LDAP attributes mapped to None can cause 500 errors

Bug #1335437 reported by Nathan Kinder
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Low | Nathan Kinder |
Icehouse | Fix Released | Low | Nathan Kinder |

Bug Description

When LDAP is being used as a backend, attributes that are mapped to 'None' will trigger a 500 error if they are not also configured to be ignored. This can be easily reproduced by modifying the default config as follows:

-------------------------------------------------------------
# List of attributes stripped off the user on update. (list
# value)
#user_attribute_ignore=default_project_id,tenants
user_attribute_ignore=tenants

# LDAP attribute mapped to default_project_id for users.
# (string value)
#user_default_project_id_attribute=<None>
-------------------------------------------------------------

If you then perform a 'keystone user-list', it will trigger a 500 error:

-------------------------------------------------------------
[root@keystone ~(keystone_admin)]# keystone user-list
Authorization Failed: An unexpected error prevented the server from fulfilling your request. (HTTP 500)
-------------------------------------------------------------

The end of the stacktrace in keystone.log clearly shows the problem:

-------------------------------------------------------------
2014-06-28 06:23:36.366 21931 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 502, in _ldap_res_to_model
2014-06-28 06:23:36.366 21931 TRACE keystone.common.wsgi v = lower_res[self.attribute_mapping.get(k, k).lower()]
2014-06-28 06:23:36.366 21931 TRACE keystone.common.wsgi AttributeError: 'NoneType' object has no attribute 'lower'
-------------------------------------------------------------

Nathan Kinder (nkinder)
Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/103325

Alan Pevec (apevec)
tags: added: icehouse-backport-potential
Changed in keystone:
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/103325
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=10a3edb7800d380ed72fcbbaae98251998c0e2c7
Submitter: Jenkins
Branch: master

commit 10a3edb7800d380ed72fcbbaae98251998c0e2c7
Author: Nathan Kinder <email address hidden>
Date: Sat Jun 28 08:05:42 2014 -0700

    Implicitly ignore attributes that are mapped to None in LDAP

    Attributes that are mapped to None in LDAP trigger a 500 error when
    performing a search if they are not explicitly ignored in keystone's
    configuration. These attributes should always be ignored, even if
    the admin left the attribute out of the ignore list.

    Change-Id: Ibbabdd0013059d5720250816764021a0b3ce8ce0
    Closes-bug: #1335437
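
A minimal model of the failure in the traceback and of the behaviour the commit message describes, as an added example that is not keystone's code. The function names, `MODEL_ATTRS`, and the sample mapping and LDAP entry are constructed assumptions; only the lookup expression is taken from the traceback in the report.

```python
# Added illustration: a simplified model of the lookup in the traceback,
# not keystone's code. All names and sample data here are constructed.

MODEL_ATTRS = ("id", "name", "default_project_id")  # assumed user model fields

def res_to_model_unpatched(res, mapping, ignore):
    """Map one LDAP result (dn, attrs) to a dict, as the failing line does."""
    _dn, attrs = res
    lower_res = {k.lower(): v for k, v in attrs.items()}
    obj = {}
    for k in MODEL_ATTRS:
        if k in ignore:
            continue
        try:
            # Expression from the traceback: a None mapping has no .lower()
            v = lower_res[mapping.get(k, k).lower()]
        except KeyError:
            continue  # attribute absent from this LDAP entry
        obj[k] = v[0]
    return obj

def effective_ignore(mapping, ignore):
    """Ignore list plus every attribute whose mapping is None."""
    unmapped = [k for k, v in mapping.items() if v is None]
    return list(ignore) + [k for k in unmapped if k not in ignore]

def res_to_model_patched(res, mapping, ignore):
    """Same lookup, with None-mapped attributes implicitly ignored."""
    return res_to_model_unpatched(res, mapping, effective_ignore(mapping, ignore))

def unignored_none_mappings(mapping, ignore):
    """Config check: attributes that would crash the unpatched lookup."""
    return sorted(k for k, v in mapping.items() if v is None and k not in ignore)

# Constructed inputs mirroring the modified config in the report.
MAPPING = {"id": "cn", "name": "sn", "default_project_id": None}
IGNORE = ["tenants"]
ENTRY = ("cn=alice,ou=Users,dc=example,dc=org", {"cn": ["alice"], "sn": ["Alice"]})

if __name__ == "__main__":
    print("at risk:", unignored_none_mappings(MAPPING, IGNORE))
    try:
        res_to_model_unpatched(ENTRY, MAPPING, IGNORE)
    except AttributeError as exc:
        print("unpatched:", exc)
    print("patched:", res_to_model_patched(ENTRY, MAPPING, IGNORE))
```

On deployments that do not yet carry the fix, a check like `unignored_none_mappings` run against the LDAP section of the configuration flags the attributes that must be added to the ignore list.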

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → juno-2
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/113744

Alan Pevec (apevec)
tags: removed: icehouse-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/icehouse)

Reviewed: https://review.openstack.org/113744
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c6cd627ea09e7d0dc40eee58ab2784353a71b2e0
Submitter: Jenkins
Branch: stable/icehouse

commit c6cd627ea09e7d0dc40eee58ab2784353a71b2e0
Author: Nathan Kinder <email address hidden>
Date: Sat Jun 28 08:05:42 2014 -0700

    Implicitly ignore attributes that are mapped to None in LDAP

    Attributes that are mapped to None in LDAP trigger a 500 error when
    performing a search if they are not explicitly ignored in keystone's
    configuration. These attributes should always be ignored, even if
    the admin left the attribute out of the ignore list.

    Change-Id: Ibbabdd0013059d5720250816764021a0b3ce8ce0
    Closes-bug: #1335437
    (cherry picked from commit 10a3edb7800d380ed72fcbbaae98251998c0e2c7)

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Ryan Hsu (<email address hidden>) on branch: master
Review: https://review.openstack.org/121711
Reason: Testing

Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-2 → 2014.2