Group lookup by name in LDAP via v3 fails

Bug #1468000 reported by Michael Tupitsyn
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Guang Yee |
Kilo | Fix Released | Medium | Brant Knudson |

Bug Description

This bug is similar to https://bugs.launchpad.net/keystone/+bug/1454309 but relates to groups. When issuing an "openstack group show <group_name>" command on a domain associated with LDAP, an invalid LDAP query is composed and Keystone returns ISE 500:

$ openstack --os-token ADMIN --os-url http://localhost:35357/v3 --os-identity-api-version 3 group show --domain ad 'Domain Admins'
ERROR: openstack An unexpected error prevented the server from fulfilling your request: {'desc': 'Bad search filter'} (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-06fd5907-6ade-4872-95ab-e66f0809986a)

Here's the log:

2015-06-23 15:59:41.627 8571 DEBUG keystone.common.ldap.core [-] LDAP search: base=CN=Users,DC=dept,DC=example,DC=org scope=2 filterstr=(&(&None(sAMAccountName=Domain Admins))(objectClass=group)) attrs=['cn', 'sAMAccountName', 'description'] attrsonly=0 search_s /home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/common/ldap/core.py:933
2015-06-23 15:59:41.628 8571 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/common/ldap/core.py:906
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi [-] {'desc': 'Bad search filter'}
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi Traceback (most recent call last):
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/common/wsgi.py", line 240, in __call__
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi result = method(context, **params)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/common/controller.py", line 202, in wrapper
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi return f(self, context, filters, **kwargs)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/identity/controllers.py", line 310, in list_groups
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi hints=hints)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/common/manager.py", line 54, in wrapper
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi return f(self, *args, **kwargs)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/identity/core.py", line 342, in wrapper
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi return f(self, *args, **kwargs)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/identity/core.py", line 353, in wrapper
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi return f(self, *args, **kwargs)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/identity/core.py", line 1003, in list_groups
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi ref_list = driver.list_groups(hints)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/identity/backends/ldap.py", line 164, in list_groups
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi return self.group.get_all_filtered(hints)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/identity/backends/ldap.py", line 402, in get_all_filtered
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi for group in self.get_all(query)]
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1507, in get_all
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi for x in self._ldap_get_all(ldap_filter)]
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1469, in _ldap_get_all
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi attrs)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 946, in search_s
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi attrlist_utf8, attrsonly)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 642, in wrapper
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi return func(self, conn, *args, **kwargs)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 772, in search_s
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi attrsonly)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 559, in search_s
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 920, in search_ext_s
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 862, in _apply_method_s
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi return func(self,*args,**kwargs)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 552, in search_ext_s
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 548, in search_ext
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi timeout,sizelimit,
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi File "/home/vagrant/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi result = func(*args,**kwargs)
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi FILTER_ERROR: {'desc': 'Bad search filter'}
2015-06-23 15:59:41.628 8571 ERROR keystone.common.wsgi
2015-06-23 15:59:41.650 8571 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [23/Jun/2015 15:59:41] "GET /v3/groups?domain_id=a225c3b5b4af44a2964b7f941538bc45&name=Domain+Admins HTTP/1.1" 500 459 0.104950

Bug is reproduced on current keystone master (Liberty).
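
Added example (not Keystone's code and not the committed fix): the logged filterstr contains the literal text None, which is what Python string formatting yields for an unset value. Assuming the filter was assembled that way, the code below reproduces the logged filter, builds it with the optional part omitted and the name escaped per RFC 4515, and applies a simplified structural check before the search; all function names and the "Ops (EMEA)" and "(cn=Domain*)" values used in testing are constructed.

```python
import re

# RFC 4515 escapes for characters that are special inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(=|~=|>=|<=)[^()]*")


def escape_value(value):
    """Escape a user-supplied value so it cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_group_filter(base_filter, name_attr, name, object_class):
    """Assumed shape of the faulty code: an unset base filter is formatted as 'None'."""
    query = "(&%s(%s=%s))" % (base_filter, name_attr, name)
    return "(&%s(objectClass=%s))" % (query, object_class)


def safe_group_filter(base_filter, name_attr, name, object_class):
    """Include the base filter only when it is set, and escape the name."""
    parts = [base_filter or "",
             "(%s=%s)" % (name_attr, escape_value(name)),
             "(objectClass=%s)" % object_class]
    return "(&%s)" % "".join(parts)


def _parse(s, i):
    """Consume one parenthesised filter at s[i]; return the index after it."""
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i:i + 1] in ("&", "|"):
        i += 1
        while s[i:i + 1] == "(":
            i = _parse(s, i)
    elif s[i:i + 1] == "!":
        i = _parse(s, i + 1)
    else:
        end = s.find(")", i)
        if end == -1 or not _ITEM.fullmatch(s[i:end]):
            raise ValueError("bad filter item at offset %d" % i)
        i = end
    if s[i:i + 1] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def is_well_formed(filterstr):
    """Simplified structural check to run before passing the filter to search_s."""
    try:
        return _parse(filterstr, 0) == len(filterstr)
    except ValueError:
        return False
```

Rejecting a malformed filter before the LDAP call lets the service return a client error or a clear log message instead of surfacing FILTER_ERROR as an HTTP 500.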

Changed in keystone:
assignee: nobody → Michael Tupitsyn (mikhail-tupitsyn)
status: New → In Progress
Changed in keystone:
importance: Undecided → Medium
milestone: none → liberty-1
Changed in keystone:
milestone: liberty-1 → liberty-2
Changed in keystone:
assignee: Michael Tupitsyn (mikhail-tupitsyn) → Guang Yee (guang-yee)
Henry Nash (henry-nash) wrote :

Guang - I just had to provide a patch for this to one of our products, so I have the fix - do you want me to take this and push up the patch?

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/194733
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ef37e2748d117ded3fa7279496f468fd65daf40c
Submitter: Jenkins
Branch: master

commit ef37e2748d117ded3fa7279496f468fd65daf40c
Author: Michael Tupitsyn <email address hidden>
Date: Tue Jun 23 09:23:10 2015 -0700

    Fix for LDAP filter on group search by name

    This fixes an invalid LDAP filter constructed by Keystone on v3 group
    show command (i.e. search group by name). Similar to bug
    https://bugs.launchpad.net/keystone/+bug/1454309 but relates to groups.

    Change-Id: Iae5d539cd0dc032b6126c50a6ba4c8100254edd5
    Closes-Bug: 1468000

Changed in keystone:
status: In Progress → Fix Committed
tags: added: kilo-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/205595

Alan Pevec (apevec)
tags: removed: kilo-backport-potential
Changed in keystone:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/205595
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=666be4d0c167f879c4d2f0f9a805d5ee9f7dcb13
Submitter: Jenkins
Branch: stable/kilo

commit 666be4d0c167f879c4d2f0f9a805d5ee9f7dcb13
Author: Michael Tupitsyn <email address hidden>
Date: Tue Jun 23 09:23:10 2015 -0700

    Fix for LDAP filter on group search by name

    This fixes an invalid LDAP filter constructed by Keystone on v3 group
    show command (i.e. search group by name). Similar to bug
    https://bugs.launchpad.net/keystone/+bug/1454309 but relates to groups.

    Change-Id: Iae5d539cd0dc032b6126c50a6ba4c8100254edd5
    Closes-Bug: 1468000
    (cherry picked from commit ef37e2748d117ded3fa7279496f468fd65daf40c)

Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-2 → 8.0.0