search filter'}
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi

Tags: ldap
Dolph Mathews (dolph)
Changed in keystone:
status: New → Triaged
importance: Undecided → Critical
importance: Critical → High
milestone: none → icehouse-rc2
Dolph Mathews (dolph)
tags: added: havana-backport-potential icehouse-rc-potential
Thierry Carrez (ttx)
tags: removed: icehouse-rc-potential
Brant Knudson (blk-u) wrote :

Looks like OpenLDAP accepts a search filter like "(cn=Doe, John)". It also accepts "(cn=Doe\\2c\\20John)"

I also tried this with an active directory server and it didn't have a problem with the escaped or unescaped filter:

$ ldapsearch -LLL -s one -b "cn=Users,dc=cfs1,dc=us" "(cn=Doe, John)" cn
dn: CN=Doe\, John,CN=Users,DC=cfs1,DC=us
cn: Doe, John

$ ldapsearch -LLL -s one -b "cn=Users,dc=cfs1,dc=us" "(cn=Doe\\2c\\20John)" cn
dn: CN=Doe\, John,CN=Users,DC=cfs1,DC=us
cn: Doe, John

Maybe there are different versions of AD that accept a ',' in the filter or not.

It actually looks like the error is coming from the python-ldap library and not from the server.

Dolph Mathews (dolph) wrote :

Kevin: what version of python-ldap is installed?

tags: added: icehosue-rc-potential
Changed in keystone:
milestone: icehouse-rc2 → none
Brant Knudson (blk-u) wrote :

OK, I was able to recreate this... keystone is generating a filter like

 (&(&(objectClass=groupOfNames)(member=cn=Doe\, John,ou=Users,dc=openstack,dc=org))(objectClass=groupOfNames))

which even ldapsearch doesn't like. It doesn't mind

  (&(&(objectClass=groupOfNames)(member=cn=Doe, John,ou=Users,dc=openstack,dc=org))(objectClass=groupOfNames))

Brant Knudson (blk-u)
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/85402

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/85458

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/85460

Dolph Mathews (dolph)
tags: added: icehouse-rc-potential
removed: icehosue-rc-potential
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/85478

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/85402
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=594024a4413560dc433ccfeea869493b23100cc7
Submitter: Jenkins
Branch: master

commit 594024a4413560dc433ccfeea869493b23100cc7
Author: Brant Knudson <email address hidden>
Date: Fri Apr 4 10:50:07 2014 -0500

    Fix invalid LDAP filter for user ID with comma

    The Keystone server would respond with a 500 error when configured
    to use the LDAP identity backend and a request is made to get a
    token for a user that has an ID with a comma. The response is like:

     Authorization Failed: An unexpected error prevented the server from
     fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500)

    This is because the user DN wasn't properly escaped in the filter
    for the query to get the groups that the user is a member of.

    Closes-Bug: #1302106

    Change-Id: Ib4886e66af0e979fcf23a84bcd51b07034547cb9

Changed in keystone:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in keystone:
milestone: none → icehouse-rc2
Thierry Carrez (ttx)
tags: removed: icehouse-rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (milestone-proposed)

Reviewed: https://review.openstack.org/85460
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5b5331fa02de38207cd81922d5794192ebb4b77a
Submitter: Jenkins
Branch: milestone-proposed

commit 5b5331fa02de38207cd81922d5794192ebb4b77a
Author: Brant Knudson <email address hidden>
Date: Fri Apr 4 10:50:07 2014 -0500

    Fix invalid LDAP filter for user ID with comma

    The Keystone server would respond with a 500 error when configured
    to use the LDAP identity backend and a request is made to get a
    token for a user that has an ID with a comma. The response is like:

     Authorization Failed: An unexpected error prevented the server from
     fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500)

    This is because the user DN wasn't properly escaped in the filter
    for the query to get the groups that the user is a member of.

    Closes-Bug: #1302106

    Change-Id: Ib4886e66af0e979fcf23a84bcd51b07034547cb9

Changed in keystone:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/85478
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bc8f37ab324f9d044dfced13bf631c3a005f8c99
Submitter: Jenkins
Branch: master

commit bc8f37ab324f9d044dfced13bf631c3a005f8c99
Author: Brant Knudson <email address hidden>
Date: Fri Apr 4 15:24:30 2014 -0500

    Add tests for user ID with comma

    There were no tests where the user ID had a comma.

    Change-Id: I3378e451ec3110ac11868a63494b0c36267d5a25
    Related-Bug: #1302106

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/87142

Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-rc2 → 2014.1
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/87142
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f32e86f1f56c8b004f06bc58e25a06b9fde1600c
Submitter: Jenkins
Branch: master

commit f32e86f1f56c8b004f06bc58e25a06b9fde1600c
Author: Brant Knudson <email address hidden>
Date: Sun Apr 13 19:10:14 2014 -0500

    Escape values in LDAP search filters

    LDAP search filter strings need to have special characters escaped
    in order to be valid. There were some places where filter strings
    were constructed where the value was not escaped.

    Change-Id: Ib7870bc92d3af9066bb15e863cac4abd06f00768
    Related-Bug: #1302106

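Brant's earlier comment and the two commit messages above describe the same mechanism: the user's RDN value is escaped under DN rules (RFC 4514), so 'Doe, John' becomes 'Doe\, John', and pasting that DN string into a search filter unchanged leaves a backslash that is not a valid RFC 4515 filter escape (backslash plus two hex digits). The client library rejects such a filter with FILTER_ERROR before it reaches the directory server, which is the 'Bad search filter' in the trace. The following is an added example, not Keystone's code and not python-ldap's: it implements both escaping layers in pure Python and a small checker for the malformed-escape condition. In a real deployment python-ldap's `ldap.filter.escape_filter_chars` does the filter-side escaping; the helper names, the `build_user_groups_filter` shape and the sample DN here are constructed for the illustration.

```python
import re

# RFC 4515 section 3: inside a filter assertion value these characters must
# be written as a backslash followed by two hex digits. A backslash that is
# NOT followed by two hex digits makes the whole filter syntactically
# invalid, which the client library reports as 'Bad search filter'.
_FILTER_SPECIALS = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an
# RDN attribute value (plus '#' at the start and a space at either end).
_DN_SPECIALS = set(',+"\\<>;=')

# A backslash not followed by two hex digits is an invalid filter escape.
_BAD_FILTER_ESCAPE = re.compile(r"\\(?![0-9a-fA-F]{2})")


def escape_dn_value(value):
    """Escape an attribute value for use in an RDN, e.g. 'Doe, John' -> 'Doe\\, John'."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _DN_SPECIALS
            or (i == 0 and ch in "# ")
            or (i == last and ch == " ")
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515).

    Works character by character, so an existing backslash (such as the one a
    DN-escaped comma carries) becomes '\\5c' and nothing is escaped twice.
    """
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def find_bad_filter_escapes(filter_str):
    """Return offsets of backslashes in filter_str that are not valid RFC 4515
    escapes. An empty list means the filter's escaping is well formed."""
    return [m.start() for m in _BAD_FILTER_ESCAPE.finditer(filter_str)]


def build_user_groups_filter(user_dn, group_objectclass="groupOfNames",
                             member_attr="member"):
    """Filter for 'groups that list user_dn as a member', with the DN escaped
    as a filter value. Hypothetical helper, not Keystone's own code."""
    return "(&(objectClass=%s)(%s=%s))" % (
        group_objectclass, member_attr, escape_filter_value(user_dn))


if __name__ == "__main__":
    # Constructed sample: the DN of a user whose CN contains a comma.
    user_dn = "cn=%s,ou=Users,dc=openstack,dc=org" % escape_dn_value("Doe, John")
    print("user DN      :", user_dn)

    # What the buggy code did: paste the DN string into the filter unchanged.
    broken = "(&(objectClass=groupOfNames)(member=%s))" % user_dn
    print("broken filter:", broken, "bad escapes at", find_bad_filter_escapes(broken))

    # With the DN escaped as a filter value the backslash becomes \5c.
    fixed = build_user_groups_filter(user_dn)
    print("fixed filter :", fixed, "bad escapes at", find_bad_filter_escapes(fixed))
```

The checker is deliberately narrow: it flags only the defect this bug is about (a bare backslash) and does not validate the rest of the filter grammar. Running the script shows the broken filter with one bad escape at the backslash of `Doe\,` and the fixed filter, carrying `Doe\5c,`, with none.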
Alan Pevec (apevec)
tags: removed: havana-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/havana)

Reviewed: https://review.openstack.org/85458
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1d98235fc91e152fb2f6d7e47224b043154e37a2
Submitter: Jenkins
Branch: stable/havana

commit 1d98235fc91e152fb2f6d7e47224b043154e37a2
Author: Brant Knudson <email address hidden>
Date: Fri Apr 4 10:50:07 2014 -0500

    Fix invalid LDAP filter for user ID with comma

    The Keystone server would respond with a 500 error when configured
    to use the LDAP identity backend and a request is made to get a
    token for a user that has an ID with a comma. The response is like:

     Authorization Failed: An unexpected error prevented the server from
     fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500)

    This is because the user DN wasn't properly escaped in the filter
    for the query to get the groups that the user is a member of.

    Closes-Bug: #1302106

    Change-Id: Ib4886e66af0e979fcf23a84bcd51b07034547cb9
