Bug 1073011 - with ldap.Identity token issuing fails with KeyError on user_ref['name']
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 5.0 (RHEL 7)
Assignee: Nathan Kinder
QA Contact: Udi Kalifon
Reported: 2014-03-05 15:35 UTC by Giulio Fidente
Modified: 2016-04-26 18:38 UTC (History)

Fixed In Version: openstack-keystone-2014.1-5.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the LDAP code in Identity was comparing attribute names by using string comparisons. Inconsistent capitalization caused the string comparisons to fail. As a result, two values that should have matched would not match, and binding the LDAP query results to the Python variables would fail with the error "KeyError on user_ref['name']". This has been fixed by doing attribute comparisons with all values forced to lowercase, so that attributes now match even if configuration values do not have consistent capitalization.
Last Closed: 2014-07-08 15:25:48 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1281216 | 0 | None | None | None | Never
OpenStack gerrit | 89898 | 0 | None | None | None | Never
Red Hat Product Errata | RHEA-2014:0854 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux OpenStack Platform Enhancement - Identity | 2014-07-08 19:22:33 UTC

Description Giulio Fidente 2014-03-05 15:35:11 UTC
Description of problem:
After configuring Keystone with the LDAP backend for Identity and the SQL backend for Assignments, user authentication fails with a trace in the logs reporting KeyError on user_ref['name'] (providers/uuid.py)

2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 238, in __call__
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi     result = method(context, **params)
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 127, in authenticate
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi     auth_token_data, roles_ref=roles_ref, catalog_ref=catalog_ref)
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 44, in _wrapper
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi     return f(*args, **kw)
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/uuid.py", line 364, in issue_v2_token
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi     token_ref, roles_ref, catalog_ref)
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/providers/uuid.py", line 59, in format_token
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi     'name': user_ref['name'],
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi KeyError: 'name'
2014-03-05 16:13:19.059 111440 TRACE keystone.common.wsgi 


Version-Release number of selected component (if applicable):
openstack-keystone-2013.2.2-1.el6ost.noarch


Notes:
The issue was found using Active Directory as the LDAP backend, in read-only mode, where user_id_attribute=cn and user_name_attribute=samaccountname

Comment 5 Nathan Kinder 2014-04-11 15:37:51 UTC
This is actually a Keystone bug, and it's not an invasive change.  I have a patch out for review upstream.  Once it is merged, we can work on getting it backported for Icehouse and RHEL OSP 5.0.

Comment 6 Nathan Kinder 2014-05-27 20:59:03 UTC
This has been merged upstream for stable/icehouse:

  https://review.openstack.org/#/c/89898/

Comment 16 errata-xmlrpc 2014-07-08 15:25:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0854.html
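
The failure mode in the Doc Text, reproduced as an added example (not Keystone's code and not the upstream patch): an exact-string attribute lookup drops the name field when the directory returns sAMAccountName but the configuration says samaccountname, while a lowercased lookup recovers it. All function names and the sample entry are hypothetical, and the explicit missing-attribute check is an addition that the bug report does not mention.

```python
# Added illustration, not Keystone source. Function names are hypothetical.

# Constructed sample: one search result as python-ldap would return its
# attributes, with Active Directory's schema casing for sAMAccountName.
AD_ENTRY = {
    "cn": [b"jdoe"],
    "sAMAccountName": [b"jdoe"],
    "mail": [b"jdoe@example.com"],
}

# Mapping derived from the settings quoted in the report:
# user_id_attribute=cn, user_name_attribute=samaccountname
ATTRIBUTE_MAPPING = {"id": "cn", "name": "samaccountname"}


def map_exact(attrs, mapping):
    """Case-sensitive lookup: a casing mismatch silently drops the field."""
    return {key: attrs[attr][0].decode()
            for key, attr in mapping.items() if attr in attrs}


def map_case_insensitive(attrs, mapping):
    """Lowercase both sides before comparing, as the Doc Text describes."""
    lowered = {name.lower(): values for name, values in attrs.items()}
    user_ref = {}
    for key, attr in mapping.items():
        values = lowered.get(attr.lower())
        if values:
            user_ref[key] = values[0].decode()
    missing = sorted(set(mapping) - set(user_ref))
    if missing:
        # Added check (assumption, not part of the fix): fail at the mapping
        # step with a clear message instead of a KeyError during token issue.
        raise ValueError("LDAP entry lacks mapped attributes: %s" % missing)
    return user_ref


def format_token_user(user_ref):
    """Stand-in for the token formatting step seen in the traceback."""
    return {"id": user_ref["id"], "name": user_ref["name"]}


if __name__ == "__main__":
    print(map_exact(AD_ENTRY, ATTRIBUTE_MAPPING))  # 'name' is absent
    print(format_token_user(map_case_insensitive(AD_ENTRY, ATTRIBUTE_MAPPING)))
```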

