Description of problem: keystone LDAP configuration chase_referrals is only accepted as integer when using domain_configurations_from_database Version-Release number of selected component (if applicable): in OSP 7 How reproducible: all the time Steps to Reproduce: Domain based configuration with domain_configurations_from_database set to true in keystone.conf. So instead of having the configuration in the /etc/keystone/domain/keystone.domain.conf file it is uploaded into the database, this is done initially with the 'keystone-manage domain_config_upload'. Unfortunately once it is updated the only way to change data is to modify it with curl. To do that, you can use curl to get the OS_TOKEN and then run a curl command to make the change. The command to get the token: curl -i -H "Content-Type: application/json" -d ' { "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "'${OS_USERNAME}'", "domain": { "name": "Default" }, "password": "'$OS_PASSWORD'" } } }, "scope": { "project": { "name": "admin", "domain": { "name": "Default" } } } } }' ${OS_AUTH_URL}/auth/tokens |grep X-Subject-Token: Once I set the OS_TOKEN with the value from X-Subject-Token: I run the following command to make the change, initially to "False": curl -s -X PATCH -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" \ -d ' { "config": { "ldap": { "tls_cacertdir" : "/etc/pki/ca-trust/extracted/pem/", "chase_referrals": "False" } } }' \ ${OS_AUTH_URL}//v3/domains/ce954c66406e4f19b5cc28ce2eac8d0c/config/ldap At that point I get the error described. Received the error: 2016-06-15 12:45:18.482 3852 ERROR keystone.common.wsgi [-] invalid literal for int() with base 10: 'False' 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi Traceback (most recent call last): 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 238, in __call__ 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi result = method(context, **params) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 377, in authenticate_for_token 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi self.authenticate(context, auth_info, auth_context) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 502, in authenticate 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi auth_context) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/password.py", line 35, in authenticate 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi user_info = auth_plugins.UserAuthInfo.create(auth_payload, self.method) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/core.py", line 106, in create 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi user_auth_info._validate_and_normalize_auth_data(auth_payload) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/plugins/core.py", line 174, in _validate_and_normalize_auth_data 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi user_name, domain_ref['id']) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 342, in wrapper 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi return f(self, *args, **kwargs) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 353, in wrapper 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi return f(self, *args, **kwargs) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 1040, in decorate 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi should_cache_fn) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 651, in get_or_create 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi async_creator) as value: 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/core/dogpile.py", line 158, in __enter__ 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi return self._enter() 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/core/dogpile.py", line 98, in _enter 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi generated = self._enter_create(createdtime) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/core/dogpile.py", line 149, in _enter_create 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi created = self.creator() 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 619, in gen_value 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi created_value = creator() 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 1036, in creator 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi return fn(*arg, **kw) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 773, in get_user_by_name 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi ref = driver.get_user_by_name(user_name, domain_id) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap.py", line 87, in get_user_by_name 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi return self.user.filter_attributes(self.user.get_by_name(user_name)) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1497, in get_by_name 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi res = self.get_all(query) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1891, in get_all 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi return super(EnabledEmuMixIn, self).get_all(ldap_filter) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1505, in get_all 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi for x in self._ldap_get_all(ldap_filter)] 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1459, in _ldap_get_all 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi with self.get_connection() as conn: 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1271, in get_connection 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi pool_conn_lifetime=pool_conn_lifetime 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 886, in connect 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi pool_conn_lifetime=pool_conn_lifetime) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 704, in connect 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi self.set_option(ldap.OPT_REFERRALS, int(chase_referrals)) 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi ValueError: invalid literal for int() with base 10: 'False' 2016-06-15 12:45:18.482 3852 TRACE keystone.common.wsgi 2016-06-15 12:45:18.485 3852 INFO eventlet.wsgi.server [-] 10.199.8.34 - - [15/Jun/2016 12:45:18] "POST /v3/auth/tokens HTTP/1.1" 500 453 0.031947 2016-06-15 12:45:18.489 3852 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:223 Then changed the value to be the integer value 0 (for false) via the command: curl -s -X PATCH -H "X-Auth-Token: $OS_TOKEN" -H "Content-Type: application/json" \ -d ' { "config": { "ldap": { "tls_cacertdir" : "/etc/pki/ca-trust/extracted/pem/", "chase_referrals": 0 } } }' \ ${OS_AUTH_URL}//v3/domains/ce954c66406e4f19b5cc28ce2eac8d0c/config/ldap Now the script works and my issue that I was setting chase_referrals to False for is now resolved. The reason I opened this case as I think there is a bug from the /etc/keystone/keystone.conf file: # Override the system's default referral chasing behavior for queries. (boolean # value) #chase_referrals = <None> Since it is a boolean it should be true or false, however from the code it wants an integer. From the code: /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py line 704: if chase_referrals is not None: self.set_option(ldap.OPT_REFERRALS, int(chase_referrals))
This looks related to https://bugzilla.redhat.com/show_bug.cgi?id=1343143
"If you do false in lower case it works. However, it is consistent to how other booleans are treated as a quick search group the output shows: "chase_referrals": false, "group_allow_create": "False", "group_allow_delete": "False", "group_allow_update": "False", "use_auth_pool": "false", "use_dumb_member": "False", "use_pool": "false", "use_tls": "True", "user_allow_create": "False", "user_allow_delete": "False", "user_allow_update": "False", Note only chase_referrals appears to work that way."
chase_referrals is a boolean. JSON has an explicit boolean type whose possible values are true or false. Note there is no quotation marks around these values! They are NOT strings! Due to a historical quirk of how Python handles booleans Python will also accept an integer where zero has the truth value of false and non-zero has the truth value of true (just like in C and other languages). The important point is they are not string values. Many of the examples you cite a deprecated LDAP values. I suspect the only reason some boolean values will work as strings when they are used in LDAP, all values stored in LDAP are strings and there is Python code to convert booleans to and from strings when stored and read from LDAP respectively. But that is specific to values *in* LDAP, not to JSON interchange nor run time usage in other parts of keystone. The bottom line is that you should have formatted your JSON as: "chase_referrals": false