Public bug reported:
An Openstack user attempting to integrate Keystone with AD has reported
that when his user contains a comma (full name CN='Doe, John'), a 'Bad
search filter' error is thrown. If the full name CN is instead 'John
Doe', authorization succeeds.
dpkg -l |grep keystone
ii keystone 1:2013.2.2-0ubuntu1~cloud0
OpenStack identity service - Daemons
ii python-keystone 1:2013.2.2-0ubuntu1~cloud0
OpenStack identity service - Python library
ii python-keystoneclient 1:0.3.2-0ubuntu1~cloud0
Client library for OpenStack Identity API
Relevant error message:
Authorization Failed: An unexpected error prevented the server from fulfilling
your request. {'desc': 'Bad search filter'} (HTTP 500)
Relevant stack trace:
2014-03-31 15:44:27.459 3018 ERROR keystone.common.wsgi [-] {'desc': 'Bad
search filter'}
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi Traceback (most recent
call last):
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in
__call__
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi result =
method(context, **params)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 94, in
authenticate
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi context, auth)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 272, in
_authenticate_local
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id, tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 369, in
_get_project_roles_and_ref
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id, tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 475, in
get_roles_for_user_and_project
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id, tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 160, in
get_roles_for_user_and_project
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_role_list =
_get_group_project_roles(user_id, project_ref)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 111, in
_get_group_project_roles
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_refs =
self.identity_api.list_groups_for_user(user_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 177, in
wrapper
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return f(self,
*args, **kwargs)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 425, in
list_groups_for_user
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_list =
driver.list_groups_for_user(user_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line
154, in list_groups_for_user
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return
self.group.list_user_groups(user_dn)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line
334, in list_user_groups
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi memberships =
self.get_all(query)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 388, in
get_all
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi for x in
self._ldap_get_all(filter)]
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 364, in
_ldap_get_all
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi
self.attribute_mapping.values())
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 571, in
search_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi res =
self.conn.search_s(dn, scope, query, attrlist)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 502, in search_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return
self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 495, in search_ext_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi msgid =
self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 491, in search_ext
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi timeout,sizelimit,
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi result =
func(*args,**kwargs)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi FILTER_ERROR: {'desc':
'Bad search filter'}
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi
** Affects: keystone
Importance: Undecided
Status: New
** Tags: ldap
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1302106
Title:
LDAP non-URL safe characters cause auth failure
Status in OpenStack Identity (Keystone):
New
Bug description:
An Openstack user attempting to integrate Keystone with AD has
reported that when his user contains a comma (full name CN='Doe,
John'), a 'Bad search filter' error is thrown. If the full name CN is
instead 'John Doe', authorization succeeds.
dpkg -l |grep keystone
ii keystone 1:2013.2.2-0ubuntu1~cloud0
OpenStack identity service - Daemons
ii python-keystone 1:2013.2.2-0ubuntu1~cloud0
OpenStack identity service - Python library
ii python-keystoneclient 1:0.3.2-0ubuntu1~cloud0
Client library for OpenStack Identity API
Relevant error message:
Authorization Failed: An unexpected error prevented the server from
fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500)
Relevant stack trace:
2014-03-31 15:44:27.459 3018 ERROR keystone.common.wsgi [-] {'desc': 'Bad
search filter'}
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi Traceback (most
recent call last):
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in
__call__
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi result =
method(context, **params)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 94, in
authenticate
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi context, auth)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 272, in
_authenticate_local
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id,
tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 369, in
_get_project_roles_and_ref
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id,
tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 475, in
get_roles_for_user_and_project
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi user_id,
tenant_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 160, in
get_roles_for_user_and_project
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_role_list =
_get_group_project_roles(user_id, project_ref)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/assignment/core.py", line 111, in
_get_group_project_roles
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_refs =
self.identity_api.list_groups_for_user(user_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 177, in
wrapper
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return f(self,
*args, **kwargs)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 425, in
list_groups_for_user
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi group_list =
driver.list_groups_for_user(user_id)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line
154, in list_groups_for_user
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return
self.group.list_user_groups(user_dn)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line
334, in list_user_groups
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi memberships =
self.get_all(query)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 388, in
get_all
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi for x in
self._ldap_get_all(filter)]
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 364, in
_ldap_get_all
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi
self.attribute_mapping.values())
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 571, in
search_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi res =
self.conn.search_s(dn, scope, query, attrlist)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 502, in search_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi return
self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 495, in search_ext_s
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi msgid =
self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 491, in search_ext
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi timeout,sizelimit,
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi result =
func(*args,**kwargs)
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi FILTER_ERROR:
{'desc': 'Bad search filter'}
2014-03-31 15:44:27.459 3018 TRACE keystone.common.wsgi
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1302106/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
