[Bug 1798184] Related fix merged to keystone (stable/queens)
OpenStack Infra
1798184 at bugs.launchpad.net
Tue Sep 3 18:44:14 UTC 2019
Reviewed: https://review.opendev.org/674031
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=79ed42ee67915383242541329dd5aa186f087ff2
Submitter: Zuul
Branch: stable/queens
commit 79ed42ee67915383242541329dd5aa186f087ff2
Author: Raildo Mascena <rmascena at redhat.com>
Date: Wed Jul 24 10:20:17 2019 -0300
Fix python3 compatibility on LDAP search DN from id
In Python 3, python-ldap no longer allows bytes for some fields (DNs,
RDNs, attribute names, queries). Instead, text values are represented
as str, the Unicode text type.
[1] More details about byte/str usage in python-ldap can be found at:
http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode
Change-Id: I63e3715032cd8edb11fbff7651f5ba1af506dc9d
Related-Bug: #1798184
(cherry picked from commit 03531a56910b12922afde32b40e270b7d68a334b)
--
https://bugs.launchpad.net/bugs/1798184
Title:
  [SRU] PY3: python3-ldap does not allow bytes for DN/RDN/field names
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive rocky series:
  Fix Released
Status in Ubuntu Cloud Archive stein series:
  Fix Released
Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) rocky series:
  Fix Released
Status in OpenStack Identity (keystone) stein series:
  Fix Released
Status in ldappool:
  Fix Released
Status in keystone package in Ubuntu:
  Fix Released
Status in python-ldappool package in Ubuntu:
  Fix Released
Status in keystone source package in Cosmic:
  Fix Released
Status in python-ldappool source package in Cosmic:
  Fix Released
Status in keystone source package in Disco:
  Fix Released
Status in python-ldappool source package in Disco:
  Fix Released
Bug description:
[Impact]
Keystone LDAP backend doesn't work for PY3.
Under Python 2, python-ldap uses bytes by default. Under Python 3 this
is removed and bytes aren't allowed for DN/RDN/field names.
More details are here: http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode
and here: https://github.com/python-ldap/python-ldap/blob/python-ldap-3.1.0/Lib/ldap/ldapobject.py#L111
== initial traceback ==
Here's the initial traceback from the failure:
https://paste.ubuntu.com/p/67THZb2m5m/
The last bit of the error is:
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 314, in _ldap_call
    result = func(*args,**kwargs)
  TypeError: simple_bind() argument 1 must be str or None, not bytes
A closer look at func shows:
func=<built-in method simple_bind of LDAP object at 0x7f9d0177b760>
args=(b'cn=admin,dc=test,dc=com', b'crapper', None, None)
== keystone ldap backend use of python-ldap ==
In simple_bind_s() of keystone's ldap backend, who and cred are
encoded as byte strings:
https://github.com/openstack/keystone/blob/14.0.0/keystone/identity/backends/ldap/common.py#L885
but that appears to no longer be valid use of python-ldap for py3.
[Test Case]
Run charm-keystone-ldap functional tests for OpenStack Rocky or above.
[Regression Potential]
The only regression potential would be for PY2 code paths. PY3 code paths never worked for keystone's LDAP backend. The approach to the patch has purposefully minimized the amount of code required and therefore regression potential for PY2. Note that Rocky for Ubuntu supports PY2 but as of Stein Ubuntu has dropped PY2 support.
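Added example, not part of the bug report and not keystone's actual patch: a pure-Python sketch of normalizing arguments before they reach python-ldap on Python 3, so that DNs, filters and attribute names are str while attribute values stay bytes. The helper names (to_text, require_text, bind_args, search_args, add_modlist) are hypothetical, and require_text only models the type rule shown in the traceback; python-ldap itself is not imported.

```python
# Added example: text-mode argument handling for python-ldap on Python 3.
# All function names here are hypothetical helpers, not keystone code.

def to_text(value, encoding="utf-8"):
    """Decode bytes to str; pass str and None through unchanged."""
    if isinstance(value, bytes):
        return value.decode(encoding)
    return value


def require_text(name, value):
    """Model of the Python 3 rule: text fields must be str or None."""
    if value is not None and not isinstance(value, str):
        raise TypeError("%s must be str or None, not %s"
                        % (name, type(value).__name__))
    return value


def bind_args(who, cred):
    """Arguments for simple_bind_s(): the bind DN has to be text.

    The traceback on this page only rejects argument 1 (who), so cred
    is left exactly as the caller supplied it.
    """
    return require_text("who", to_text(who)), cred


def search_args(base, scope, filterstr, attrlist=None):
    """Arguments for search_s(): DN, filter and attribute names are text."""
    names = None if attrlist is None else [
        require_text("attribute name", to_text(a)) for a in attrlist]
    return (require_text("base", to_text(base)), scope,
            require_text("filterstr", to_text(filterstr)), names)


def add_modlist(attrs):
    """Modlist for add_s(): names become str, values are always bytes."""
    modlist = []
    for name, values in attrs.items():
        if isinstance(values, (str, bytes)):
            values = [values]
        encoded = [v.encode("utf-8") if isinstance(v, str) else v
                   for v in values]
        modlist.append(
            (require_text("attribute name", to_text(name)), encoded))
    return modlist
```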