Public bug reported:

When issuing the "openstack user list --group <group_name> --domain <domain>" command on a domain associated with OpenLDAP, an incorrect LDAP query is composed and openstack-keystone reports error HTTP 500.
OpenLDAP is running on a CentOS 7 host.
OpenStack keystone release is Liberty running on a CentOS 7 host.

OpenLDAP version:
  OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12)
openstack v: 1.7.2

Keystone log when issuing the command:

  LDAP search: base=cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain scope=0 filterstr=(objectClass=posixGroup) attrs=['memberUid'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:934

When translating the query to ldapsearch, it returns no results:

  ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain -s one -W -x -b cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain "(objectClass=posixGroup)"

But with a scope option as subtree, it works fine:

  ldapsearch -H ldap://<openldapserver> -D cn=Manager,dc=<domain>,dc=localdomain -s sub -W -x -b cn=Cloudmembers,ou=Group,dc=<domain>,dc=localdomain "(objectClass=posixGroup)"

So the bug is the scope=0 option parsed by keystone, though the query_scope option in the domain config file is set to sub.

** Affects: keystone
     Importance: Undecided
         Status: New

** Tags: keystone liberty openldap

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1546040

Title:
  Group membership lookup failed with error HTTP 500

Status in OpenStack Identity (keystone):
  New