Bug 1138684 - Keystone LDAP identity driver crashes on binary attributes
Summary: Keystone LDAP identity driver crashes on binary attributes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 5.0 (RHEL 7)
Hardware: x86_64
OS: Linux
high
urgent
Target Milestone: z1
Target Release: 5.0 (RHEL 7)
Assignee: Nathan Kinder
QA Contact: Udi Kalifon
URL:
Whiteboard:
: 1128926 1129433 1144167 (view as bug list)
Depends On:
Blocks: 1128799 1139352
Reported: 2014-09-05 12:55 UTC by Chris Hudson
Modified: 2018-12-09 18:30 UTC (History)

Fixed In Version: openstack-keystone-2014.1.2.1-2.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, when the Identity service encountered LDAP attributes with binary values, it failed to parse those values properly. This included attributes that the Identity service is not even configured to use, because with the LDAP search scope set to 'subtree' all attributes of an entry were requested. As a result, LDAP entries containing binary attribute values were not usable with the Identity service, which led to failed user lookups and authentication when using the LDAP backend. With this update, the Identity service checks properly for attribute value parsing errors and skips the individual attributes that it does not understand. As a result, LDAP entries containing binary attribute values work properly with the Identity service.
Clone Of:
: 1139352 (view as bug list)
Environment:
Last Closed: 2014-09-30 17:51:47 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Launchpad 1355489 0 None None None Never
OpenStack gerrit 119457 0 None None None Never
OpenStack gerrit 119578 0 None None None Never
Red Hat Product Errata RHBA-2014:1347 0 normal SHIPPED_LIVE openstack-keystone bug fix update 2014-09-30 21:49:42 UTC

Description Chris Hudson 2014-09-05 12:55:35 UTC
Description of problem:

Opening this bz after having discussions with nkinder and ayoung. 

Per Nathan:

Here is the fixed method from
/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:

-----------------------------------------------------------------------
    def _id_to_dn(self, object_id):
        if self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL:
            return self._id_to_dn_string(object_id)
        conn = self.get_connection()
        try:
            search_result = conn.search_s(
                self.tree_dn, self.LDAP_SCOPE,
                '(&(%(id_attr)s=%(id)s)(objectclass=%(objclass)s))' %
                {'id_attr': self.id_attr,
                 'id': ldap.filter.escape_filter_chars(
                     six.text_type(object_id)),
                 'objclass': self.object_class},
                ['dn'])
        finally:
            conn.unbind_s()
        if search_result:
            dn, attrs = search_result[0]
            return dn
        else:
            return self._id_to_dn_string(object_id)
-----------------------------------------------------------------------

The fix is simply the addition of the "['dn']" parameter as the attribute
list to return to search_s().  The function doesn't need anything from
the search result other than the DN, so we should only be requesting the DN.

Without specifying an attribute list, all attributes are returned, which
causes us to blow up on binary attribute values.  The code that crashes
is new code that John added in Icehouse IIRC.  We'll need to get this
fixed for A1 for OSP 5.0 and we can provide hotfixes as needed.

Version-Release number of selected component (if applicable):
python-keystoneclient-0.9.0-1.el7ost.noarch
python-keystone-2014.1.2.1-1.el7ost.noarch
openstack-keystone-2014.1.2.1-1.el7ost.noarch


Additional info:

Comment 6 Nathan Kinder 2014-09-05 20:05:26 UTC
The fix has been proposed to master upstream.  A backport will be proposed for stable/icehouse once the fix has been accepted.

Comment 8 Nathan Kinder 2014-09-06 21:03:03 UTC
A patch for this issue has been proposed for backport to stable/icehouse upstream:

  https://review.openstack.org/#/c/119578/

Comment 11 Alan Pevec 2014-09-09 15:17:14 UTC
There was followup in the upstream Icehouse backport:
https://review.openstack.org/#/c/119578/1..3/keystone/assignment/backends/ldap.py,unified

Comment 13 Udi Kalifon 2014-09-15 07:19:22 UTC
Which binary attribute, exactly? I created a user and gave him a jpegPhoto, and didn't see a crash. Need more step-by-step info on how to recreate the crash.

Comment 14 Nathan Kinder 2014-09-15 18:52:53 UTC
(In reply to Udi from comment #13)
> Which binary attribute, exactly? I created a user and gave him a jpegPhoto,
> and didn't see a crash. Need more step-by-step info on how to recreate the
> crash.

Any binary attribute, but this was encountered against Active Directory when processing the objectSid attribute:

2014-09-04 23:33:24.101 116033 DEBUG keystone.common.ldap.core [-] NGK - processing attr sAMAccountType convert_ldap_result /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:150
2014-09-04 23:33:24.101 116033 DEBUG keystone.common.ldap.core [-] NGK - processing value 805306368 convert_ldap_result /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:152
2014-09-04 23:33:24.101 116033 DEBUG keystone.common.ldap.core [-] NGK - processing attr objectSid convert_ldap_result /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:150
2014-09-04 23:33:24.101 116033 DEBUG keystone.common.ldap.core [-] NGK - processing value ��v�N2d�C`�X convert_ldap_result /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:152
2014-09-04 23:33:24.101 116033 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:788
2014-09-04 23:33:24.103 116033 DEBUG keystone.notifications [-] CADF Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', 'initiator': {'typeURI': 'service/security/account/user', 'host': {'agent': 'python-keystoneclient', 'address': '192.168.2.157'}, 'id': 'openstack:20e4d464-3852-4282-9fff-95b89d9a99d6', 'name': u'OpenStack Administrator'}, 'target': {'typeURI': 'service/security/account/user', 'id': 'openstack:10c9ea94-725e-4bd1-b6dd-9fa323f35e91'}, 'observer': {'typeURI': 'service/security', 'id': 'openstack:122c6518-faaa-4b0a-a134-374284d8b318'}, 'eventType': 'activity', 'eventTime': '2014-09-05T03:33:24.102686+0000', 'action': 'authenticate', 'outcome': 'failure', 'id': 'openstack:da8ebbc0-9f5d-4723-a4a9-e873a59281a6'} _send_audit_notification /usr/lib/python2.7/site-packages/keystone/notifications.py:289
2014-09-04 23:33:24.103 116033 WARNING keystone.common.wsgi [-] Authorization failed. Invalid user / password from 192.168.2.157
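The two halves of the fix described in this bug (request only the DN in _id_to_dn, and skip attribute values that do not parse instead of failing the whole lookup), shown on a constructed python-ldap style search result containing an objectSid. This is an added Python 3 illustration, not keystone's own code; fake_search_s, convert_naive, convert_skipping_binary, id_to_dn and the sample SID bytes are all constructed for it.

```python
# Added illustration of this bug, not keystone's own code. It mimics the
# attribute-conversion step on a constructed python-ldap style search result
# (a list of (dn, attrs) pairs with bytes values) and shows both fixes.

# Constructed sample of what search_s() returns for an AD user when no
# attribute list is given: every attribute comes back, including binary ones.
SAMPLE_RESULT = [
    ("CN=alice,CN=Users,DC=example,DC=com", {
        "sAMAccountName": [b"alice"],
        "sAMAccountType": [b"805306368"],
        # Constructed objectSid in AD's binary SID layout; not valid UTF-8.
        "objectSid": [b"\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00"
                      b"\x8e\xf6\x76\xa9\x4e\x32\x64\xc1\xe8\x03\x00\x00"],
    }),
]


def fake_search_s(result, attrlist=None):
    """Stand-in for conn.search_s(): with attrlist=['dn'] the server returns
    the entry with no attributes, which is what the _id_to_dn fix relies on."""
    if attrlist is None:
        return result
    wanted = set(attrlist) - {"dn"}  # 'dn' is not a real attribute
    return [(dn, {k: v for k, v in attrs.items() if k in wanted})
            for dn, attrs in result]


def convert_naive(search_result):
    """Pre-fix behaviour: decode every value as UTF-8, so a single binary
    attribute raises and the whole lookup (hence authentication) fails."""
    return [(dn, {k: [v.decode("utf-8") for v in vs] for k, vs in attrs.items()})
            for dn, attrs in search_result]


def convert_skipping_binary(search_result):
    """Post-fix behaviour: attributes whose values are not valid text are
    skipped one by one; the rest of the entry stays usable."""
    out = []
    for dn, attrs in search_result:
        converted = {}
        for name, values in attrs.items():
            try:
                converted[name] = [v.decode("utf-8") for v in values]
            except UnicodeDecodeError:
                continue  # binary attribute keystone does not use; drop it
        out.append((dn, converted))
    return out


def id_to_dn(result, attrlist=("dn",)):
    """Mirror of the fixed _id_to_dn: ask only for the DN, so no attribute
    values are converted at all."""
    hits = fake_search_s(result, list(attrlist))
    return hits[0][0] if hits else None
```

With query_scope=sub the unfixed code takes the convert_naive path over the full entry, which is why an AD objectSid broke lookups that a jpegPhoto-free test never exercised.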

Comment 16 Nathan Kinder 2014-09-18 22:48:43 UTC
*** Bug 1128926 has been marked as a duplicate of this bug. ***

Comment 17 Nathan Kinder 2014-09-19 05:06:23 UTC
The key to reproducing this issue is to set the following in keystone.conf:

----------------------
[ldap]
...
query_scope=sub
----------------------

The problem is not triggered with the default query_scope setting of "one".

Comment 18 Nathan Kinder 2014-09-19 05:07:03 UTC
*** Bug 1144167 has been marked as a duplicate of this bug. ***

Comment 19 Nathan Kinder 2014-09-20 00:41:13 UTC
*** Bug 1129433 has been marked as a duplicate of this bug. ***

Comment 20 Udi Kalifon 2014-09-23 18:03:37 UTC
Fixed in:
python-keystone-2014.1.2.1-2.el7ost.noarch

Comment 23 errata-xmlrpc 2014-09-30 17:51:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1347.html