Cannot create a user with LDAP backend

Bug #1231772 reported by Brant Knudson on 2013-09-27
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Assigned to: Brant Knudson

Bug Description

When running Keystone with the LDAP identity backend, creating a user fails with 400 and "must be string, not None".

Set up devstack to use LDAP.

While devstack is running, commands fail, like this:

keystone user-create --name=nova --pass=mypwd --tenant_id 948d57ba2523423e96ca2f98c29973a8 --<email address hidden>

Here's the error in the Keystone log:

(keystone.common.ldap.core): 2013-09-26 21:10:35,701 DEBUG core add_s LDAP add: dn=cn=591959d3f2cd42d09230789af9504e12,ou=Users,dc=openstack,dc=org, attrs=[('objectClass', ['person', 'inetOrgPerson']), ('sn', ['nova']), ('userPassword', ['****']), (None, ['948d57ba2523423e96ca2f98c29973a8'])]

(keystone.common.wsgi): 2013-09-26 21:10:35,702 ERROR wsgi __call__ must be string, not None
Traceback (most recent call last):
  File "/opt/stack/keystone/keystone/common/", line 238, in __call__
    result = method(context, **params)
  File "/opt/stack/keystone/keystone/identity/", line 214, in create_user
    self.identity_api.create_user(user_id, user_ref))
  File "/opt/stack/keystone/keystone/", line 44, in wrapper
    result = f(*args, **kwargs)
  File "/opt/stack/keystone/keystone/identity/", line 177, in wrapper
    return f(self, *args, **kwargs)
  File "/opt/stack/keystone/keystone/identity/", line 322, in create_user
    ref = driver.create_user(user_id, user)
  File "/opt/stack/keystone/keystone/identity/backends/", line 95, in create_user
    user_ref = self.user.create(user)
  File "/opt/stack/keystone/keystone/identity/backends/", line 229, in create
    values = super(UserApi, self).create(values)
  File "/opt/stack/keystone/keystone/common/ldap/", line 730, in create
    return super(EnabledEmuMixIn, self).create(values)
  File "/opt/stack/keystone/keystone/common/ldap/", line 328, in create
    conn.add_s(self._id_to_dn(values['id']), attrs)
  File "/opt/stack/keystone/keystone/common/ldap/", line 551, in add_s
    return self.conn.add_s(dn, ldap_attrs)
  File "/usr/lib/python2.7/dist-packages/ldap/", line 193, in add_s
    msgid = self.add(dn,modlist)
  File "/usr/lib/python2.7/dist-packages/ldap/", line 190, in add
    return self.add_ext(dn,modlist,None,None)
  File "/usr/lib/python2.7/dist-packages/ldap/", line 176, in add_ext
    return self._ldap_call(self._l.add_ext,dn,modlist,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls))
  File "/usr/lib/python2.7/dist-packages/ldap/", line 96, in _ldap_call
    result = func(*args,**kwargs)
TypeError: must be string, not None

Also, the error should be 500 Internal Server Error and not 400 Bad Request.

Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
status: New → In Progress

Related fix proposed to branch: master

Dolph Mathews (dolph) on 2013-09-27
Changed in keystone:
importance: Undecided → High
milestone: none → havana-rc1

Submitter: Jenkins
Branch: master

commit 5db7c43f4f14aaf0899a365d8c5683301a0479c3
Author: Brant Knudson <email address hidden>
Date: Thu Sep 26 21:24:00 2013 -0500

    Fix error when create user with LDAP backend

    Creating users would fail when using the LDAP backend. The error
    from the server was '400 Bad Request' with the message
    'must be string, not None'.

    The fix is to filter out 'None' attr names when creating a user.

    Closes-Bug: #1231772

    Change-Id: I747f39039b9c840a3e5861b66996dee328510cd6

Changed in keystone:
status: In Progress → Fix Committed
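
The failure and the fix described in the commit message above, as an added sketch that is not Keystone's code: an API field with no configured LDAP attribute produces a `None` attribute name in the add list (the `(None, [...])` entry in the DEBUG line), and filtering those entries lets the add proceed. The mapping, the function names and the stand-in type check are assumptions made for this example; the sample values are taken from the log in the report.

```python
# Added illustration; all names here are hypothetical, not Keystone's own.

# Constructed mapping from API field names to LDAP attribute names.
# 'tenant_id' has no LDAP attribute configured, so it maps to None.
ATTRIBUTE_MAPPING = {
    "name": "sn",
    "password": "userPassword",
    "tenant_id": None,
}
OBJECT_CLASSES = ["person", "inetOrgPerson"]

# Sample user built from the values visible in the bug report.
SAMPLE_USER = {
    "id": "591959d3f2cd42d09230789af9504e12",
    "name": "nova",
    "password": "mypwd",
    "tenant_id": "948d57ba2523423e96ca2f98c29973a8",
}


def build_attrs_unfiltered(values):
    """Reproduce the failing shape: unmapped fields get a None attr name."""
    attrs = [("objectClass", list(OBJECT_CLASSES))]
    for field, value in values.items():
        if field == "id" or value is None:
            continue  # the id goes into the DN, not the attribute list
        attrs.append((ATTRIBUTE_MAPPING.get(field), [value]))
    return attrs


def build_attrs_filtered(values):
    """Drop entries whose attribute name is None before the LDAP add."""
    return [(name, vals) for name, vals in build_attrs_unfiltered(values)
            if name is not None]


def check_attr_names(attrs):
    """Stand-in for the LDAP client's requirement that names are strings."""
    for name, _vals in attrs:
        if not isinstance(name, str):
            raise TypeError("attribute name must be a string, got %r" % (name,))
    return True


if __name__ == "__main__":
    print(build_attrs_unfiltered(SAMPLE_USER)[-1])  # entry with a None name
    print(check_attr_names(build_attrs_filtered(SAMPLE_USER)))
```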

Submitter: Jenkins
Branch: master

commit 1db2618601b38587a0b6eb3e1790a1c2de994000
Author: Morgan Fainberg <email address hidden>
Date: Thu Sep 26 19:41:26 2013 -0700

    Eliminate type error on search_s

    Guard the list comprehension to eliminate 'None' valued keys from
    the attrlist from causing an exception when trying to iterate on
    the None singleton.

    related-bug: #1231772
    Change-Id: I823a53d100b5e4210c767507e3233b61ed372068

Submitter: Jenkins
Branch: master

commit 333d49738434f7642f0a42edfabdd86eb6bc789e
Author: Brant Knudson <email address hidden>
Date: Thu Sep 26 22:36:22 2013 -0500

    Fix live LDAP tests

    The live LDAP tests were failing. The tests for case
    sensitivity for project name and user name failed because the
    attribute is not case sensitive. The test for updating a
    missing attribute with a falsy value was failing because the
    attribute chosen for the project description does not allow an
    empty string.

    Change-Id: I723c40b5eab24ac13e27fd040d0d881998f106db
    Related-Bug: #1231772

Thierry Carrez (ttx) on 2013-10-02
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-rc1 → 2013.2