Description of problem:
Opening this bz after having discussions with nkinder and ayoung. Per Nathan:

Here is the fixed method from /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:

-----------------------------------------------------------------------
    def _id_to_dn(self, object_id):
        if self.LDAP_SCOPE == ldap.SCOPE_ONELEVEL:
            return self._id_to_dn_string(object_id)
        conn = self.get_connection()
        try:
            search_result = conn.search_s(
                self.tree_dn, self.LDAP_SCOPE,
                '(&(%(id_attr)s=%(id)s)(objectclass=%(objclass)s))' %
                {'id_attr': self.id_attr,
                 'id': ldap.filter.escape_filter_chars(
                     six.text_type(object_id)),
                 'objclass': self.object_class},
                ['dn'])
        finally:
            conn.unbind_s()
        if search_result:
            dn, attrs = search_result[0]
            return dn
        else:
            return self._id_to_dn_string(object_id)
-----------------------------------------------------------------------

The fix is simply the addition of the "[dn]" parameter as the attribute list to return to search_s(). The function doesn't need anything from the search result other than the DN, so we should only be requesting the DN. Without specifying an attribute list, all attributes are returned, which causes us to blow up on binary attribute values.

The code that crashes is new code that John added in Icehouse IIRC. We'll need to get this fixed for A1 for OSP 5.0 and we can provide hotfixes as needed.

Version-Release number of selected component (if applicable):
python-keystoneclient-0.9.0-1.el7ost.noarch
python-keystone-2014.1.2.1-1.el7ost.noarch
openstack-keystone-2014.1.2.1-1.el7ost.noarch

Additional info:
The fix has been proposed to master upstream. A backport will be proposed for stable/icehouse once the fix has been accepted.
A patch for this issue has been proposed for backport to stable/icehouse upstream: https://review.openstack.org/#/c/119578/
There was followup in the upstream Icehouse backport: https://review.openstack.org/#/c/119578/1..3/keystone/assignment/backends/ldap.py,unified
Which binary attribute, exactly? I created a user and gave him a jpegPhoto, and didn't see a crash. Need more step-by-step info on how to recreate the crash.
(In reply to Udi from comment #13)
> Which binary attribute, exactly? I created a user and gave him a jpegPhoto,
> and didn't see a crash. Need more step-by-step info on how to recreate the
> crash.

Any binary attribute, but this was encountered against Active Directory when processing the objectSid attribute:

2014-09-04 23:33:24.101 116033 DEBUG keystone.common.ldap.core [-] NGK - processing attr sAMAccountType convert_ldap_result /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:150
2014-09-04 23:33:24.101 116033 DEBUG keystone.common.ldap.core [-] NGK - processing value 805306368 convert_ldap_result /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:152
2014-09-04 23:33:24.101 116033 DEBUG keystone.common.ldap.core [-] NGK - processing attr objectSid convert_ldap_result /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:150
2014-09-04 23:33:24.101 116033 DEBUG keystone.common.ldap.core [-] NGK - processing value ��v�N2d�C`�X convert_ldap_result /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:152
2014-09-04 23:33:24.101 116033 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:788
2014-09-04 23:33:24.103 116033 DEBUG keystone.notifications [-] CADF Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', 'initiator': {'typeURI': 'service/security/account/user', 'host': {'agent': 'python-keystoneclient', 'address': '192.168.2.157'}, 'id': 'openstack:20e4d464-3852-4282-9fff-95b89d9a99d6', 'name': u'OpenStack Administrator'}, 'target': {'typeURI': 'service/security/account/user', 'id': 'openstack:10c9ea94-725e-4bd1-b6dd-9fa323f35e91'}, 'observer': {'typeURI': 'service/security', 'id': 'openstack:122c6518-faaa-4b0a-a134-374284d8b318'}, 'eventType': 'activity', 'eventTime': '2014-09-05T03:33:24.102686+0000', 'action': 'authenticate', 'outcome': 'failure', 'id': 'openstack:da8ebbc0-9f5d-4723-a4a9-e873a59281a6'} _send_audit_notification /usr/lib/python2.7/site-packages/keystone/notifications.py:289
2014-09-04 23:33:24.103 116033 WARNING keystone.common.wsgi [-] Authorization failed. Invalid user / password from 192.168.2.157
*** Bug 1128926 has been marked as a duplicate of this bug. ***
The key to reproducing this issue is to set the following in keystone.conf:

----------------------
[ldap]
...
query_scope=sub
----------------------

The problem is not triggered with the default query_scope setting of "one".
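The two conditions described in this thread, an unrestricted search_s() returning a binary objectSid (comment #1) and query_scope=sub being needed to reach the search path at all (the comment above), shown together in an added stand-alone example. This is illustrative code, not keystone's: the directory entry, the search_s stand-in, the minimal filter escaping and the UTF-8 conversion step are all constructed here so it runs without an LDAP server.

```python
TREE_DN = 'OU=Users,DC=example,DC=com'
ID_ATTR = 'cn'
OBJECT_CLASS = 'person'

# Constructed sample entry modelled on an Active Directory user. The objectSid
# value is a binary SID blob; the 0xff byte makes it invalid UTF-8 on purpose.
SAMPLE_DN = 'CN=jdoe,OU=Staff,' + TREE_DN
SAMPLE_ATTRS = {
    'cn': [b'jdoe'],
    'sAMAccountType': [b'805306368'],
    'objectSid': [b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00'
                  b'\xff\xfe\x9e\x76\xa1\x4e\x32\x64\xc3\x43\x60\xe9\x51\x04\x00\x00'],
}

def escape_filter_chars(value):
    """Minimal RFC 4515 escaping; stand-in for ldap.filter.escape_filter_chars."""
    for ch, esc in (('\\', r'\5c'), ('*', r'\2a'), ('(', r'\28'), (')', r'\29'), ('\0', r'\00')):
        value = value.replace(ch, esc)
    return value

def convert_ldap_result(raw):
    """Decodes every returned value as UTF-8 text, as a text-only conversion step
    would; a binary value such as objectSid raises UnicodeDecodeError here."""
    return [(dn, {a: [v.decode('utf-8') for v in vals] for a, vals in attrs.items()})
            for dn, attrs in raw]

def search_s(base, scope, filterstr, attrlist=None):
    """Stand-in for a connection's search_s: the fake server returns the entry when
    the filter names its cn, with every attribute when attrlist is None and only the
    listed ones otherwise ('dn' is not an attribute, so nothing comes back with it),
    and the result is then passed through convert_ldap_result."""
    if '(%s=%s)' % (ID_ATTR, SAMPLE_ATTRS['cn'][0].decode()) not in filterstr:
        return []
    attrs = SAMPLE_ATTRS if attrlist is None else {a: v for a, v in SAMPLE_ATTRS.items() if a in attrlist}
    return convert_ldap_result([(SAMPLE_DN, attrs)])

def id_to_dn(object_id, query_scope, attrlist=None):
    """With query_scope 'one' the DN is built as a string and nothing is searched,
    which is why the crash only appears with query_scope=sub."""
    if query_scope == 'one':
        return '%s=%s,%s' % (ID_ATTR, object_id, TREE_DN)
    filt = '(&(%s=%s)(objectclass=%s))' % (ID_ATTR, escape_filter_chars(object_id), OBJECT_CLASS)
    result = search_s(TREE_DN, query_scope, filt, attrlist)
    return result[0][0] if result else '%s=%s,%s' % (ID_ATTR, object_id, TREE_DN)

def try_lookup(object_id, query_scope, attrlist=None):
    """Returns (dn, None) on success or (None, exception class name) on failure."""
    try:
        return id_to_dn(object_id, query_scope, attrlist), None
    except UnicodeDecodeError as exc:
        return None, type(exc).__name__
```

Calling try_lookup('jdoe', 'sub') reproduces the decode failure, while try_lookup('jdoe', 'sub', ['dn']) returns the entry's DN because the binary attribute is never requested.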
*** Bug 1144167 has been marked as a duplicate of this bug. ***
*** Bug 1129433 has been marked as a duplicate of this bug. ***
Fixed in: python-keystone-2014.1.2.1-2.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1347.html