[SRU] ldap search should not encode attributes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Corey Bryant |
Ubuntu Cloud Archive | Fix Released | Critical | Unassigned |
Rocky | Fix Released | Critical | Unassigned |
keystone (Ubuntu) | Fix Released | Critical | Unassigned |
Cosmic | Fix Released | Critical | Unassigned |
Bug Description
[Impact]
Listing users with the LDAP backend fails
-------
$ openstack user list --debug --domain userdomain
Request returned failure status: 400
('attrs_
Traceback (most recent call last):
File "/home/
result = cmd.run(
File "/home/
return super(Command, self).run(
File "/home/
column_names, data = self.take_
File "/home/
group=group,
File "/home/
return wrapped(*args, **kwargs)
File "/home/
**kwargs)
File "/home/
return f(*args, **new_kwargs)
File "/home/
list_resp = self._list(
File "/home/
resp, body = self.client.
File "/home/
return self.request(url, 'GET', **kwargs)
File "/home/
resp = super(LegacyJso
File "/home/
return self.session.
File "/home/
raise exceptions.
keystoneauth1.
clean_up ListUser: ('attrs_
Traceback (most recent call last):
File "/home/
ret_val = super(OpenStack
File "/home/
result = self.run_
File "/home/
ret_value = super(OpenStack
File "/home/
result = cmd.run(
File "/home/
return super(Command, self).run(
File "/home/
column_names, data = self.take_
File "/home/
group=group,
File "/home/
return wrapped(*args, **kwargs)
File "/home/
**kwargs)
File "/home/
return f(*args, **new_kwargs)
File "/home/
list_resp = self._list(
File "/home/
resp, body = self.client.
File "/home/
return self.request(url, 'GET', **kwargs)
File "/home/
resp = super(LegacyJso
File "/home/
return self.session.
File "/home/
raise exceptions.
keystoneauth1.
END return value: 1
/var/log/
-------
(keystone.
Traceback (most recent call last):
File "/usr/lib/
result = method(req, **params)
File "/usr/lib/
return f(self, request, filters, **kwargs)
File "/usr/lib/
domain_
File "/usr/lib/
__ret_val = __f(*args, **kwargs)
File "/usr/lib/
return f(self, *args, **kwargs)
File "/usr/lib/
return f(self, *args, **kwargs)
File "/usr/lib/
ref_list = self._handle_
File "/usr/lib/
return driver.
File "/usr/lib/
return self.user.
File "/usr/lib/
for user in self.get_all(query, hints)]
File "/usr/lib/
hints=hints)
File "/usr/lib/
return super(EnabledEm
File "/usr/lib/
for x in self._ldap_
File "/usr/lib/
return f(self, hints, *args, **kwargs)
File "/usr/lib/
attrs)
File "/usr/lib/
attrlist_utf8, attrsonly)
File "/usr/lib/
return func(self, conn, *args, **kwargs)
File "/usr/lib/
attrsonly)
File "/usr/lib/
return self.search_
File "/usr/lib/
return self._apply_
File "/usr/lib/
return func(self,
File "/usr/lib/
msgid = self.search_
File "/usr/lib/
timeout,
File "/usr/lib/
result = func(*args,
TypeError: ('attrs_
-------
In search_s() we're still encoding attrlist (note similar behavior in paged_search_s):
attrlist_utf8 = list(map(
Looking closer at the attribute list these all appear to be attribute names and that also appears to be how LDAP searches generally work; they specify attribute names they want to return, not values:
[b'enabled', b'sn', b'userPassword', b'cn', b'description', b'mail']
In Python 3 (and Python2 with bytes_mode=False) python-ldap no longer allows bytes for some fields (DNs, RDNs, attribute names, queries). Instead, text values are represented as str, the Unicode text type.
A prior patch to Keystone's LDAP backend (see commit eca0829c4c65e6b
Changing the above line of code to not utf8 encode the attrlist fixes the problem for me.
[Test Case]
Run charm-keystone-ldap functional tests for OpenStack Rocky or above. Upstream unit tests are also run.
[Regression Potential]
The only regression potential would be for PY2 code paths. PY3 code paths never worked for keystone's LDAP backend. The approach to the patch has purposefully minimized the amount of code required and therefore the regression potential for PY2. Note that Rocky for Ubuntu supports PY2 but as of Stein Ubuntu has dropped PY2 support.
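The behaviour described in this report, as an added example that is not Keystone or python-ldap code: a stand-in connection (`FakeConn`, a hypothetical name) enforces the Python 3 rule that DNs, filters and attribute names must be `str`, so a utf-8 encoded attrlist raises `TypeError` while a text attrlist succeeds and returns values as bytes. The helper names and the directory entry are constructed for illustration.

```python
# Added example. FakeConn is a simplified stand-in for a python-ldap
# connection under Python 3; it is not python-ldap code.

# Constructed sample entry: attribute names are text, values are bytes.
DIRECTORY = {
    "cn=alice,ou=Users,dc=example,dc=org": {
        "cn": [b"alice"], "sn": [b"Example"], "mail": [b"alice@example.org"],
    },
}


class FakeConn:
    def search_s(self, base, filterstr, attrlist=None):
        # Rule quoted in the report: DNs, filters and attribute names
        # must be str; bytes are rejected with TypeError.
        for field in [base, filterstr] + list(attrlist or []):
            if not isinstance(field, str):
                raise TypeError("expected str, got %r" % (field,))
        # The stand-in type-checks the filter but does not evaluate it.
        wanted = {a.lower() for a in attrlist} if attrlist else None
        return [
            (dn, {k: v for k, v in attrs.items()
                  if wanted is None or k.lower() in wanted})
            for dn, attrs in DIRECTORY.items() if dn.endswith(base)
        ]


def text_attrlist(attrlist):
    """Return attribute names as str, decoding any legacy bytes names."""
    if attrlist is None:
        return None
    return [a.decode("utf-8") if isinstance(a, bytes) else a
            for a in attrlist]


def search_encoded(conn, base, filterstr, attrlist):
    """Failing pattern: utf-8 encode the names before searching."""
    attrlist_utf8 = [a.encode("utf-8") for a in attrlist]
    return conn.search_s(base, filterstr, attrlist_utf8)


def search_text(conn, base, filterstr, attrlist):
    """Working pattern: names as text; values still come back as bytes."""
    return conn.search_s(base, filterstr, text_attrlist(attrlist))
```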
description: updated
Changed in cloud-archive:
status: New → Triaged
importance: Undecided → Critical
Changed in keystone (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
summary:
- ldap search should not encode attributes
+ [SRU] ldap search should not encode attributes
description: updated
Changed in keystone:
assignee: Corey Bryant (corey.bryant) → Frode Nordahl (fnordahl)
Changed in keystone:
milestone: none → stein-rc1
Changed in keystone:
assignee: Frode Nordahl (fnordahl) → Corey Bryant (corey.bryant)
Changed in cloud-archive:
status: Triaged → Fix Committed
Changed in keystone (Ubuntu Cosmic):
status: New → Triaged
importance: Undecided → Critical
Changed in cloud-archive:
status: Fix Committed → Fix Released
Changed in keystone:
importance: Undecided → High
tags: added: py3
Fix proposed to branch: master
Review: https://review.openstack.org/643670