Bug 1099628 - LDAP non-URL safe characters cause auth failure
Summary: LDAP non-URL safe characters cause auth failure
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 4.0
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: z5
Target Release: 4.0
Assignee: Nathan Kinder
QA Contact: Udi Kalifon
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-05-20 19:09 UTC by Christopher J Suleski
Modified: 2022-07-09 07:06 UTC (History)

Fixed In Version: openstack-keystone-2013.2.3-9.el6ost
Doc Type: Bug Fix
Doc Text:
When using an LDAP back end, the Identity service failed with a 'Bad search filter' error whenever a token request was made for a user whose ID contained a comma (for example, 'Doe, John'). If the user's ID contained no comma ('John Doe'), the Identity service granted token requests as expected. This was because the LDAP back end code of the Identity service did not properly escape special characters when creating search filters. This update adds the necessary escaping, so the Identity service now performs LDAP search operations correctly for such IDs.
Clone Of:
Environment:
Last Closed: 2014-10-22 17:22:37 UTC
Target Upstream Version:
Embargoed:




Links
Launchpad 1302106 (last updated: never)
Red Hat Issue Tracker OSP-16515 (last updated 2022-07-09 07:06:51 UTC)
Red Hat Product Errata RHSA-2014:1688, normal, SHIPPED_LIVE: Important: openstack-keystone security and bug fix update (last updated 2014-10-22 21:21:12 UTC)

Description Christopher J Suleski 2014-05-20 19:09:50 UTC
Description of problem:

Quoting the upstream bug report, see the original for more details:

> An Openstack user attempting to integrate Keystone with AD
> has reported that when his user contains a comma (full name
> CN='Doe, John'), a 'Bad search filter' error is thrown. If
> the full name CN is instead 'John Doe', authorization succeeds.

Version-Release number of selected component (if applicable):
2013.2.3-4.el6ost


Please backport the upstream patch.
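The Doc Text above attributes the failure to search filters being built without escaping. The following is an added example, not Keystone's own code, showing the two escaping rules that matter here: RFC 4514 escaping for a value placed in a DN (which turns the comma into `\,`, as in the DN shown in comment 15) and RFC 4515 escaping for a value placed in a search filter (where a comma needs no escaping but `*`, `(`, `)`, `\` and NUL must become `\XX` hex). The attribute name `cn`, the `objectClass=user` clause and the tree DN are assumptions taken from the test entry below, and the filter-validity check only covers the backslash rule.

```python
# Added example (not Keystone's code): RFC 4515 filter escaping versus
# RFC 4514 DN escaping for an LDAP user lookup. The id attribute, the
# objectClass clause and the tree DN are assumed, hypothetical values.
import re

ID_ATTR = "cn"                               # assumed id attribute
TREE_DN = "CN=Users,DC=WIN2012DOM,DC=COM"    # tree DN from the test entry


def escape_filter_value(value):
    """RFC 4515: *, (, ), \\ and NUL inside an assertion value become \\XX hex."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch)
    return "".join(out)


def escape_dn_value(value):
    """RFC 4514: backslash-escape the characters special in an RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = (ch in ',+"\\<>;'
                   or (ch == "#" and i == 0)
                   or (ch == " " and i in (0, last)))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def user_dn(user_id):
    """DN of the user entry: the comma in 'Doe, John' must be DN-escaped."""
    return "%s=%s,%s" % (ID_ATTR, escape_dn_value(user_id), TREE_DN)


def user_filter(user_id):
    """Search filter for the same user: the comma is left alone here."""
    return "(&(%s=%s)(objectClass=user))" % (ID_ATTR, escape_filter_value(user_id))


# In a filter, a backslash is only legal when followed by two hex digits,
# so DN-style escaping ('Doe\, John') reused in a filter is a bad filter.
_BAD_ESCAPE = re.compile(r"\\(?![0-9a-fA-F]{2})")


def is_valid_filter_value(value):
    """True if every backslash in the assertion value is an RFC 4515 \\XX escape."""
    return _BAD_ESCAPE.search(value) is None
```

Running the two escapers on the same ID makes the point: `user_dn("Doe, John")` yields `cn=Doe\, John,...`, while `user_filter("Doe, John")` keeps the comma literal, and the DN-escaped form fails `is_valid_filter_value`.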

Comment 9 John Fulton 2014-08-05 18:09:35 UTC
Has there been any progress on this bug?

Comment 10 Nathan Kinder 2014-08-05 18:22:48 UTC
(In reply to John Fulton from comment #9)
> Has there been any progress on this bug?

The issue is fixed in the code upstream and internally and will be in 4.0.z A5 (hence the POST status).

Comment 15 Udi Kalifon 2014-10-14 14:54:14 UTC
Created this user:
# Doe\2C John, Users, WIN2012DOM.COM
dn: CN=Doe\, John,CN=Users,DC=WIN2012DOM,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Doe, John
sn: Doe
givenName: John
distinguishedName: CN=Doe\, John,CN=Users,DC=WIN2012DOM,DC=COM
instanceType: 4
whenCreated: 20141015003049.0Z
whenChanged: 20141015003656.0Z
displayName: Doe, John
uSNCreated: 12893
uSNChanged: 12900
name: Doe, John
objectGUID:: 5jUu9e+JVkK8gGjB6r52zw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130578066490943290
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAUEfhSGrUvXLKtVFDUgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: doe_john
sAMAccountType: 805306368
userPrincipalName: doe, john
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=WIN2012DOM,DC=COM
dSCorePropagationData: 20141015003049.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130578070168286802

keystone user-list
+---------------+---------------+---------+--------------------------+
|       id      |      name     | enabled |          email           |
+---------------+---------------+---------+--------------------------+
| Administrator | Administrator |   True  |                          |
|     Guest     |     Guest     |  False  |                          |
|   Doe, John   |    doe_john   |   True  |        doe, john         |
|     krbtgt    |     krbtgt    |  False  |                          |
|  Udi Kalifon  |    ukalifon   |   True  |         ukalifon         |
+---------------+---------------+---------+--------------------------+

I was able to get a v2 and a v3 token, as well as create an rc file for this user and list the above user-list.

Comment 17 errata-xmlrpc 2014-10-22 17:22:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1688.html

