Public bug reported:

I tried to add users to AD/Ldap through keystone with the following curl command -

curl -s -k -H 'X-Auth-Token: ADMIN' -H 'Content-Type: application/json' -d '{"user": {"name": "test7", "password": "Devtest123"}}' http://localhost:35357/v3/users

Keystone showed the following stack trace -

__init__ /home/leonchio/dev/keystone/keystone/common/ldap/core.py:713
2014-06-13 10:40:50.064 1420 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=Administrator,CN=Users,DC=vlan44,DC=domain simple_bind_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:773
('########## values ########## %s', {'password': '{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn', 'enabled': True, 'id': '1c81387f5aea40329bc9f77c90109c66', 'name': u'test7'})
2014-06-13 10:40:50.066 1420 DEBUG keystone.common.ldap.core [-] LDAP add: dn=cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain, attrs=[('objectClass', [u'person', u'user']), ('userPassword', ['****']), ('enabled', [u'TRUE']), ('cn', [u'test7'])] add_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:793
2014-06-13 10:40:50.068 1420 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:779
2014-06-13 10:40:50.068 1420 ERROR keystone.common.wsgi [-] {'info': "00002081: NameErr: DSID-03050CDA, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:\n\t'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n", 'desc': 'Invalid DN syntax'}
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/common/wsgi.py", line 207, in __call__
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     result = method(context, **params)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/common/controller.py", line 152, in inner
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return f(self, context, *args, **kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/identity/controllers.py", line 276, in create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     ref = self.identity_api.create_user(ref['id'], ref)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/notifications.py", line 74, in wrapper
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     result = f(*args, **kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/identity/core.py", line 189, in wrapper
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/identity/core.py", line 299, in create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     ref = driver.create_user(user_id, user)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/identity/backends/ldap.py", line 91, in create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     user_ref = self.user.create(user)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/identity/backends/ldap.py", line 231, in create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     values = super(UserApi, self).create(values)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 996, in create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return super(EnabledEmuMixIn, self).create(values)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 566, in create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     conn.add_s(self._id_to_dn(values['id']), attrs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/home/leonchio/dev/keystone/keystone/common/ldap/core.py", line 797, in add_s
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return self.conn.add_s(dn_utf8, ldap_attrs_utf8)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 194, in add_s
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     return self.result(msgid,all=1,timeout=self.timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 422, in result
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 426, in result2
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 432, in result3
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi     result = func(*args,**kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi INVALID_DN_SYNTAX: {'info': "00002081: NameErr: DSID-03050CDA, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:\n\t'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n", 'desc': 'Invalid DN syntax'}
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi
2014-06-13 10:40:50.072 1420 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [13/Jun/2014 10:40:50] "POST /v3/users HTTP/1.1" 500 497 0.065392

And the similar error happens when adding users to OpenLdap.

Here is what I found out -

AD/Ldap: There are 2 issues that cause this bug.

1. In core.create(self, values), the param 'values' passes the following, like what I have from my above debug message -

('########## values ########## %s', {'password': '{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn', 'enabled': True, 'id': '1c81387f5aea40329bc9f77c90109c66', 'name': u'test7'})

This is the list of attributes passed to the AD, except the 'id' attribute, as it will be stripped in the method. And what the AD does not like is the 'enabled' attribute. Stripping it out is 1 of the two fixes.

2. At the end of core.create(self, values), there is a call as the following -

conn.add_s(self._id_to_dn(values['id']), attrs)

self._id_to_dn(values['id']) will return the following -

cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain

Somehow this cn got replaced with the 'id' instead of the actual user's name, which is 'test7', and causes the second issue. And it looks like AD expects the cn to be the same value as the attribute 'name' in Point 1.

OpenLdap: it has the same issue of Point 1 like AD/Ldap, but it has no issue with Point 2.

Summary: Stripping out the attribute 'enabled' and making the cn=<attribute name> will fix the issue.

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1329891

Title:
  Keystone Not Able to Add Users to AD/Ldap and OpenLdap

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1329891/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
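The two points raised in the report above, as an added Python illustration that is neither Keystone code nor part of the bug report: a small routine assembles an LDAP add request from a user record the way the reporter describes it, with an attribute allow-list (so an attribute the directory schema lacks, 'enabled' here, is dropped instead of sent) and a selectable RDN source (so the DN from the trace, cn=<id>, and the DN the reporter asks for, cn=<name>, can both be produced). It also escapes the RDN value per RFC 4514, which is the check a practitioner would want whenever a client-supplied name ends up inside a DN. The attribute map, the `rdn_source` switch and the password-hash placeholder are assumptions of this example.

```python
# Added illustration, not Keystone code: assemble an LDAP add request for a
# user record with an attribute allow-list, a selectable RDN source, and
# RFC 4514 escaping of the RDN value so a user name can never smuggle an
# extra RDN component (e.g. ",cn=Admins") into the DN.

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value.
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value):
    """Escape an attribute value for use as the RDN part of a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                  # leading '#' means hex-encoded BER
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):   # leading/trailing spaces
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def to_ldap_value(value):
    """LDAP attribute values are strings; booleans become TRUE/FALSE."""
    if isinstance(value, bool):
        return 'TRUE' if value else 'FALSE'
    return str(value)


def build_add_request(values, tree_dn, rdn_attr='cn', rdn_source='name',
                      attribute_map=None, object_classes=('person', 'user')):
    """Return (dn, attrs, dropped) for an LDAP add of the user in `values`.

    rdn_source selects which key of `values` becomes the RDN: 'id' reproduces
    the DN seen in the report's trace, 'name' gives cn=<name>. attribute_map
    is an allow-list from value keys to directory attributes (the default map
    is an assumption of this example); keys not in it, such as 'enabled',
    are dropped and reported rather than sent. The 'id' key is never written
    as a directory attribute, matching what the report describes.
    """
    if attribute_map is None:
        attribute_map = {'name': 'cn', 'password': 'userPassword'}
    rdn_value = escape_rdn_value(to_ldap_value(values[rdn_source]))
    dn = '%s=%s,%s' % (rdn_attr, rdn_value, tree_dn)
    attrs = [('objectClass', list(object_classes))]
    dropped = []
    for key, value in values.items():
        if key == 'id':
            continue
        if key not in attribute_map:
            dropped.append(key)
            continue
        attrs.append((attribute_map[key], [to_ldap_value(value)]))
    return dn, attrs, dropped


# Constructed sample input: same shape as the report's debug dump, with a
# placeholder in place of the real password hash.
SAMPLE_VALUES = {
    'password': '{SSHA}<hash-placeholder>',
    'enabled': True,
    'id': '1c81387f5aea40329bc9f77c90109c66',
    'name': 'test7',
}
TREE_DN = 'cn=Users,dc=vlan44,dc=domain'

if __name__ == '__main__':
    for source in ('id', 'name'):
        dn, attrs, dropped = build_add_request(SAMPLE_VALUES, TREE_DN, rdn_source=source)
        print('rdn_source=%s -> dn=%s' % (source, dn))
        print('  attrs=%r' % attrs)
        print('  dropped=%r' % dropped)
    # A name carrying a DN separator stays a single RDN after escaping.
    print(build_add_request(dict(SAMPLE_VALUES, name='test7,cn=Admins'), TREE_DN)[0])
```

With rdn_source='id' the DN matches the one in the trace; with the default 'name' the DN is cn=test7,... and the cn attribute carries the same value, while 'enabled' is reported in `dropped` instead of reaching the directory.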