When user in AD doesn't have ID field all user handlers error out

Bug #1478579 reported by Victor Denisov
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Boris Bobrov

Bug Description

We have keystone integrated with AD.

'user_id_attribute' is set to 'info'. So, when our users first get created in AD, they don't always have this field populated. When a user does not have a populated 'info' attribute, all keystone queries fail, not just queries or rows containing that user.

Jul 7 14:02:12 node-38 keystone-all ID attribute info not found in LDAP object <AD CN Object here>

Some examples of how I see keystone should behave in this situation:

List all users - list only correct users and ignore invalid.

Authenticate invalid user - this request should not be authenticated.

Dolph Mathews (dolph)
tags: added: ldap
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
Andrey Epifanov (aepifanov) wrote :

It looks like BaseLdap.get_all method in keystone.common.ldap.core should be fixed. If _ldap_res_to_model fails we shouldn't pass exception through but just skip failing item and move on.

Boris Bobrov (bbobrov)
Changed in keystone:
assignee: nobody → Boris Bobrov (bbobrov)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/207960

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/211088

Dolph Mathews (dolph) wrote :

I assume this is an issue in Kilo as well? The solution certainly looks backportable.

tags: added: kilo-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/211088
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5f309750df32dc8e6d3c851e5c6e7ddd89cd8878
Submitter: Jenkins
Branch: master

commit 5f309750df32dc8e6d3c851e5c6e7ddd89cd8878
Author: Boris Bobrov <email address hidden>
Date: Mon Aug 10 13:17:15 2015 +0300

    Expose exception due to missing id of LDAP entity

    There are cases when users get created in AD and don't always have
    `user_id_attribute` field populated because it is only a requirement for
    Openstack in the environment. When a user does not have a populated
    `user_id_attribute`, all keystone queries fail, not just queries or rows
    containing that user.

    Show that the exception occurs and get_all fails.

    Change-Id: Iac623f3a86d5c55d82d386048b1f908f59193e42
    Partial-Bug: 1478579

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/207960
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d796a5f19dae024fe7921aab463883ba93a92b77
Submitter: Jenkins
Branch: master

commit d796a5f19dae024fe7921aab463883ba93a92b77
Author: Boris Bobrov <email address hidden>
Date: Mon Aug 10 13:20:12 2015 +0300

    Prevent exception due to missing id of LDAP entity

    There are cases when users get created in AD and don't always have
    `user_id_attribute` field populated because it is only a requirement for
    Openstack in the environment. When a user does not have a populated
    `user_id_attribute`, all keystone queries fail, not just queries or rows
    containing that user.

    Fix the query to LDAP to fetch only entries that have id assigned.

    Change-Id: I0c7de36808ca6081ffc55a188a4583ddb5712bee
    Closes-Bug: 1478579

Changed in keystone:
milestone: none → liberty-3
status: Fix Committed → Fix Released
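The two approaches discussed in this thread, restricting the LDAP query to entries that have the id attribute (the merged fix) and skipping entries that still come back without it (Andrey's suggestion), as an added illustration that is not keystone's own code. The filter syntax is standard LDAP; the entry tuples, attribute names and log message are constructed for the example.

```python
# Added example, not keystone code: require the id attribute in the LDAP
# search filter, and make result conversion tolerate entries that lack it
# instead of failing the whole query.
import logging

LOG = logging.getLogger(__name__)


def with_id_required(base_filter, id_attr):
    """AND an LDAP presence test '(id_attr=*)' onto an existing filter string."""
    presence = '(%s=*)' % id_attr
    if not base_filter:
        return presence
    return '(&%s%s)' % (base_filter, presence)


def server_side_filter(entries, id_attr):
    """Emulate what the directory returns for the presence filter above:
    only entries where id_attr has at least one value."""
    return [(dn, attrs) for dn, attrs in entries if attrs.get(id_attr)]


def entries_to_models(entries, id_attr):
    """Convert (dn, attrs) tuples to user dicts. An entry without id_attr is
    logged and skipped so one bad AD object cannot break the whole listing."""
    models = []
    for dn, attrs in entries:
        values = attrs.get(id_attr) or []
        if not values:
            LOG.warning('ID attribute %s not found in LDAP object %s', id_attr, dn)
            continue
        models.append({'id': values[0], 'dn': dn})
    return models


# Constructed sample result set: the second user was just created in AD and
# has no 'info' (user_id_attribute) value yet.
SAMPLE_ENTRIES = [
    ('CN=alice,OU=Users,DC=example,DC=com', {'info': ['alice-id'], 'cn': ['alice']}),
    ('CN=bob,OU=Users,DC=example,DC=com', {'cn': ['bob']}),
]

if __name__ == '__main__':
    logging.basicConfig(level=logging.WARNING)
    print(with_id_required('(objectClass=person)', 'info'))
    print(entries_to_models(server_side_filter(SAMPLE_ENTRIES, 'info'), 'info'))
    print(entries_to_models(SAMPLE_ENTRIES, 'info'))
```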
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-3 → 8.0.0