** Also affects: keystone/icehouse
Importance: Undecided
Status: New
** Also affects: keystone/kilo
Importance: High
Assignee: Steve Martinelli (stevemar)
Status: In Progress
** Also affects: keystone/juno
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1396763
Title:
user id beginning with 0 cannot authenticate through ldap
Status in OpenStack Identity (Keystone):
In Progress
Status in Keystone icehouse series:
New
Status in Keystone juno series:
New
Status in Keystone kilo series:
In Progress
Bug description:
In the case where the [ldap] user_id_attribute = uid
Lets say a user attempts to authenticate with steve...@example.com,
and the UID returned is 01234567.
The following log entries show that the leading 0 is dropped:
keystone.common.ldap.core [-] LDAP search: base=o=example.com scope=2
filterstr=(&(emailAddress=steve...@example.com)(objectClass=person))
attrs=['emailAddress', 'userPassword', 'enabled', 'uid'] attrsonly=0 search_s
/opt/stack/keystone/keystone/common/ldap/core.py:926
keystone.common.ldap.core [-] LDAP unbind unbind_s
/opt/stack/keystone/keystone/common/ldap/core.py:899
keystone.identity.core [-] ID Mapping - Domain ID: default, Default Driver:
True, Domains: False, UUIDs: False, Compatible IDs: True
_set_domain_id_and_mapping /opt/stack/keystone/keystone/identity/core.py:321
keystone.identity.core [-] Local ID: 1234567
_set_domain_id_and_mapping_for_single_ref
/opt/stack/keystone/keystone/identity/core.py:339
keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None
tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization
/opt/stack/keystone/keystone/common/ldap/core.py:575
** here is where the leading 0 is dropped **
keystone.common.ldap.core [-] LDAP search: base=o=example.com scope=2
filterstr=(&(uid=1234567)(objectClass=person)) attrs=['emailAddress',
'userPassword', 'enabled', 'uid'] attrsonly=0 search_s
/opt/stack/keystone/keystone/common/ldap/core.py:926
keystone.common.ldap.core [-] LDAP unbind unbind_s
/opt/stack/keystone/keystone/common/ldap/core.py:899
keystone.common.wsgi [-] Authorization failed. Invalid username or password
(Disable debug mode to suppress these details.)
The main code in question is the following in keystone.common.ldap.core.py
https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L110-L128
try:
return LDAP_VALUES[val]
except KeyError:
pass
try:
return int(val)
except ValueError:
pass
return utf8_decode(val)
Where we attempt to convert all fields to int, and if it fails proceed
to string.
On a semi-related note: the PyCADF library explicitly expects user_ids
to be strings, so I had to add str() to user_id in the
_get_request_audit_info function, in notifications.py:
initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, name=user_id,
host=host)
to
initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER,
name=str(user_id), host=host)
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1396763/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
