Public bug reported:
When issuing "openstack user list --group <group_name> --domain
<domain>" command on a domain associated with OpenLDAP, an incorrect
LDAP query is composed and openstack-keystone reports error HTTP 500.
OpenLDAP is running on a CentOS 7 host.
OpenStack keystone release is Liberty running on a CentOS 7 host.
OpenLDAP version: OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12)
openstack v: 1.7.2
Keystone log when issuing the command:
LDAP search: base=cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain scope=0
filterstr=(objectClass=posixGroup) attrs=['memberUid'] attrsonly=0 search_s
/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:934
When translating the query to ldapsearch, it returns no results:
ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain \
    -s one -W -x -b cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain \
    "(objectClass=posixGroup)"
But with a scope option as subtree, it works fine:
ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain \
    -s sub -W -x -b cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain \
    "(objectClass=posixGroup)"
So the bug is the scope=0 option parsed by keystone though the
query_scope option in the domain config file is set to sub.
** Affects: keystone
Importance: Undecided
Status: New
** Tags: keystone liberty openldap
https://bugs.launchpad.net/bugs/1546040
Title:
Group membership lookup failed with error HTTP 500
Status in OpenStack Identity (keystone):
New
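Added example (not part of the original bug report and not keystone's code): the three LDAP search scopes from RFC 4511, whose numeric values 0, 1 and 2 correspond to ldapsearch's -s base, -s one and -s sub, evaluated over a constructed in-memory directory. The sample entries, the "example" domain component and all function names are assumptions made for illustration.

```python
# Numeric scope values per RFC 4511 (python-ldap's SCOPE_* constants use the same numbers).
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2
LDAPSEARCH_FLAG = {SCOPE_BASE: "base", SCOPE_ONELEVEL: "one", SCOPE_SUBTREE: "sub"}

# Constructed sample directory (DN -> attributes); "example" stands in for <domain>.
DIT = {
    "dc=example,dc=localdomain": {"objectClass": ["domain"]},
    "ou=Group,dc=example,dc=localdomain": {"objectClass": ["organizationalUnit"]},
    "cn=Cloudmembers,ou=Group,dc=example,dc=localdomain": {
        "objectClass": ["posixGroup"], "memberUid": ["alice", "bob"]},
    "cn=Admins,ou=Group,dc=example,dc=localdomain": {
        "objectClass": ["posixGroup"], "memberUid": ["carol"]},
}

def rdns(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is covered by a search at base_dn with the given scope."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    depth = len(entry) - len(base)      # 0 = the base itself, 1 = immediate child
    if depth < 0 or entry[depth:] != base:
        return False                    # not at or below the base
    if scope == SCOPE_BASE:
        return depth == 0               # only the base entry
    if scope == SCOPE_ONELEVEL:
        return depth == 1               # immediate children, never the base
    if scope == SCOPE_SUBTREE:
        return True                     # base entry plus every descendant
    raise ValueError("unknown scope: %r" % (scope,))

def search(base_dn, scope, object_class, attrs):
    """Return (dn, requested attributes) for in-scope entries of object_class."""
    return [
        (dn, {a: entry[a] for a in attrs if a in entry})
        for dn, entry in DIT.items()
        if in_scope(dn, base_dn, scope) and object_class in entry["objectClass"]
    ]

def compare_scopes(base_dn, object_class="posixGroup", attrs=("memberUid",)):
    """Run the same search under each scope, keyed by the ldapsearch -s value."""
    return {flag: search(base_dn, s, object_class, attrs) for s, flag in LDAPSEARCH_FLAG.items()}

if __name__ == "__main__":
    group = "cn=Cloudmembers,ou=Group,dc=example,dc=localdomain"
    for flag, hits in compare_scopes(group).items():
        print("-s %-4s -> %s" % (flag, hits))
```

When the search base is the group entry itself, base and sub scopes both return that entry, while one-level scope returns nothing because a group entry has no children.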