user id beginning with 0 cannot authenticate through ldap

Bug #1396763 reported by Steve Martinelli
Affects                        Status        Importance  Assigned to        Milestone
OpenStack Identity (keystone)  Fix Released  High        Steve Martinelli
Icehouse                       Won't Fix     High        Unassigned
Juno                           Fix Released  High        Richard Megginson

Bug Description

In the case where the [ldap] user_id_attribute = uid

Let's say a user attempts to authenticate with <email address hidden>, and the UID returned is 01234567.

The following log entries show that the leading 0 is dropped:

keystone.common.ldap.core [-] LDAP search: base=o=example.com scope=2 filterstr=(&(<email address hidden>)(objectClass=person)) attrs=['emailAddress', 'userPassword', 'enabled', 'uid'] attrsonly=0 search_s /opt/stack/keystone/keystone/common/ldap/core.py:926
keystone.common.ldap.core [-] LDAP unbind unbind_s /opt/stack/keystone/keystone/common/ldap/core.py:899
keystone.identity.core [-] ID Mapping - Domain ID: default, Default Driver: True, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /opt/stack/keystone/keystone/identity/core.py:321
keystone.identity.core [-] Local ID: 1234567 _set_domain_id_and_mapping_for_single_ref /opt/stack/keystone/keystone/identity/core.py:339
keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /opt/stack/keystone/keystone/common/ldap/core.py:575

** here is where the leading 0 is dropped **

keystone.common.ldap.core [-] LDAP search: base=o=example.com scope=2 filterstr=(&(uid=1234567)(objectClass=person)) attrs=['emailAddress', 'userPassword', 'enabled', 'uid'] attrsonly=0 search_s /opt/stack/keystone/keystone/common/ldap/core.py:926
keystone.common.ldap.core [-] LDAP unbind unbind_s /opt/stack/keystone/keystone/common/ldap/core.py:899
keystone.common.wsgi [-] Authorization failed. Invalid username or password (Disable debug mode to suppress these details.)

The main code in question is the following in keystone/common/ldap/core.py:
https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L110-L128

    def ldap2py(val):
        # Booleans first: LDAP_VALUES maps 'TRUE'/'FALSE' to True/False.
        try:
            return LDAP_VALUES[val]
        except KeyError:
            pass
        # Then a bare int() attempt: this is what turns '01234567' into 1234567.
        try:
            return int(val)
        except ValueError:
            pass
        # Everything else is returned as a decoded string.
        return utf8_decode(val)

Where we attempt to convert all fields to int, and if it fails proceed to string.

On a semi-related note: the PyCADF library explicitly expects user_ids to be strings, so I had to add str() to user_id in the _get_request_audit_info function, in notifications.py:

  initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, name=user_id, host=host)
    to
  initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, name=str(user_id), host=host)
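The following is an added illustration, not keystone's own code: it reproduces the ldap2py coercion quoted above, shows why a zero-prefixed uid no longer matches the directory on the second search, and contrasts it with a preserving variant that never coerces identifier attributes. LDAP_VALUES and utf8_decode are simplified stand-ins for keystone's helpers, and ldap2py_preserving is an assumed hardening for illustration, not the merged fix.

```python
# Stand-ins for keystone's helpers (assumption: simplified for this example).
LDAP_VALUES = {'TRUE': True, 'FALSE': False}


def utf8_decode(val):
    """Stand-in: bytes are decoded as UTF-8, text passes through unchanged."""
    return val.decode('utf-8') if isinstance(val, bytes) else val


def ldap2py_buggy(val):
    """The coercion quoted in the report: boolean, then int(), then text."""
    try:
        return LDAP_VALUES[val]
    except KeyError:
        pass
    try:
        return int(val)          # '01234567' becomes 1234567 here
    except ValueError:
        pass
    return utf8_decode(val)


def ldap2py_preserving(val, is_identifier=False):
    """Assumed hardening (not the merged fix): identifier attributes are
    never coerced to int, so '01234567' survives as text; every other
    attribute is converted exactly as before."""
    if is_identifier:
        return utf8_decode(val)
    return ldap2py_buggy(val)


def uid_filter(user_id):
    """Filter string keystone builds for the second search in the log."""
    return '(&(uid=%s)(objectClass=person))' % (user_id,)


def roundtrip_check(raw_uid, convert):
    """Detection helper: convert the raw uid the way keystone would, rebuild
    the lookup filter, and report whether it still matches the value the
    directory actually holds. Returns (converted, filter_string, matches)."""
    converted = convert(raw_uid)
    flt = uid_filter(converted)
    return converted, flt, flt == uid_filter(utf8_decode(raw_uid))
```

Running roundtrip_check with ldap2py_buggy on the constructed value b'01234567' yields the filter (&(uid=1234567)(objectClass=person)) from the log and a mismatch, while the preserving variant rebuilds the original uid.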

description: updated
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
Changed in keystone:
assignee: nobody → Steve Martinelli (stevemar)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/137449
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=474271683f5e44c6253b75102026cc8578c10d06
Submitter: Jenkins
Branch: master

commit 474271683f5e44c6253b75102026cc8578c10d06
Author: Steve Martinelli <email address hidden>
Date: Wed Nov 26 14:12:01 2014 -0500

    User ids that begin with 0 cannot authenticate through ldap

    Currently, in the ldap2py function, several fields are attempted
    to be converted to python friendly types.

    In doing so, an attempt to convert a field to int() is attempted,
    but in some cases, a user id may begin with a 0. When the user
    attempts to authenticate, they will be rejected since any additional
    query will use the id without the 0 in front.

    Closes-Bug: #1396763

    Change-Id: I1e2436b845e534f6cdb0398b5cca17d8502b905f

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/149807

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/juno)

Change abandoned by Richard Megginson (<email address hidden>) on branch: stable/juno
Review: https://review.openstack.org/149807
Reason: Had to rework the commit - see https://review.openstack.org/149854

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/juno)

Reviewed: https://review.openstack.org/149807
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a9a843eafc4712fc0685c65f9f7946a29f8b092e
Submitter: Jenkins
Branch: stable/juno

commit a9a843eafc4712fc0685c65f9f7946a29f8b092e
Author: Steve Martinelli <email address hidden>
Date: Wed Nov 26 14:12:01 2014 -0500

    User ids that begin with 0 cannot authenticate through ldap

    Currently, in the ldap2py function, several fields are attempted
    to be converted to python friendly types.

    In doing so, an attempt to convert a field to int() is attempted,
    but in some cases, a user id may begin with a 0. When the user
    attempts to authenticate, they will be rejected since any additional
    query will use the id without the 0 in front.

    Closes-Bug: #1396763

    Change-Id: I1e2436b845e534f6cdb0398b5cca17d8502b905f
    (cherry picked from commit 474271683f5e44c6253b75102026cc8578c10d06)

Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-1 → 2015.1.0
Thierry Carrez (ttx)
no longer affects: keystone/kilo