With LDAP as the identity backend and a user/group name that has non-ASCII characters like "arc1Össk", assigning a role to such a user fails with the stack trace below. The UnicodeEncodeError comes from the installed python2-pyldap-2.4.35. This issue was fixed in the python2-pyldap-2.4.36 release with the changes in https://github.com/pyldap/pyldap/pull/95.
Currently stable/pike has a global requirement (https://github.com/openstack/requirements/blob/stable/pike/global-requirements.txt#L195) of pyldap>=2.4.20, which needs to be changed to pyldap>=2.4.36.
For more details on the issue, please refer to the links below:
https://stackoverflow.com/questions/38616020/pyldap-dn-encoding-error
https://github.com/pyldap/pyldap/issues/54
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi [req-8bc17bd4-e821-411d-b496-a75feca8448e 91476076d6686143dff68d08e87358a29daf0725c549008f9c0852d2c7ab8e42 38aa26ac274146778e655c6bcee3de68 - default default] 'ascii' codec can't encode character u'\xd6' in position 10: ordinal not in range(128): UnicodeEncodeError: 'ascii' codec can't encode character u'\xd6' in position 10: ordinal not in range(128)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi Traceback (most recent call last):
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi result = method(req, **params)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 93, in inner
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi self, f, check_function, request, None, *args, **kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 158, in protected_wrapper
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi check_function(self, request, prep_info, *args, **kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/assignment/controllers.py", line 625, in _check_grant_protection
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi ref['user'] = self.identity_api.get_user(user_id)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", l
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 634, in wrapper
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi return func(self, conn, *args, **kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 764, in search_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi attrsonly)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 773, in search_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 1180, in search_ext_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 1118, in _apply_method_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi return func(self,*args,**kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 766, in search_ext_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 762, in search_ext
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi timeout,sizelimit,
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 265, in _ldap_call
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi result = func(*args,**kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi UnicodeEncodeError: 'ascii' codec can't encode character u'\xd6' in position 10: ordinal not in range(128)
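A triage sketch for traces like the one above, added here as an example (it is not keystone or pyldap code): it parses the log line layout shown in this report, finds the innermost frame of the traceback, and reports whether the exception was raised inside the `ldap` binding rather than in keystone. The name `triage` and the result keys are made up for illustration; the sample lines are excerpted from the trace above.

```python
import re

# Line layout used in the trace above: timestamp, pid, level, logger, message.
PREFIX = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\d+) (\w+) (\S+) (.*)$")
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\S+)')
EXC = re.compile(r"^([A-Za-z_][\w.]*(?:Error|Exception)): (.*)$")

# Sample input: lines excerpted from the trace in this report.
SAMPLE = r"""
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi Traceback (most recent call last):
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 764, in search_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi attrsonly)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 265, in _ldap_call
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi result = func(*args,**kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi UnicodeEncodeError: 'ascii' codec can't encode character u'\xd6' in position 10: ordinal not in range(128)
"""


def triage(log_text):
    """Return the exception and innermost frame of the last traceback, or None."""
    frames, exc = [], None
    for raw in log_text.splitlines():
        m = PREFIX.match(raw)
        if not m or m.group(3) != "ERROR":
            continue
        msg = m.group(5).strip()
        if msg.startswith("Traceback (most recent call last)"):
            frames, exc = [], None  # a new traceback starts here
            continue
        frame = FRAME.search(msg)
        if frame:
            frames.append((frame.group(1), int(frame.group(2)), frame.group(3)))
            continue
        hit = EXC.match(msg)
        if hit:
            exc = hit.group(1), hit.group(2)
    if not frames or exc is None:
        return None
    path, line, func = frames[-1]
    return {
        "exception": exc[0],
        "origin": path,
        "line": line,
        "function": func,
        # Assumption: the binding is installed as the top-level "ldap" package.
        "in_ldap_binding": "/site-packages/ldap/" in path,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with `in_ldap_binding` set and a `UnicodeEncodeError` is the signature described in this report, and points at the installed pyldap version rather than at keystone's own code.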
I don't think global requirements is the problem here. It would appear that this is also an issue in master. Since pyldap is an optional dependency that is managed in setup.cfg, we'll need to bump it there [0]. Then we can discuss the process for backporting this to stable/pike with the stable maintenance team.
[0] https://github.com/openstack/keystone/blob/fbce49970cb005986f5e491583c07bb3644355b0/setup.cfg#L27