Bug 1153131

Summary: LDAP paged searches don't work with python-ldap 2.4
Product: [Community] RDO Reporter: Bruno Bompastor <b.bompastor>
Component: openstack-keystoneAssignee: Alan Pevec (Fedora) <apevec>
Status: CLOSED CURRENTRELEASE QA Contact: Udi Kalifon <ukalifon>
Severity: high Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: apevec, apevec, ayoung, b.bompastor, nkinder, yeylon
Target Milestone: ---   
Target Release: Juno   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1153695 (view as bug list) Environment:
Last Closed: 2015-03-19 22:52:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1153695    

Description Bruno Bompastor 2014-10-15 16:26:27 UTC 
Description of problem:

Keystone juno-rc2 needs python-ldap 2.3 for ldap identity. Centos7 comes with python-ldap 2.4

Version-Release number of selected component (if applicable):

- openstack-keystone.noarch                   2014.2-0.6rc2.el7.centos   @openstack-juno
- python-ldap.x86_64                          2.4.6-6.el7                @base
- CentOS 7


Steps to Reproduce:
1. Configure keystone to use ldap
2. keystone user-list

Actual results:

2014-10-15 18:01:42.877 7294 ERROR keystone.common.wsgi [-] 'module' object has no attribute 'LDAP_CONTROL_PAGE_OID'
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 223, in __call__
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     result = method(context, **params)
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/token/controllers.py", line 100, in authenticate
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     context, auth)
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/token/controllers.py", line 287, in _authenticate_local
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     username, CONF.identity.default_domain_id)
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 202, in wrapper
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 213, in wrapper
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 600, in get_user_by_name
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     ref = driver.get_user_by_name(user_name, domain_id)
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap.py", line 87, in get_user_by_name
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     return self.user.filter_attributes(self.user.get_by_name(user_name))
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1475, in get_by_name
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     res = self.get_all(query)
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1746, in get_all
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     return super(EnabledEmuMixIn, self).get_all(ldap_filter)
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1483, in get_all
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     for x in self._ldap_get_all(ldap_filter)]
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1445, in _ldap_get_all
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     attrs)
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 929, in search_s
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     filterstr, attrlist)
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 964, in _paged_search_s
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi     controlType=ldap.LDAP_CONTROL_PAGE_OID,
2014-10-15 18:01:42.877 7294 TRACE keystone.common.wsgi AttributeError: 'module' object has no attribute 'LDAP_CONTROL_PAGE_OID'


Expected results:

List of users.

Additional info:

I tried with python-ldap 2.3 and works.
Comment 1 Nathan Kinder 2014-10-15 21:13:57 UTC 
What does your Keystone LDAP configuration look like?  Also, what version of the 'openldap' package do you have installed?

This is working for me on a fresh install using a domain specific LDAP backend for identity (assignment in SQL):

[rhosuser@rhos ~]$ rpm -q openstack-keystone python-ldap openldap
openstack-keystone-2014.2-0.6rc2.el7.centos.noarch
python-ldap-2.4.6-6.el7.x86_64
openldap-2.4.39-3.el7.x86_64

[rhosuser@rhos ~(keystone_cloud_admin)]$ openstack user list --domain ipa
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| 08c8bb1b1b8efa7abea9a8eb73784c59e6fbd7283e864d341aaea7d45b42814e | admin    |
| 1f94e7038ecd141dfe1656aa56d89779a27dd8b7a6aca4863860a1d58ac168ab | keystone |
+------------------------------------------------------------------+----------+
Comment 2 Nathan Kinder 2014-10-15 21:30:32 UTC 
Ok, so this is indeed a problem.  Keystone needs some changes to allow it to work with the new way that paging works in python-ldap 2.4.
Comment 3 Nathan Kinder 2014-10-15 21:31:42 UTC 
An upstream bug was filed on this issue here:

  https://bugs.launchpad.net/keystone/+bug/1381768
Comment 4 Nathan Kinder 2014-10-15 22:51:01 UTC 
A fix has been proposed for this upstream (in master):

  https://review.openstack.org/128782

There should not be a problem with backporting this to Juno once it's accepted for master.
Comment 5 Bruno Bompastor 2014-10-16 08:10:53 UTC 
Great! Thanks.
Comment 6 Alan Pevec (Fedora) 2014-10-28 23:59:27 UTC 
http://pkgs.fedoraproject.org/cgit/openstack-keystone.git/commit/?id=7bf72c1557651328f1dc6c2bd41c748bbc2650ab
Comment 7 Udi Kalifon 2014-11-06 07:26:41 UTC 
This never happened to me with the default LDAP configurations I've been using. How do I recreate this bug? Did it ever happen in a version that was delivered to QE?
Comment 8 Nathan Kinder 2014-11-06 09:03:29 UTC 
(In reply to Udi from comment #7)
> This never happened to me with the default LDAP configurations I've been
> using. How do I recreate this bug? Did it ever happen in a version that was
> delivered to QE?

Yes, it should exist in versions that QE have tested.  You need to enable paging by setting 'page_size' to a value greater than '0' in the '[ldap]' section of keystone.conf and do an operation like 'keystone user-list' against an LDAP identity backend.  To reproduce, this would need to be done on a system using python-ldap 2.4.x.