authenticate ldap binary fields fail when converting fields to utf8
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Nathan Kinder | |
| Icehouse | Fix Released | Medium | Nathan Kinder | |
Bug Description
When attempting to fetch a token with an LDAP-backed keystone authentication, users are never able to authenticate.
Setup:
Version: stable/icehouse
LDAP: Active Directory. User fields have many binary fields (i.e. thumbnail_image).
driver=
Observance
Request: When attempting to fetch a token with known valid creds via: keystone token-get
Response: The request you have made requires authentication. (HTTP 401)
Debugging Session:
During an IRC #openstack-keystone chat 8/11 with ayoung, wwriverrat1, mdorman, it was discovered the method _id_to_dn calls search without limiting the return attributes. When the internal search is performed, each of the attributes returned from LDAP is being converted to utf8, including the binary fields. This causes the call to raise an exception and quietly reject the request. If the code prevents these fields from returning, all is well.
Source (stable/icehouse):
https:/
Adding a search value for attrlist eliminated the error:
Changed the following line 470
'objclass': self.object_class})
to
'objclass': self.object_class}, attrlist=
resolved the issue.
This should be a safe fix because the actual return attributes are never needed nor returned. NOTE: passing in an empty list did not fix the problem.
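The failure described above, reproduced on constructed data as an added example (not Keystone's code and not part of the original report). The entry, the search() stand-in and the attrlist value ['cn'] are assumptions; the stand-in follows the LDAP rule that an empty attribute list selects all attributes, which matches the note that an empty list did not help.

```python
# Added example: constructed data, no LDAP server or python-ldap required.

# Constructed Active Directory-style entry in the shape an LDAP library
# returns it: attribute name -> list of raw byte values.
ENTRY_DN = "CN=jdoe,OU=Users,DC=example,DC=test"
ENTRY_ATTRS = {
    "cn": [b"jdoe"],
    "sAMAccountName": [b"jdoe"],
    "thumbnailPhoto": [b"\xff\xd8\xff\xe0\x00\x10JFIF"],  # JPEG header bytes
}


def search(attrlist=None):
    """Hypothetical stand-in for the directory search.

    Per RFC 4511, an empty or absent attribute list selects all user
    attributes, so attrlist=[] behaves exactly like attrlist=None.
    """
    if not attrlist:
        selected = dict(ENTRY_ATTRS)
    else:
        wanted = {a.lower() for a in attrlist}
        selected = {k: v for k, v in ENTRY_ATTRS.items() if k.lower() in wanted}
    return [(ENTRY_DN, selected)]


def to_utf8(results):
    """Decode every returned value as UTF-8, binary attributes included."""
    return [
        (dn, {k: [v.decode("utf-8") for v in vals] for k, vals in attrs.items()})
        for dn, attrs in results
    ]


def lookup_dn(attrlist=None):
    """Return the entry DN, or report the decode failure instead of hiding it."""
    try:
        return to_utf8(search(attrlist))[0][0]
    except UnicodeDecodeError as exc:
        return "decode failed: %s" % exc.reason


if __name__ == "__main__":
    for attrs in (None, [], ["cn"]):  # ['cn'] is an assumed text-only attribute
        print(attrs, "->", lookup_dn(attrs))
```

Only the call that names a text attribute returns the DN; the unrestricted and empty-list searches both pull in the binary value and fail on decode.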
tags: added: icehouse-backport-potential
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: ldap performance
summary:
- ldap binary fields fail when code try to convert to utf8
+ authenticate ldap binary fields fail when converting fields to utf8
tags: removed: icehouse-backport-potential
Changed in keystone:
milestone: none → juno-rc1
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: juno-rc1 → 2014.2
This fix is not working for me. Though it did change the error slightly:
before:
'utf8' codec can't decode byte 0x9d in position 13: invalid start byte
after:
[-] 'utf8' codec can't decode byte 0xf5 in position 2: invalid start byte