Bug 1128916 - LDAP attributes mapped to None can cause 500 errors
Summary: LDAP attributes mapped to None can cause 500 errors
Status: CLOSED DUPLICATE of bug 1113534
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 5.0 (RHEL 7)
Hardware: All
OS: Linux
Target Milestone: z2
: 5.0 (RHEL 7)
Assignee: Nathan Kinder
QA Contact: Udi
Depends On:
Blocks: 1128799
TreeView+ depends on / blocked
Reported: 2014-08-11 20:36 UTC by John Trowbridge
Modified: 2018-12-09 18:20 UTC (History)
4 users (show)

Fixed In Version: openstack-keystone-2014.1.3-1.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-10-08 23:05:20 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
OpenStack gerrit 113744 None None None Never
Launchpad 1335437 None None None Never

Description John Trowbridge 2014-08-11 20:36:07 UTC
Description of problem:

When LDAP is being used as a backend, attributes that are mapped to 'None' will trigger a 500 error if they are not also configured to be ignored. This can be easily reproduced by modifying the default config as follows:

# List of attributes stripped off the user on update. (list
# value)

# LDAP attribute mapped to default_project_id for users.
# (string value)

If you then perform a 'keystone user-list', it will trigger a 500 error:

[root@keystone ~(keystone_admin)]# keystone user-list
Authorization Failed: An unexpected error prevented the server from fulfilling your request. (HTTP 500)

The end of the stacktrace in keystone.log clearly shows the problem:

2014-06-28 06:23:36.366 21931 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 502, in _ldap_res_to_model
2014-06-28 06:23:36.366 21931 TRACE keystone.common.wsgi v = lower_res[self.attribute_mapping.get(k, k).lower()]
2014-06-28 06:23:36.366 21931 TRACE keystone.common.wsgi AttributeError: 'NoneType' object has no attribute 'lower'

Additional info:

nkinder's fix for this is merged upstream:

This bugzilla is for backport to RHEL-OSP5.

Comment 1 Nathan Kinder 2014-08-13 01:41:51 UTC
I've proposed this as an upstream backport to stable/icehouse:


Comment 2 Nathan Kinder 2014-08-18 19:10:15 UTC
This has been merged upstream for stable/icehouse.

Comment 4 Nathan Kinder 2014-10-08 23:02:17 UTC
This was included in the upstream 2014.1.3 Icehouse release.

Comment 5 Nathan Kinder 2014-10-08 23:05:20 UTC

*** This bug has been marked as a duplicate of bug 1113534 ***

Note You need to log in before you can comment on or make changes to this bug.