Bug 1099628
Summary: | LDAP non-URL safe characters cause auth failure | | |
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Christopher J Suleski <csuleski> |
Component: | openstack-keystone | Assignee: | Nathan Kinder <nkinder> |
Status: | CLOSED ERRATA | QA Contact: | Udi Kalifon <ukalifon> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | 4.0 | CC: | apevec, ayoung, csuleski, ddomingo, dmaley, johfulto, msolberg, nkinder, rbalakri, yeylon |
Target Milestone: | z5 | Keywords: | ZStream |
Target Release: | 4.0 | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | openstack-keystone-2013.2.3-9.el6ost | Doc Type: | Bug Fix |
Doc Text: | When using an LDAP back end, the Identity service failed with a 'Bad search filter' error whenever a token request was made for a user whose ID contained a comma (for example, 'Doe, John'). However, if the user's ID contained no comma ('John Doe'), the Identity service granted token requests as expected. This was because the LDAP back end code of the Identity server did not properly escape special characters when creating search filters. This update adds the necessary escaping, thereby allowing the Identity server to perform LDAP search operations correctly. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2014-10-22 17:22:37 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description of problem:

Quoting the upstream bug report, see the original for more details:

> An Openstack user attempting to integrate Keystone with AD
> has reported that when his user contains a comma (full name
> CN='Doe, John'), a 'Bad search filter' error is thrown. If
> the full name CN is instead 'John Doe', authorization succeeds.

Version-Release number of selected component (if applicable): 2013.2.3-4.el6ost

Please backport the upstream patch.

Comment #9 (John Fulton):

Has there been any progress on this bug?

(In reply to John Fulton from comment #9)
> Has there been any progress on this bug?

The issue is fixed in the code upstream and internally and will be in 4.0.z A5 (hence the POST status).

Created this user:

```
# Doe\2C John, Users, WIN2012DOM.COM
dn: CN=Doe\, John,CN=Users,DC=WIN2012DOM,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Doe, John
sn: Doe
givenName: John
distinguishedName: CN=Doe\, John,CN=Users,DC=WIN2012DOM,DC=COM
instanceType: 4
whenCreated: 20141015003049.0Z
whenChanged: 20141015003656.0Z
displayName: Doe, John
uSNCreated: 12893
uSNChanged: 12900
name: Doe, John
objectGUID:: 5jUu9e+JVkK8gGjB6r52zw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130578066490943290
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAUEfhSGrUvXLKtVFDUgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: doe_john
sAMAccountType: 805306368
userPrincipalName: doe, john
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=WIN2012DOM,DC=COM
dSCorePropagationData: 20141015003049.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130578070168286802
```

keystone user-list:

```
+---------------+---------------+---------+--------------------------+
| id            | name          | enabled | email                    |
+---------------+---------------+---------+--------------------------+
| Administrator | Administrator | True    |                          |
| Guest         | Guest         | False   |                          |
| Doe, John     | doe_john      | True    | doe, john                |
| krbtgt        | krbtgt        | False   |                          |
| Udi Kalifon   | ukalifon      | True    | ukalifon                 |
+---------------+---------------+---------+--------------------------+
```

I was able to get a v2 and a v3 token, as well as create an rc file for this user and list the above user-list.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1688.html
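To show the mechanism behind the fix, here is an added example (not keystone's own code) that builds a single equality filter the defective way and the escaped way per RFC 4515 and runs a syntax check on each. A bare comma is legal inside a filter value, so the example assumes, as the `CN=Doe\, John` DN in the LDIF above suggests, that the value reaching the filter builder carried its DN backslash escaping; the escaping helpers and the syntax check are simplified reimplementations, not python-ldap's.

```python
# Added example, not keystone's code: RFC 4515 filter escaping versus raw
# string interpolation, plus a syntax check approximating "Bad search filter".
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a raw attribute value for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value):
    """RFC 4514 escaping of an attribute value inside a DN: comma and friends
    get a backslash prefix, which is how 'Doe, John' becomes 'Doe\\, John'."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in ',+"\\<>;' or leading or trailing else ch)
    return "".join(out)

def build_filter_unescaped(attr, value):
    """The defective pattern: the value is interpolated into the filter as-is."""
    return "(%s=%s)" % (attr, value)

def build_filter(attr, value):
    """The fixed pattern: escape the assertion value before interpolation."""
    return "(%s=%s)" % (attr, escape_filter_value(value))

_HEX_ESCAPE = re.compile(r"\\[0-9A-Fa-f]{2}")

def filter_is_well_formed(flt):
    """Approximate a server's check of one equality filter: a single balanced
    (attr=value) pair whose every backslash starts a two-hex-digit escape."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)", flt)
    if not m:
        return False
    rest = _HEX_ESCAPE.sub("", m.group(2))
    return not any(ch in rest for ch in "\\()")

if __name__ == "__main__":
    # Constructed sample values modelled on the LDIF in the verification comment.
    dn_form = escape_dn_value("Doe, John")          # 'Doe\, John'
    for uid in ("Doe, John", dn_form, "Doe (John)"):
        bad, good = build_filter_unescaped("cn", uid), build_filter("cn", uid)
        print("%-14r raw: %-24s ok=%s" % (uid, bad, filter_is_well_formed(bad)))
        print("%-14r esc: %-24s ok=%s" % (uid, good, filter_is_well_formed(good)))
```

Escaping makes the filter syntactically valid; whether it then matches the entry still depends on feeding the raw value ('Doe, John') rather than the DN-escaped form, so value selection and filter escaping are separate steps.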