LDAP fails with paging support, "Critical extension is unavailable" 500 error
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Low
|
Unassigned | ||
Icehouse |
Won't Fix
|
Low
|
Unassigned |
Bug Description
Keystone raises a 500 error when trying to use paging on an LDAP server that doesn't support it (by setting [ldap] page_size to a non-zero integer)
# keystone user-list
An unexpected error prevented the server from fulfilling your request. {'desc': 'Critical extension is unavailable'} (HTTP 500)
And this is the keystone.log traceback:
2014-08-18 10:48:09.684 21606 ERROR keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
2014-08-18 10:48:09.684 21606 TRACE keystone.
IMHO, there should be a better error message and no 500 error should be raised.
tags: | added: ldap |
tags: | added: icehouse-backport-potential |
Changed in keystone: | |
status: | New → Confirmed |
tags: | removed: icehouse-backport-potential |
summary: |
- LDAP Critical extension is unavailable 500 error + LDAP fails with paging support, "Critical extension is unavailable" 500 + error |
Ionut,
There seems to be a better error message in the code. Judging by the trace provided this isn't running on the latest Keystone. What version are you seeing this with? I think the version you're running with predates the LDAP refactor [1], which improves that error message and it's much more descriptive [2].
I would suggest updating if you can and see if you can recreate the issue.
If the call still fails in _paged_search_s [3], then we should think about wrapping it in a try/except and handling it that way.
[1] https:/ /github. com/openstack/ keystone/ commit/ ebb59a75cecc71c a7cc137e16056a4 c8b513fd8d /github. com/openstack/ keystone/ blob/2e4977076c 6a48a472ff227c8 5f7e150438029ca /keystone/ common/ ldap/core. py#L988- L990 /github. com/openstack/ keystone/ blob/2e4977076c 6a48a472ff227c8 5f7e150438029ca /keystone/ common/ ldap/core. py#L967
[2] https:/
[3] https:/