Bug 1286786

Summary: Keystone v3 user/tenant lookup by name via OpenStack CLI client fails
Product: Red Hat OpenStack Reporter: Pablo Caruana <pcaruana>
Component: openstack-keystoneAssignee: Adam Young <ayoung>
Status: CLOSED ERRATA QA Contact: Mike Abrams <mabrams>
Severity: urgent Docs Contact:
Priority: high    
Version: 7.0 (Kilo)CC: ayoung, dmaley, mlopes, nkinder, yeylon
Target Milestone: asyncKeywords: Triaged, ZStream
Target Release: 7.0 (Kilo)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-keystone-2015.1.2-2.el7ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-21 17:01:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pablo Caruana 2015-11-30 18:00:55 UTC 
Description of problem:

When using the openstack CLI client to look up users/tenants by name (e.g., openstack user show admin or openstack openstack project show AdminTenant), it fails with a 500 and the following traceback:

2015-11-30 08:04:50.333 25102 DEBUG keystone.common.controller [-] RBAC: Authorization granted wrapper /usr/lib/python2.7/site-packages/keystone/common/controller.py:203
2015-11-30 08:04:50.333 25102 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://ad.example.com _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:576
2015-11-30 08:04:50.333 25102 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:580
2015-11-30 08:04:50.333 25102 DEBUG keystone.common.ldap.core [-] LDAP bind: who=adm_vmdeploy.com  simple_bind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:896
2015-11-30 08:04:50.357 25102 DEBUG keystone.common.ldap.core [-] LDAP search: base=OU=BusinessUnits,DC=ad,DC=example.com,DC=pri scope=2 filterstr=(&(&None(cn=35842))(objectClass=person)) attrs=['', 'userAccountControl', 'cn', 'mail'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:931
2015-11-30 08:04:50.357 25102 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:904
2015-11-30 08:04:50.357 25102 ERROR keystone.common.wsgi [-] {'desc': 'Bad search filter'}
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 239, in __call__
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     result = method(context, **params)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 206, in wrapper
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return f(self, context, filters, **kwargs)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/controllers.py", line 223, in list_users
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     hints=hints)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 52, in wrapper
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 342, in wrapper
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 353, in wrapper
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 791, in list_users
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     ref_list = driver.list_users(hints)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap.py", line 82, in list_users
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return self.user.get_all_filtered(hints)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap.py", line 269, in get_all_filtered
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return [self.filter_attributes(user) for user in self.get_all(query)]
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1869, in get_all
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return super(EnabledEmuMixIn, self).get_all(ldap_filter)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1505, in get_all
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     for x in self._ldap_get_all(ldap_filter)]
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1467, in _ldap_get_all
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     attrs)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 944, in search_s
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     attrlist_utf8, attrsonly)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 640, in wrapper
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return func(self, conn, *args, **kwargs)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 770, in search_s
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     attrsonly)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 552, in search_s
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 876, in search_ext_s
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 818, in _apply_method_s
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     return func(self,*args,**kwargs)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 545, in search_ext_s
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 541, in search_ext
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     timeout,sizelimit,
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi     result = func(*args,**kwargs)
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi FILTER_ERROR: {'desc': 'Bad search filter'}
2015-11-30 08:04:50.357 25102 TRACE keystone.common.wsgi
2015-11-30 08:04:50.360 25102 INFO eventlet.wsgi.server [-] 10.239.152.105 - - [30/Nov/2015 08:04:50] "GET /v3/users?domain_id=09eb9e5e089943388d376a9df86b6197&name=35842 HTTP/1.1" 500 459 0.035700
Version-Release number of selected component (if applicable):

Keystone 2015.1.1  what comes within the osp 7.1 overcloud full image

How reproducible:

[stack@rhos ~(keystone_v3_admin)]$ openstack user show --domain AD 35842
ERROR: openstack An unexpected error prevented the server from fulfilling your request: {'desc': 'Bad search filter'} (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-415f93a6-1b57-44c7-a289-9913a59c7ebc)
[stack@rhos ~(keystone_v3_admin)]$


When manually applying the source change https://git.openstack.org/cgit/openstack/keystone/commit/?id=2c6db4a3bb9e1718744b0e5b03af050fd2866182 as described in the Upstream bugtracker https://bugs.launchpad.net/keystone/+bug/1454309 this issue goes away
Comment 11 errata-xmlrpc 2015-12-21 17:01:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:2682