Bug 1128916 - LDAP attributes mapped to None can cause 500 errors
Summary: LDAP attributes mapped to None can cause 500 errors
Keywords:
Status: CLOSED DUPLICATE of bug 1113534
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 5.0 (RHEL 7)
Hardware: All
OS: Linux
high
medium
Target Milestone: z2
: 5.0 (RHEL 7)
Assignee: Nathan Kinder
QA Contact: Udi
URL:
Whiteboard:
Depends On:
Blocks: 1128799
TreeView+ depends on / blocked
 
Reported: 2014-08-11 20:36 UTC by John Trowbridge
Modified: 2018-12-09 18:20 UTC (History)
4 users (show)

Fixed In Version: openstack-keystone-2014.1.3-1.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-08 23:05:20 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
OpenStack gerrit 113744 None None None Never
Launchpad 1335437 None None None Never

Description John Trowbridge 2014-08-11 20:36:07 UTC
Description of problem:

When LDAP is being used as a backend, attributes that are mapped to 'None' will trigger a 500 error if they are not also configured to be ignored. This can be easily reproduced by modifying the default config as follows:

-------------------------------------------------------------
# List of attributes stripped off the user on update. (list
# value)
#user_attribute_ignore=default_project_id,tenants
user_attribute_ignore=tenants

# LDAP attribute mapped to default_project_id for users.
# (string value)
#user_default_project_id_attribute=<None>
-------------------------------------------------------------

If you then perform a 'keystone user-list', it will trigger a 500 error:

-------------------------------------------------------------
[root@keystone ~(keystone_admin)]# keystone user-list
Authorization Failed: An unexpected error prevented the server from fulfilling your request. (HTTP 500)
-------------------------------------------------------------

The end of the stacktrace in keystone.log clearly shows the problem:

-------------------------------------------------------------
2014-06-28 06:23:36.366 21931 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 502, in _ldap_res_to_model
2014-06-28 06:23:36.366 21931 TRACE keystone.common.wsgi v = lower_res[self.attribute_mapping.get(k, k).lower()]
2014-06-28 06:23:36.366 21931 TRACE keystone.common.wsgi AttributeError: 'NoneType' object has no attribute 'lower'
-------------------------------------------------------------


Additional info:

nkinder's fix for this is merged upstream:
https://bugs.launchpad.net/keystone/+bug/1335437

This bugzilla is for backport to RHEL-OSP5.

Comment 1 Nathan Kinder 2014-08-13 01:41:51 UTC
I've proposed this as an upstream backport to stable/icehouse:

  https://review.openstack.org/#/c/113744/

Comment 2 Nathan Kinder 2014-08-18 19:10:15 UTC
This has been merged upstream for stable/icehouse.

Comment 4 Nathan Kinder 2014-10-08 23:02:17 UTC
This was included in the upstream 2014.1.3 Icehouse release.

Comment 5 Nathan Kinder 2014-10-08 23:05:20 UTC

*** This bug has been marked as a duplicate of bug 1113534 ***


Note You need to log in before you can comment on or make changes to this bug.