enabled emulation query must filter tree dn

Bug #1532345 reported by Brant Knudson on 2016-01-08
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Brant Knudson

Bug Description

If the user_tree_dn is set to something like cn=foo)bar and enabled emulation is enabled, the filter that's used to find the user in the enabled emulation entry is invalid. The filter will be like "(member=cn=user_id,cn=foo)bar)", which is invalid since the ) in foo)bar terminates the () in the filter. The ) needs to be escaped when used in a filter.

I assume an exception would be raised so user operations (like getting a token) would result in a 500.

While it's unlikely that anybody would actually configure their system this way, might as well fix it.
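
An added example (not part of the original report and not keystone's own code) of the escaping the description calls for: it builds the membership filter from the report's values with and without RFC 4515 escaping, then parses the result. The helper names are hypothetical, and the `cn=%s,%s` DN layout is assumed from the filter quoted above.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX when they
# appear inside the assertion value of a search filter.
_FILTER_SPECIALS = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# One "(attr=value)" item: the value may hold ordinary characters or \XX
# escapes, but no raw parenthesis, backslash or NUL.
_SIMPLE_ITEM = re.compile(
    r"\(([A-Za-z][A-Za-z0-9-]*)=((?:[^()\\\x00]|\\[0-9a-fA-F]{2})*)\)")


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Decode \\XX escapes, as a server does when it parses the filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_simple_filter(text):
    """Return (attr, decoded value), or None if text is not one valid item."""
    m = _SIMPLE_ITEM.fullmatch(text)
    if m is None:
        return None
    return m.group(1), unescape_filter_value(m.group(2))


def member_filter(user_id, tree_dn, escape=True):
    """Build the enabled-emulation membership filter for one user."""
    # Assumed DN layout, taken from the filter quoted in the report.
    user_dn = "cn=%s,%s" % (user_id, tree_dn)
    if escape:
        user_dn = escape_filter_value(user_dn)
    return "(member=%s)" % user_dn
```

With the report's `user_tree_dn` of `cn=foo)bar`, the unescaped filter fails to parse, while the escaped one decodes back to the exact DN that should be matched.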

Brant Knudson (blk-u) on 2016-01-08
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)

Fix proposed to branch: master
Review: https://review.openstack.org/265462

Changed in keystone:
status: New → In Progress

Reviewed: https://review.openstack.org/265462
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0cb49925e48238ccab662f1aa4042562625861bf
Submitter: Jenkins
Branch: master

commit 0cb49925e48238ccab662f1aa4042562625861bf
Author: Brant Knudson <email address hidden>
Date: Fri Jan 8 16:38:08 2016 -0600

    Test enabled emulation with special user_tree_dn

    When the enabled emulation is enabled and the user_tree_dn contains
    a special filter character such as ")", the filter that gets built
    is invalid. A test is added that shows the behavior is incorrect.

    Change-Id: I161d244a55083b27f9b228b29c6668aa43d4bfc9
    Partial-Bug: 1532345

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/262334
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=eeddfb8ffac00c0110cc8a1de5e07bb359f6d6e3
Submitter: Jenkins
Branch: master

commit eeddfb8ffac00c0110cc8a1de5e07bb359f6d6e3
Author: Brant Knudson <email address hidden>
Date: Tue Dec 29 17:54:30 2015 -0600

    Escape DN in enabled query

    Values in LDAP filter strings need to be escaped. The DN in the
    enabled query wasn't being escaped so it might cause an invalid
    query to be done.

    Closes-Bug: 1532345
    Change-Id: Ia97297b5919351f4710ab39af6f3be9623a83976

Changed in keystone:
milestone: none → mitaka-2
importance: Undecided → Medium

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/274441

Reviewed: https://review.openstack.org/274437
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=690191d21d982b4f25c9348c0b46f0c9cd9c5590
Submitter: Jenkins
Branch: stable/liberty

commit 690191d21d982b4f25c9348c0b46f0c9cd9c5590
Author: Brant Knudson <email address hidden>
Date: Fri Jan 8 16:38:08 2016 -0600

    Test enabled emulation with special user_tree_dn

    When the enabled emulation is enabled and the user_tree_dn contains
    a special filter character such as ")", the filter that gets built
    is invalid. A test is added that shows the behavior is incorrect.

    Change-Id: I161d244a55083b27f9b228b29c6668aa43d4bfc9
    Partial-Bug: 1532345
    (cherry picked from commit 0cb49925e48238ccab662f1aa4042562625861bf)

tags: added: in-stable-liberty

Reviewed: https://review.openstack.org/274441
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1f37f71088ab6fd148c7f456ea6cf3c7a87703a4
Submitter: Jenkins
Branch: stable/liberty

commit 1f37f71088ab6fd148c7f456ea6cf3c7a87703a4
Author: Brant Knudson <email address hidden>
Date: Tue Dec 29 17:54:30 2015 -0600

    Escape DN in enabled query

    Values in LDAP filter strings need to be escaped. The DN in the
    enabled query wasn't being escaped so it might cause an invalid
    query to be done.

    Closes-Bug: 1532345
    Change-Id: Ia97297b5919351f4710ab39af6f3be9623a83976
    (cherry picked from commit eeddfb8ffac00c0110cc8a1de5e07bb359f6d6e3)

This issue was fixed in the openstack/keystone 8.1.0 release.
