Public bug reported:

I tried to add users to AD/Ldap through keystone with the following curl command -
curl -s -k -H 'X-Auth-Token: ADMIN' -H 'Content-Type: application/json' -d '{"user": {"name": "test7", "password": "Devtest123"}}' http://localhost:35357/v3/users

Keystone showed the following stack trace -
 __init__ /home/leonchio/dev/keystone/keystone/common/ldap/core.py:713
2014-06-13 10:40:50.064 1420 DEBUG keystone.common.ldap.core [-] LDAP bind: 
dn=CN=Administrator,CN=Users,DC=vlan44,DC=domain simple_bind_s 
/home/leonchio/dev/keystone/keystone/common/ldap/core.py:773
('########## values ########## %s', {'password': 
'{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn', 'enabled': True, 'id': 
'1c81387f5aea40329bc9f77c90109c66', 'name': u'test7'})
2014-06-13 10:40:50.066 1420 DEBUG keystone.common.ldap.core [-] LDAP add: 
dn=cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain, 
attrs=[('objectClass', [u'person', u'user']), ('userPassword', ['****']), 
('enabled', [u'TRUE']), ('cn', [u'test7'])] add_s 
/home/leonchio/dev/keystone/keystone/common/ldap/core.py:793
2014-06-13 10:40:50.068 1420 DEBUG keystone.common.ldap.core [-] LDAP unbind 
unbind_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:779
2014-06-13 10:40:50.068 1420 ERROR keystone.common.wsgi [-] {'info': "00002081: 
NameErr: DSID-03050CDA, problem 2003 (BAD_ATT_SYNTAX), data 0, best match 
of:\n\t'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n", 
'desc': 'Invalid DN syntax'}
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi Traceback (most recent 
call last):
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/common/wsgi.py", line 207, in __call__
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     result = 
method(context, **params)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/common/controller.py", line 152, in inner
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return f(self, 
context, *args, **kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/identity/controllers.py", line 276, in 
create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     ref = 
self.identity_api.create_user(ref['id'], ref)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/notifications.py", line 74, in wrapper
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     result = f(*args, 
**kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/identity/core.py", line 189, in wrapper
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return f(self, 
*args, **kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/identity/core.py", line 299, in 
create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     ref = 
driver.create_user(user_id, user)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/identity/backends/ldap.py", line 91, in 
create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     user_ref = 
self.user.create(user)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/identity/backends/ldap.py", line 231, in 
create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     values = 
super(UserApi, self).create(values)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 996, in create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return 
super(EnabledEmuMixIn, self).create(values)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 566, in create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     
conn.add_s(self._id_to_dn(values['id']), attrs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 797, in add_s
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return 
self.conn.add_s(dn_utf8, ldap_attrs_utf8)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 194, in add_s
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return 
self.result(msgid,all=1,timeout=self.timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 422, in result
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     
res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 426, in 
result2
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     res_type, res_data, 
res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 432, in 
result3
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     ldap_result = 
self._ldap_call(self._l.result3,msgid,all,timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File 
"/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in 
_ldap_call
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     result = 
func(*args,**kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi INVALID_DN_SYNTAX: 
{'info': "00002081: NameErr: DSID-03050CDA, problem 2003 (BAD_ATT_SYNTAX), data 
0, best match 
of:\n\t'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n", 
'desc': 'Invalid DN syntax'}
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi 
2014-06-13 10:40:50.072 1420 INFO eventlet.wsgi.server [-] 127.0.0.1 - - 
[13/Jun/2014 10:40:50] "POST /v3/users HTTP/1.1" 500 497 0.065392

And a similar error happens when adding users to OpenLdap.

Here is what I found out -
AD/Ldap: There are 2 issues that cause this bug.
    1.  In core.create(self, values), the param 'values' passes the following, 
like what I have in my above debug message:
         ('########## values ########## %s', {'password': 
'{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn', 'enabled': True, 'id': 
'1c81387f5aea40329bc9f77c90109c66', 'name': u'test7'})
         This is the list of attributes passed to the AD, except the 'id' 
attribute, as it will be stripped in the method. And what the AD does not like 
is the 'enabled' attribute. Stripping it out is 1 of the two fixes.
    2.  At the end of core.create(self, values), there is a call as the 
following -
        conn.add_s(self._id_to_dn(values['id']), attrs)
        self._id_to_dn(values['id']) will return the following -
        cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain
        Somehow this cn got replaced with the 'id' instead of the actual user's 
name, which is 'test7', and causes the second issue. And it looks like AD expects 
the cn to be the same value as the attribute 'name' in Point 1.

OpenLdap: 
    It has the same issue as Point 1 for AD/Ldap, but it has no issue with 
Point 2.

Summary:
    Stripping out the attribute 'enabled' and making the cn=<attribute name> will 
fix the issue.
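The two defects and the fix described in the report, as an added example that is not Keystone's own code: a minimal model of the LDAP add request that core.create() is described as building, so the failing request and the corrected one can be compared side by side. The helper names (build_add_request, escape_rdn_value, sends_enabled_attribute), the Keystone-key-to-LDAP-attribute mapping (inferred from the 'LDAP add' debug line) and the tree DN cn=Users,dc=vlan44,dc=domain (taken from the trace) are assumptions of this example. It goes one step beyond the report by escaping the RDN value per RFC 4514, which becomes necessary once the entry is named after a caller-supplied 'name' instead of a generated hex id.

```python
# Added example, not Keystone's own code: a model of the add request the
# report describes, with the proposed fix selectable via fixed=True.
# All function names and the attribute mapping here are assumptions.

# Characters that RFC 4514 section 2.4 requires to be escaped inside an
# RDN attribute value (plus leading '#', leading/trailing space, NUL).
_DN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape a string so it is safe to embed as an RDN attribute value.

    Needed as soon as the RDN is built from a caller-supplied name instead
    of a hex id: a name containing ',' or '+' would otherwise be parsed by
    the server as additional RDN components, changing where the entry lands.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def _to_ldap_value(val):
    """Render a Python value the way the debug line shows it (True -> 'TRUE')."""
    if isinstance(val, bool):
        return 'TRUE' if val else 'FALSE'
    return str(val)


# Keystone-side key -> LDAP attribute, inferred from the 'LDAP add' debug
# line in the report ('name' became cn, 'password' became userPassword).
_ATTRIBUTE_MAPPING = {'name': 'cn', 'password': 'userPassword'}
_OBJECT_CLASSES = ['person', 'user']


def build_add_request(values, tree_dn, fixed=True):
    """Return (dn, attrs) for an LDAP add_s call.

    fixed=False reproduces the request from the report: 'enabled' is sent as
    an attribute and the RDN is the Keystone id.
    fixed=True applies the report's summary: 'enabled' is dropped and the
    RDN is the (escaped) user name.
    'id' is never sent as an attribute in either form, as the report states.
    """
    ignored = {'id', 'enabled'} if fixed else {'id'}
    attrs = [('objectClass', list(_OBJECT_CLASSES))]
    for key, val in values.items():
        if key in ignored:
            continue
        attrs.append((_ATTRIBUTE_MAPPING.get(key, key), [_to_ldap_value(val)]))
    rdn_source = values['name'] if fixed else values['id']
    dn = 'cn=%s,%s' % (escape_rdn_value(rdn_source), tree_dn)
    return dn, attrs


def sends_enabled_attribute(attrs):
    """Check for a unit test or log review: does the outgoing request carry
    the 'enabled' attribute the report says AD rejects?"""
    return any(name == 'enabled' for name, _ in attrs)


# Constructed sample input, mirroring the values dict from the debug output
# (the report's log masks the password as '****' only when printing attrs).
SAMPLE_VALUES = {
    'password': '{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn',
    'enabled': True,
    'id': '1c81387f5aea40329bc9f77c90109c66',
    'name': 'test7',
}
TREE_DN = 'cn=Users,dc=vlan44,dc=domain'

if __name__ == '__main__':
    for fixed in (False, True):
        dn, attrs = build_add_request(SAMPLE_VALUES, TREE_DN, fixed=fixed)
        print('fixed=%s dn=%s enabled_sent=%s'
              % (fixed, dn, sends_enabled_attribute(attrs)))
        print('  attrs=%r' % (attrs,))
```

Running the block prints both forms of the request; with fixed=False the DN is the id-based one from the trace and 'enabled' is in the attribute list, with fixed=True the DN becomes cn=test7,cn=Users,dc=vlan44,dc=domain and 'enabled' is gone. sends_enabled_attribute() is the kind of assertion worth keeping in a test over the outgoing attrs so the emulation attribute cannot creep back into AD requests. The real driver's enabled handling lives in EnabledEmuMixIn (visible in the trace) and is not reproduced here.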

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1329891

Title:
  Keystone Not Able to Add Users to AD/Ldap and OpenLdap

Status in OpenStack Identity (Keystone):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1329891/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
