Bug 1130707

Summary: LDAP backend fails when connecting to Active Directory root DN
Product: Red Hat OpenStack
Reporter: John Fulton <johfulto>
Component: openstack-keystone
Assignee: Nathan Kinder <nkinder>
Status: CLOSED DUPLICATE
QA Contact: Udi Kalifon <ukalifon>
Severity: high
Priority: unspecified
Version: 4.0
CC: ayoung, yeylon
Target Milestone: ---
Target Release: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-08-17 16:41:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description John Fulton 2014-08-16 16:16:40 UTC
Description of problem:

This is filed as upstream bug 1233365. A strategic customer has run into this problem and I'm requesting that it be back-ported to OSP4. The bug is described here:

The following is taken from the above bug report:

When using the LDAP backend and connecting to Active Directory, trying to use the root DN (dc=example,dc=com) as the user_tree_dn (or tenant/role_tree_dn) fails with "Authorization Failed: Unable to communicate with identity service: {"error": {"message": "An unexpected error prevented the server from fulfilling your request. {'info': '000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1', 'desc': 'Operations error'}", "code": 500, "title": "Internal Server Error"}}. (HTTP 500)".

This is because python-ldap chases all referrals with anonymous access, which is disabled by default in AD for security reasons. Adding a line in core.py under ldap.initialize to not chase referrals (self.conn.set_option(ldap.OPT_REFERRALS, 0)) gets around this error, but then we get "AttributeError: 'list' object has no attribute 'iteritems'" in search_s. This is because, while the referrals aren't chased, they still show up in the results list. The keystone code can't seem to handle the format the referrals come in. I was able to work around this by adding an if statement before o.append to ignore the referral results (if type(dn) is not NoneType). I also added "from types import *" at the beginning of core.py.

I'm sure this isn't the best workaround for everybody, but in general I think there should be an option in keystone.conf to enable or disable chasing of referrals. If it is disabled, then the previous ldap option should be set and something should be done to remove the referrals from the results list.

If there is more information you need related to this, then please let me know and I will be happy to provide.
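The filtering step described in the report, written out as an added example (not keystone's or python-ldap's own code): once referral chasing is disabled, each referral still comes back from search_s as a tuple whose DN is None and whose second element is a list of ldap:// URLs rather than an attribute dict. That tuple shape is assumed here, and the sample results are constructed to mimic an AD search against the root DN.

```python
"""Separate real LDAP entries from referral placeholders left in search results.

Assumption (from python-ldap behaviour, not verified against a live AD here):
with ``conn.set_option(ldap.OPT_REFERRALS, 0)`` the server's referrals are not
followed, but each one still appears in the ``search_s`` result list as
``(None, ['ldap://...'])``. Feeding that list-shaped payload to code that
expects an attribute dict is what produced the AttributeError in the report.
"""


def split_search_results(results):
    """Return (entries, referral_urls) from a raw search_s result list.

    ``entries`` holds (dn, attrs) tuples with attribute values decoded to text;
    ``referral_urls`` collects every URL the server handed back instead of an
    entry, so a caller can log them rather than crash on them or chase them
    anonymously.
    """
    entries = []
    referral_urls = []
    for dn, payload in results:
        if dn is None:
            # Referral placeholder: payload is a list of ldap:// URLs.
            referral_urls.extend(payload if isinstance(payload, list) else [])
            continue
        if not isinstance(payload, dict):
            raise TypeError("unexpected payload for %r: %r" % (dn, payload))
        # python-ldap returns attribute values as lists of bytes; normalise.
        attrs = {k: [v.decode("utf-8") if isinstance(v, bytes) else v for v in vals]
                 for k, vals in payload.items()}
        entries.append((dn, attrs))
    return entries, referral_urls


# Constructed sample: two user entries plus the two referrals AD typically
# returns for a subtree search rooted at dc=example,dc=com.
SAMPLE_RESULTS = [
    ("CN=alice,CN=Users,DC=example,DC=com",
     {"cn": [b"alice"], "mail": [b"alice@example.com"]}),
    (None, ["ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"]),
    ("CN=bob,CN=Users,DC=example,DC=com", {"cn": [b"bob"]}),
    (None, ["ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com"]),
]

if __name__ == "__main__":
    found, skipped = split_search_results(SAMPLE_RESULTS)
    print("%d entries, %d referrals ignored" % (len(found), len(skipped)))
    for url in skipped:
        print("referral not chased:", url)
```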