Bug 1099628 - LDAP non-URL safe characters cause auth failure
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
4.0
All Linux
Priority: urgent / Severity: urgent
: z5
: 4.0
Assigned To: Nathan Kinder
Udi
: ZStream
Reported: 2014-05-20 15:09 EDT by Christopher J Suleski
Modified: 2018-02-08 05:16 EST (History)

Fixed In Version: openstack-keystone-2013.2.3-9.el6ost
Doc Type: Bug Fix
Doc Text:
When using an LDAP back end, the Identity service failed with a 'Bad search filter' error whenever a token request was made for a user whose ID contained a comma (for example, 'Doe, John'), whereas a user whose ID contained no comma ('John Doe') was granted tokens as expected. This was because the LDAP back-end code of the Identity service did not escape special characters when building search filters. This update adds the necessary escaping, so that the Identity service performs LDAP search operations correctly.
Last Closed: 2014-10-22 13:22:37 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1302106 None None None Never
Red Hat Product Errata RHSA-2014:1688 normal SHIPPED_LIVE Important: openstack-keystone security and bug fix update 2014-10-22 17:21:12 EDT
Description Christopher J Suleski 2014-05-20 15:09:50 EDT
Description of problem:

Quoting the upstream bug report, see the original for more details:

> An Openstack user attempting to integrate Keystone with AD 
> has reported that when his user contains a comma (full name 
> CN='Doe, John'), a 'Bad search filter' error is thrown. If 
> the full name CN is instead 'John Doe', authorization succeeds.

Version-Release number of selected component (if applicable):
2013.2.3-4.el6ost


Please backport the upstream patch.
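The Doc Text above attributes the 'Bad search filter' error to special characters that were interpolated into a search filter without escaping. The Python example below is added here and is neither keystone code nor part of this bug report: it reimplements the RFC 4515 value-escaping rule that python-ldap exposes as `ldap.filter.escape_filter_chars`, and it assumes the interpolated value is the user's DN in DN-escaped form (as shown in comment 15), where `\,` is valid DN syntax but not a valid filter escape. The `member`/`group` membership lookup is a hypothetical query used only for illustration.

```python
import re

# RFC 4515: these characters in an assertion value must be written as \XX
# (two hex digits); any other use of a backslash makes the filter malformed.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}
_BAD_ESCAPE = re.compile(r"\\(?![0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    Same rule as python-ldap's ldap.filter.escape_filter_chars.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unescaped(attr: str, value: str, objectclass: str) -> str:
    """Plain string interpolation: the defect this bug describes."""
    return "(&(objectClass=%s)(%s=%s))" % (objectclass, attr, value)


def build_filter_escaped(attr: str, value: str, objectclass: str) -> str:
    """The same filter with the value escaped: the fix."""
    return "(&(objectClass=%s)(%s=%s))" % (
        objectclass, attr, escape_filter_value(value))


def filter_escaping_is_valid(ldap_filter: str) -> bool:
    """True when every backslash is followed by two hex digits, which is the
    syntax check an LDAP server applies before reporting 'Bad search filter'."""
    return _BAD_ESCAPE.search(ldap_filter) is None


if __name__ == "__main__":
    # Constructed from the DN shown in comment 15: DN syntax escapes the comma
    # in the RDN as "\,", which is not a legal escape inside a filter.
    user_dn = "CN=Doe\\, John,CN=Users,DC=WIN2012DOM,DC=COM"
    # Hypothetical membership lookup using the user's DN as the assertion value.
    for label, builder in (("unescaped", build_filter_unescaped),
                           ("escaped", build_filter_escaped)):
        f = builder("member", user_dn, "group")
        print("%-9s valid=%-5s %s" % (label, filter_escaping_is_valid(f), f))
```

A plain ID such as 'Doe, John' passes through either builder unchanged, since a comma is not special in filter syntax; the failure only appears once the backslash from the DN-escaped form reaches the filter.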
Comment 9 John Fulton 2014-08-05 14:09:35 EDT
Has there been any progress on this bug?
Comment 10 Nathan Kinder 2014-08-05 14:22:48 EDT
(In reply to John Fulton from comment #9)
> Has there been any progress on this bug?

The issue is fixed in the code upstream and internally and will be in 4.0.z A5 (hence the POST status).
Comment 15 Udi 2014-10-14 10:54:14 EDT
Created this user:
# Doe\2C John, Users, WIN2012DOM.COM
dn: CN=Doe\, John,CN=Users,DC=WIN2012DOM,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Doe, John
sn: Doe
givenName: John
distinguishedName: CN=Doe\, John,CN=Users,DC=WIN2012DOM,DC=COM
instanceType: 4
whenCreated: 20141015003049.0Z
whenChanged: 20141015003656.0Z
displayName: Doe, John
uSNCreated: 12893
uSNChanged: 12900
name: Doe, John
objectGUID:: 5jUu9e+JVkK8gGjB6r52zw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130578066490943290
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAUEfhSGrUvXLKtVFDUgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: doe_john
sAMAccountType: 805306368
userPrincipalName: doe, john@WIN2012DOM.COM
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=WIN2012DOM,DC=COM
dSCorePropagationData: 20141015003049.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130578070168286802

keystone user-list
+---------------+---------------+---------+--------------------------+
|       id      |      name     | enabled |          email           |
+---------------+---------------+---------+--------------------------+
| Administrator | Administrator |   True  |                          |
|     Guest     |     Guest     |  False  |                          |
|   Doe, John   |    doe_john   |   True  | doe, john@WIN2012DOM.COM |
|     krbtgt    |     krbtgt    |  False  |                          |
|  Udi Kalifon  |    ukalifon   |   True  | ukalifon@WIN2012DOM.COM  |
+---------------+---------------+---------+--------------------------+

I was able to get a v2 and a v3 token, as well as create an rc file for this user and list the above user-list.
Comment 17 errata-xmlrpc 2014-10-22 13:22:37 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1688.html
