Keystone v3 user/tenant lookup by name via OpenStack CLI client fails

When using the openstack CLI client to look up users/tenants by name (e.g., openstack user show admin or openstack openstack project show AdminTenant), it fails with a 500 and the following traceback:

2015-05-12 09:27:22.483530 2015-05-12 09:27:22.483 31012 DEBUG keystone.common.ldap.core [-] LDAP search: base=ou=People,dc=local,dc=lan scope=2 filterstr=(&(&None(sn=admin))(objectClass=inetOrgPerson)) attrs=['cn', 'userPassword', 'enabled', 'sn', 'mail'] attrsonly=0 search_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:931
2015-05-12 09:27:22.483677 2015-05-12 09:27:22.483 31012 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:904
2015-05-12 09:27:22.485831 2015-05-12 09:27:22.483 31012 ERROR keystone.common.wsgi [-] {'desc': 'Bad search filter'}
2015-05-12 09:27:22.485874 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-05-12 09:27:22.485881 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in __call__
2015-05-12 09:27:22.485885 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi result = method(context, **params)
2015-05-12 09:27:22.485897 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 202, in wrapper
2015-05-12 09:27:22.485901 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi return f(self, context, filters, **kwargs)
2015-05-12 09:27:22.485904 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 223, in list_users
2015-05-12 09:27:22.485908 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi hints=hints)
2015-05-12 09:27:22.485911 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 52, in wrapper
2015-05-12 09:27:22.485915 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2015-05-12 09:27:22.485919 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 342, in wrapper
2015-05-12 09:27:22.485922 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2015-05-12 09:27:22.485926 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 353, in wrapper
2015-05-12 09:27:22.485930 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2015-05-12 09:27:22.485933 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 791, in list_users
2015-05-12 09:27:22.485937 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi ref_list = driver.list_users(hints)
2015-05-12 09:27:22.485941 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 82, in list_users
2015-05-12 09:27:22.485944 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi return self.user.get_all_filtered(hints)
2015-05-12 09:27:22.485948 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 269, in get_all_filtered
2015-05-12 09:27:22.485951 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi return [self.filter_attributes(user) for user in self.get_all(query)]
2015-05-12 09:27:22.485964 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1863, in get_all
2015-05-12 09:27:22.485968 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi for x in self._ldap_get_all(ldap_filter)
2015-05-12 09:27:22.485972 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1467, in _ldap_get_all
2015-05-12 09:27:22.485975 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi attrs)
2015-05-12 09:27:22.485979 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 944, in search_s
2015-05-12 09:27:22.485983 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi attrlist_utf8, attrsonly)
2015-05-12 09:27:22.485986 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 541, in search_s
2015-05-12 09:27:22.485995 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi attrlist, attrsonly)
2015-05-12 09:27:22.485999 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 552, in search_s
2015-05-12 09:27:22.486002 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2015-05-12 09:27:22.486009 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 545, in search_ext_s
2015-05-12 09:27:22.486013 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2015-05-12 09:27:22.486017 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 541, in search_ext
2015-05-12 09:27:22.486036 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi timeout,sizelimit,
2015-05-12 09:27:22.486040 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
2015-05-12 09:27:22.486044 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi result = func(*args,**kwargs)
2015-05-12 09:27:22.486047 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi FILTER_ERROR: {'desc': 'Bad search filter'}
2015-05-12 09:27:22.486050 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi

The LDAP filter string is being composed in a way that causes None to be substituted in at one point: (&(&None(sn=admin))(objectClass=inetOrgPerson))

I traced it through the code and found that the problem method is keystone.common.ldap.core.BaseLdap.filter_query (line 1674 of keystone/common/ldap/core.py on the stable/kilo branch). The method argument query is None by default, which ends up being substituted into the query string later on. Changing the default value of query to an empty string causes things to function as expected.

(I am waiting on internal permission to contribute code, so I haven't created a PR for this at this time.)