AttributeError: 'module' object has no attribute 'LDAP_CONTROL_PAGE_OID' with python-ldap 2.4

Bug #1381768 reported by Matt Fischer on 2014-10-15
This bug affects 6 people
Affects: OpenStack Identity (keystone) | Importance: Medium | Assigned to: Nathan Kinder
Affects: Juno | Importance: Medium | Assigned to: Yaguang Tang
Affects: keystone (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

When using LDAP backend with keystone Juno RC2, the following error occurs:

AttributeError: 'module' object has no attribute 'LDAP_CONTROL_PAGE_OID'

It looks like that attribute was removed in python-ldap 2.4, which breaks Ubuntu Trusty and Utopic and probably RHEL7.

More details on this change in the library are here:

https://mail.python.org/pipermail//python-ldap/2012q1/003105.html

Nathan Kinder (nkinder) on 2014-10-15
Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)

Fix proposed to branch: master
Review: https://review.openstack.org/128782

Changed in keystone:
status: New → In Progress

Nathan Kinder (nkinder) wrote :

Here are a few details about this issue that may help anyone encountering it before a fix is available in an actual release:

This issue is only triggered if the LDAP simple paged results control is being used. The use of this control can be avoided by disabling paging in keystone. This is done as follows in keystone.conf:

-----------------
[ldap]
...
page_size=0
-----------------

Note that disabling paging may be problematic if you have a large number of users in your LDAP server, as you could encounter LDAP search limits when performing operations such as listing users in Keystone. An alternative workaround if paging support is needed is to downgrade python-ldap to 2.3.x until such time that a fix is made available for Keystone.

Matt Fischer (mfisch) wrote :

I'll also note that 0 seems to be the default if you leave it commented out. However, in my case I need to have it enabled or I get a size limit exceeded error from my server.

Yaguang Tang (heut2008) on 2014-10-16
tags: added: icehouse-backport-potential
Changed in keystone:
importance: Undecided → Medium

Reviewed: https://review.openstack.org/128782
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1be4a15454e6917571bc937e3bb3589e8f79bc55
Submitter: Jenkins
Branch: master

commit 1be4a15454e6917571bc937e3bb3589e8f79bc55
Author: Nathan Kinder <email address hidden>
Date: Wed Oct 15 15:39:55 2014 -0700

    Use newer python-ldap paging control API

    The API for using the LDAP simple paged results control changed
    between python-ldap version 2.3 and 2.4. Our current implementation
    fails with an AttributeError when trying to use paging with version
    2.4 of python-ldap.

    This patch detects the capabilities of the underlying python-ldap
    version and uses the newer API in versions of python-ldap that have
    removed the older API.

    Change-Id: I2986e12daea3edf50f299af5927d2a05278e82f7
    Closes-bug: #1381768

Changed in keystone:
status: In Progress → Fix Committed
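
The capability check the commit message above describes, written out as an added example (not keystone's code and not part of the original report): it builds the paged results control through whichever python-ldap API is present and skips the control entirely when page_size is 0. OldCtrl, NewCtrl, FAKE_23, FAKE_24 and fake_server are constructed stand-ins for the 2.3-style and 2.4-style libraries and for a directory server, so the block runs without python-ldap; all function names are hypothetical.

```python
from types import SimpleNamespace as NS

PAGED_OID = "1.2.840.113556.1.4.319"  # RFC 2696 simple paged results control

def uses_old_api(ldap_mod):  # 2.3 has this module constant; 2.4 removed it
    return hasattr(ldap_mod, "LDAP_CONTROL_PAGE_OID")

def make_page_control(ldap_mod, page_size, cookie=""):
    """Request control for either API; None when paging is off (page_size=0)."""
    if page_size <= 0:
        return None
    cls = ldap_mod.controls.SimplePagedResultsControl
    if uses_old_api(ldap_mod):  # OID passed in, value is a (size, cookie) tuple
        return cls(ldap_mod.LDAP_CONTROL_PAGE_OID, True, (page_size, cookie))
    return cls(criticality=True, size=page_size, cookie=cookie)  # keyword form

def size_and_cookie(ldap_mod, ctrl):
    """Read (size, cookie) from a control in whichever shape the library uses."""
    return ctrl.controlValue if uses_old_api(ldap_mod) else (ctrl.size, ctrl.cookie)

def paged_search(ldap_mod, search_page, page_size):
    """Collect every entry; search_page(ctrl) -> (entries, server_controls)."""
    entries, cookie = [], ""
    while True:
        page, replies = search_page(make_page_control(ldap_mod, page_size, cookie))
        entries.extend(page)
        paged = [c for c in replies if c.controlType == PAGED_OID]
        cookie = size_and_cookie(ldap_mod, paged[0])[1] if paged else ""
        if not cookie:  # empty cookie: the server has no further pages
            return entries

# Constructed stand-ins for the two library shapes and a paging directory.
class OldCtrl:
    def __init__(self, controlType, criticality, controlValue):
        self.controlType, self.controlValue = controlType, controlValue
class NewCtrl:
    controlType = PAGED_OID
    def __init__(self, criticality=False, size=10, cookie=""):
        self.size, self.cookie = size, cookie

FAKE_23 = NS(LDAP_CONTROL_PAGE_OID=PAGED_OID, controls=NS(SimplePagedResultsControl=OldCtrl))
FAKE_24 = NS(controls=NS(SimplePagedResultsControl=NewCtrl))
def fake_server(ldap_mod, users):
    def search_page(ctrl):
        if ctrl is None:  # unpaged request: everything in one response
            return list(users), []
        size, cookie = size_and_cookie(ldap_mod, ctrl)
        start = int(cookie or 0)
        more = str(start + size) if start + size < len(users) else ""
        return users[start:start + size], [make_page_control(ldap_mod, size, more)]
    return search_page
```

The stand-in server does not model a server-side size limit, so the unpaged path always succeeds here; against a real directory that path is where a size limit exceeded error would surface.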

Reviewed: https://review.openstack.org/129770
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=db291b340e63b74d8d240abfc37d03fb163f33f1
Submitter: Jenkins
Branch: stable/juno

commit db291b340e63b74d8d240abfc37d03fb163f33f1
Author: Nathan Kinder <email address hidden>
Date: Wed Oct 15 15:39:55 2014 -0700

    Use newer python-ldap paging control API

    The API for using the LDAP simple paged results control changed
    between python-ldap version 2.3 and 2.4. Our current implementation
    fails with an AttributeError when trying to use paging with version
    2.4 of python-ldap.

    This patch detects the capabilities of the underlying python-ldap
    version and uses the newer API in versions of python-ldap that have
    removed the older API.

    Change-Id: I2986e12daea3edf50f299af5927d2a05278e82f7
    Closes-bug: #1381768
    (cherry picked from commit 1be4a15454e6917571bc937e3bb3589e8f79bc55)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in keystone (Ubuntu):
status: New → Confirmed

Mike Dorman (mdorman-m) wrote :

+1 on would like this backported to Icehouse.

Dolph Mathews (dolph) wrote :

This isn't easily backportable to icehouse, as LDAP core has changed significantly since. Anyone interested in tackling that?

Morgan Fainberg (mdrnstm) wrote :

I am afraid this would be a really ugly back port to Icehouse. If someone wants to take this on, I'd be happy to see it happen, but I know it'll be a large volume of work.

Changed in keystone:
milestone: none → kilo-1

Mike Dorman (mdorman-m) wrote :

The above patch is what I'm running locally against Icehouse. It does not seem that complicated, unless I am missing something major. I did briefly look at the cherry-pick, and that is quite a bit different. The above is working well for us.

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

Thierry Carrez (ttx) on 2014-12-17
Changed in keystone:
status: Fix Committed → Fix Released

Change abandoned by Mike Dorman (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/136659
Reason: I've upgraded to Juno so am no longer pursuing this backport to Icehouse.

Change abandoned by Eric Brown (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/151134
Reason: I was interested in getting the LDAP paging support in Icehouse, but I'm now okay to just move up to Juno.

James Page (james-page) wrote :

Marking fix released as we have both kilo and juno point releases in Ubuntu now.

Changed in keystone (Ubuntu):
status: Confirmed → Fix Released

Thierry Carrez (ttx) on 2015-04-30
Changed in keystone:
milestone: kilo-1 → 2015.1.0