user id beginning with 0 cannot authenticate through ldap
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Steve Martinelli | |
Icehouse | Won't Fix | High | Unassigned | |
Juno | Fix Released | High | Richard Megginson | |
Bug Description
In the case where the [ldap] user_id_attribute = uid
Let's say a user attempts to authenticate with <email address hidden>, and the UID returned is 01234567.
The following log entries show that the leading 0 is dropped:
keystone.
keystone.
keystone.
keystone.
keystone.
** here is where the leading 0 is dropped **
keystone.
keystone.
keystone.
The main code in question is the following in keystone.
https:/
    try:
        return LDAP_VALUES[val]
    except KeyError:
        pass
    try:
        return int(val)
    except ValueError:
        pass
    return utf8_decode(val)
Where we attempt to convert all fields to int, and if it fails proceed to string.
On a semi-related note: the PyCADF library explicitly expects user_ids to be strings, so I had to add str() to user_id in the _get_request_
initiator = resource.
to
initiator = resource.
description: updated
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
Changed in keystone:
assignee: nobody → Steve Martinelli (stevemar)
status: Confirmed → In Progress
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: kilo-1 → 2015.1.0
no longer affects: keystone/kilo
Reviewed: https://review.openstack.org/137449
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=474271683f5e44c6253b75102026cc8578c10d06
Submitter: Jenkins
Branch: master
commit 474271683f5e44c6253b75102026cc8578c10d06
Author: Steve Martinelli <email address hidden>
Date: Wed Nov 26 14:12:01 2014 -0500
User ids that begin with 0 cannot authenticate through ldap
Currently, in the ldap2py function, several fields are attempted
to be converted to python friendly types.
In doing so, an attempt to convert a field to int() is attempted,
but in some cases, a user id may begin with a 0. When the user
attempts to authenticate, they will be rejected since any additional
query will use the id without the 0 in front.
Closes-Bug: #1396763
Change-Id: I1e2436b845e534f6cdb0398b5cca17d8502b905f
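
The following is an added example, not keystone's code and not the committed fix. It reproduces the conversion order quoted in the bug description, shows why the follow-up lookup by id fails, and generalizes slightly to other values that `int()` silently rewrites. The `LDAP_VALUES` contents, `utf8_decode`, `ldap2py_str_safe`, `lookup`, `mangled_ids` and the sample directory are assumptions made for illustration.

```python
# Added illustration; LDAP_VALUES contents, utf8_decode and the sample
# directory are stand-ins constructed for this example, not keystone code.
LDAP_VALUES = {"TRUE": True, "FALSE": False}  # assumed boolean mapping


def utf8_decode(val):
    return val.decode("utf-8") if isinstance(val, bytes) else str(val)


def ldap2py_lossy(val):
    """Conversion order from the bug description: lookup, int(), then string."""
    try:
        return LDAP_VALUES[val]
    except KeyError:
        pass
    try:
        return int(val)
    except ValueError:
        pass
    return utf8_decode(val)


def ldap2py_str_safe(val):
    """Hypothetical variant: accept int() only when it round-trips exactly."""
    try:
        return LDAP_VALUES[val]
    except KeyError:
        pass
    text = utf8_decode(val)
    try:
        number = int(text)
    except ValueError:
        return text
    return number if str(number) == text else text


def lookup(directory, user_id):
    """Stand-in for the additional query that re-uses the converted id."""
    return directory.get(str(user_id))


def mangled_ids(values):
    """Audit helper: attribute values the lossy conversion would alter."""
    return [v for v in values if str(ldap2py_lossy(v)) != v]


DIRECTORY = {"01234567": "alice", "7654321": "bob"}  # constructed sample
```

Running `mangled_ids` over an export of the attribute configured as `user_id_attribute` lists the accounts whose ids would not survive the conversion.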