Bug 1073011

Summary: with ldap.Identity token issuing fails with KeyError on user_ref['name']
Product: Red Hat OpenStack
Reporter: Giulio Fidente <gfidente>
Component: openstack-keystone
Assignee: Nathan Kinder <nkinder>
Status: CLOSED ERRATA
QA Contact: Udi Kalifon <ukalifon>
Severity: unspecified
Priority: unspecified
Version: 4.0
CC: aberezin, ajeain, apevec, ayoung, breeler, nkinder, yeylon
Target Milestone: rc
Target Release: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-keystone-2014.1-5.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the LDAP code in Identity compared attribute names using string comparisons. Inconsistent capitalization caused the string comparisons to fail. As a result, two values that should have matched would not match, and binding the LDAP query results to the Python variables would fail with the error "KeyError on user_ref['name']". This has been fixed by doing attribute comparisons with all values forced to lowercase, so that attributes now match even if configuration values do not have consistent capitalization.
Last Closed: 2014-07-08 15:25:48 UTC
Type: Bug

Description Giulio Fidente 2014-03-05 15:35:11 UTC
Description of problem:
After configuring keystone with the LDAP backend for Identity and the SQL backend for Assignments, user authentication fails with a trace in the logs reporting KeyError on user_ref['name'] (providers/uuid.py):

2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 238, in __call__
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi     result = method(context, **params)
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 127, in authenticate
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi     auth_token_data, roles_ref=roles_ref, catalog_ref=catalog_ref)
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 44, in _wrapper
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi     return f(*args, **kw)
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/uuid.py", line 364, in issue_v2_token
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi     token_ref, roles_ref, catalog_ref)
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/uuid.py", line 59, in format_token
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi     'name': user_ref['name'],
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi KeyError: 'name'
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi 


Version-Release number of selected component (if applicable):
openstack-keystone-2013.2.2-1.el6ost.noarch


Notes:
The issue was found using Active Directory as the LDAP backend, in read-only mode, where user_id_attribute=cn and user_name_attribute=samaccountname.
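
The failure mode from the Doc Text, reproduced with the attribute settings from this report, as an added example that is not part of the original report and is not Keystone's own code. The function names, the sample directory entry and the "sAMAccountName" casing returned by the directory are assumptions made for illustration.

```python
# Constructed sample: one search result in the (dn, attrs) shape that
# python-ldap returns. The directory is assumed to report the attribute
# in mixed case, while the configuration spells it in lowercase.
SAMPLE_ENTRY = (
    "CN=jdoe,CN=Users,DC=example,DC=test",
    {"cn": ["jdoe"], "sAMAccountName": ["jdoe"], "mail": ["jdoe@example.test"]},
)

# Mapping from the report: user_id_attribute=cn,
# user_name_attribute=samaccountname.
ATTRIBUTE_MAPPING = {"id": "cn", "name": "samaccountname"}


def to_user_ref_exact(entry, mapping):
    """Case-sensitive lookup: silently drops attributes whose case differs."""
    _dn, attrs = entry
    ref = {}
    for key, ldap_attr in mapping.items():
        if ldap_attr in attrs:
            ref[key] = attrs[ldap_attr][0]
    return ref


def to_user_ref_casefolded(entry, mapping):
    """Lowercase both sides before comparing, as the Doc Text describes."""
    _dn, attrs = entry
    lowered = {name.lower(): values for name, values in attrs.items()}
    ref = {}
    for key, ldap_attr in mapping.items():
        values = lowered.get(ldap_attr.lower())
        if values:
            ref[key] = values[0]
    return ref


def format_token_user(user_ref):
    """Hypothetical stand-in for a token formatter reading user_ref['name']."""
    return {"id": user_ref["id"], "name": user_ref["name"]}


if __name__ == "__main__":
    try:
        format_token_user(to_user_ref_exact(SAMPLE_ENTRY, ATTRIBUTE_MAPPING))
    except KeyError as exc:
        print("exact match fails with KeyError:", exc)
    fixed = to_user_ref_casefolded(SAMPLE_ENTRY, ATTRIBUTE_MAPPING)
    print("casefolded match:", format_token_user(fixed))
```

The exact-match variant returns a user reference without a "name" key and only fails later, at token formatting, which is why the trace points at the token provider rather than at the LDAP code.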

Comment 5 Nathan Kinder 2014-04-11 15:37:51 UTC
This is actually a Keystone bug, and it's not an invasive change.  I have a patch out for review upstream.  Once it is merged, we can work on getting it backported for Icehouse and RHEL OSP 5.0.

Comment 6 Nathan Kinder 2014-05-27 20:59:03 UTC
This has been merged upstream for stable/icehouse:

  https://review.openstack.org/#/c/89898/

Comment 16 errata-xmlrpc 2014-07-08 15:25:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0854.html