Bug 1130707 - LDAP backend fails when connecting to Active Directory root DN
Summary: LDAP backend fails when connecting to Active Directory root DN
Status: CLOSED DUPLICATE of bug 1093833
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 4.0
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Target Release: 5.0 (RHEL 7)
Assignee: Nathan Kinder
QA Contact: Udi
Depends On:
Reported: 2014-08-16 16:16 UTC by John Fulton
Modified: 2018-12-09 18:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-08-17 16:41:33 UTC


External Trackers:
System: Launchpad | ID: 1233365 | Priority: None | Status: None | Summary: None | Last Updated: Never

Description John Fulton 2014-08-16 16:16:40 UTC
Description of problem:

This is filed as upstream bug 1233365. A strategic customer has run into this problem and I'm requesting that it be back-ported to OSP4. The bug is described here:

The following is taken from the above bug report:

When using the LDAP backend and connecting to Active Directory, trying to use the root DN (dc=example,dc=com) as the user_tree_dn (or tenant/role_tree_dn) fails with "Authorization Failed: Unable to communicate with identity service: {"error": {"message": "An unexpected error prevented the server from fulfilling your request. {'info': '000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1', 'desc': 'Operations error'}", "code": 500, "title": "Internal Server Error"}}. (HTTP 500)".

This is because python-ldap chases all referrals with anonymous access, which is disabled by default in AD for security reasons. Adding a line in core.py under ldap.initialize to not chase referrals (self.conn.set_option(ldap.OPT_REFERRALS, 0)) gets around this error, but then we get "AttributeError: 'list' object has no attribute 'iteritems'" in search_s. This is because while the referrals aren't chased, they still show up in the results list. The keystone code can't seem to handle the format the referrals come in. I was able to work around this by adding an if statement before o.append to ignore the referral results (if type(dn) is not NoneType). I also added "from types import *" in the beginning of core.py.

I'm sure this isn't the best workaround for everybody, but in general I think there should be an option in keystone.conf to enable or disable chasing of referrals. If it is disabled, then the previous ldap option should be set and something should be done to remove the referrals from the results list.

If there is more information you need related to this, then please let me know and I will be happy to provide.
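
The workaround described in the report, as an added example that is not part of the bug report or of keystone's own code: python-ldap's search_s() returns a list of (dn, attrs) tuples, and when referral chasing is turned off (ldap.OPT_REFERRALS set to 0) Active Directory's referrals to other partitions still appear in that list, as entries whose dn is None and whose second element is a list of ldap:// URLs rather than an attribute dict. Keystone's loop over attrs.iteritems() trips on exactly those entries. The helper below splits the referral pseudo-entries from the real entries before anything iterates over the attributes; the sample result list is constructed for illustration, not captured from a real server, and the URL, bind DN and base DN passed to search_without_referrals() are placeholders the caller supplies.

```python
"""Drop AD referral pseudo-entries from python-ldap search results (added example)."""
from typing import Any, Dict, List, Optional, Tuple

# Shape of one element of the list returned by python-ldap's search_s():
#   ("CN=...,DC=example,DC=com", {"attr": [b"value", ...]})   a real entry
#   (None, ["ldap://host/DC=...,DC=example,DC=com", ...])     a referral
SearchResult = Tuple[Optional[str], Any]


def split_referrals(results: List[SearchResult]) -> Tuple[List[Tuple[str, Dict[str, List[bytes]]]], List[str]]:
    """Separate real directory entries from referral continuation references.

    With OPT_REFERRALS=0 the client does not follow referrals, but the server
    still returns them in the result set. Their dn is None and the second
    element is a list of URLs, so calling .iteritems()/.items() on it raises
    AttributeError, which is the failure the bug report describes.
    """
    entries = []
    referrals = []
    for dn, attrs in results:
        if dn is None:
            # Referral: attrs is a list of ldap:// URLs, not an attribute dict.
            referrals.extend(attrs)
        else:
            entries.append((dn, attrs))
    return entries, referrals


# Constructed sample of what a root-DN subtree search against AD can return
# when referral chasing is disabled; the hostnames and DNs are made up.
SAMPLE_RESULTS: List[SearchResult] = [
    ("CN=Alice,CN=Users,DC=example,DC=com", {"sAMAccountName": [b"alice"]}),
    (None, ["ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"]),
    ("CN=Bob,CN=Users,DC=example,DC=com", {"sAMAccountName": [b"bob"]}),
    (None, ["ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com"]),
]


def search_without_referrals(url: str, bind_dn: str, bind_pw: str,
                             base_dn: str, ldap_filter: str):
    """Bind, disable referral chasing, search, and strip referral entries.

    Requires python-ldap. The import is local so split_referrals() above can
    be used and tested without the library installed. All connection
    parameters are supplied by the caller (placeholders, not real servers).
    """
    import ldap  # python-ldap

    conn = ldap.initialize(url)
    # Do not chase referrals: python-ldap follows them with an anonymous bind,
    # which AD rejects with "000004DC ... a successful bind must be completed".
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.simple_bind_s(bind_dn, bind_pw)
    try:
        raw = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, ldap_filter)
    finally:
        conn.unbind_s()
    return split_referrals(raw)


if __name__ == "__main__":
    found, skipped = split_referrals(SAMPLE_RESULTS)
    print("entries:", [dn for dn, _ in found])
    print("referrals skipped:", skipped)
```

Checking `dn is None` is enough to recognise a referral entry; there is no need for the `type(dn) is not NoneType` / `from types import *` construction mentioned in the report. Keeping the referral URLs instead of silently discarding them is also useful for logging, since a search of the forest root that returns only referrals usually means the user_tree_dn points above the naming context that actually holds the accounts.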
