keystone ldap does not support Hebrew

Bug #1609653 reported by wangchy
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

We are trying to integrate OpenStack Kilo with the customer's Active
Directory. We followed these steps:
http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
But we have some issues with users who are defined with Hebrew
distinguished names. Keystone ignores all user data that is
base64 encoded.

Digging into the source files, we found that the following changes are needed to enable the support:
--- keystone/common/ldap/core.py.orig 2016-07-15 11:13:02.894182008 +0100
+++ keystone/common/ldap/core.py 2016-07-18 10:22:32.958092493 +0100
@@ -13,6 +13,7 @@
 # under the License.

 import abc
+import base64
 import codecs
 import functools
 import os.path
@@ -117,7 +118,15 @@ def enabled2py(val):
         return int(val)
     except ValueError:
         pass
- return utf8_decode(val)
+ if val is None:
+ return None
+ if val.startswith(': '):
+ try:
+ return utf8_decode(base64.urlsafe_b64decode(val[2:]))
+ except:
+ return utf8_decode(val)
+ else:
+ return utf8_decode(val)

 def ldap2py(val):
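Review bot: the `if val is None` guard in enabled2py sits after `int(val)`, which is wrapped only in `except ValueError`, so a None value raises TypeError before the guard is ever reached; move the check to the top of the function or drop it. The decode branch is also a line-for-line copy of the one added to ldap2py in the next hunk, so a single helper called from both functions would keep the two from drifting apart. Given the function name, it is worth confirming with a sample value that an enabled attribute can arrive with the ': ' prefix at all before adding the branch here.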
@@ -129,7 +138,15 @@ def ldap2py(val):
     :param val: LDAP formatted value
     :returns: val converted to preferred Python type
     """
- return utf8_decode(val)
+ if val is None:
+ return None
+ if val.startswith(': '):
+ try:
+ return utf8_decode(base64.urlsafe_b64decode(val[2:]))
+ except:
+ return utf8_decode(val)
+ else:
+ return utf8_decode(val)

 def convert_ldap_result(ldap_result):
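Review bot: the bare `except:` around the decode in ldap2py swallows every exception, including KeyboardInterrupt and SystemExit, and silently falls back to the raw value; catch the specific decode failures instead (for example TypeError or binascii.Error from the base64 call). The `val.startswith(': ')` test is a heuristic with no comment explaining where the prefix comes from: any attribute value that legitimately begins with a colon and a space and happens to decode will be rewritten, which matters when the result is used as an identity attribute such as a user name or DN, so the docstring should state the source of the prefix and a test should cover a plain value that starts with ': '. `base64.urlsafe_b64decode` is the URL-safe alphabet variant; if the input is LDIF-style base64, `base64.b64decode` is the matching call.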

I've checked the source in Mitaka, and found that this case is not handled either. Not sure if it's considered in the Newton release.

In general, the Kilo, Liberty and Mitaka releases all have this bug.

Tags: ldap
Changed in keystone:
assignee: nobody → Kristi Nikolla (knikolla)
Steve Martinelli (stevemar) wrote :

Do you have any sample input we can use? I'm not sure it's necessary for enabled2py -- that portion is only used to determine if a user is enabled

Changed in keystone:
status: New → Triaged
milestone: none → newton-3
importance: Undecided → Medium
Changed in keystone:
milestone: newton-3 → none
tags: added: ldap
Steve Martinelli (stevemar) wrote :

unassigning due to inactivity

Changed in keystone:
assignee: Kristi Nikolla (knikolla) → nobody
Richard (csravelar)
Changed in keystone:
assignee: nobody → Richard (csravelar)
Richard (csravelar)
Changed in keystone:
assignee: Richard (csravelar) → nobody