can't use "$" in password for ldap authentication

Bug #1480334 reported by Vasyl Saienko
This bug affects 3 people
Affects                        Status     Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Invalid    Medium      Kent Wang
oslo.config                    Won't Fix  Undecided   Unassigned

Bug Description

keystone can't connect to the LDAP server if "$" is used in the password.

keystone.tld.conf

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url=ldap://172.16.56.46:389
<email address hidden>
password=Pa$$w0rd
suffix=dc=keystone,dc=tld
query_scope = sub

user_tree_dn=dc=keystone,dc=tld
user_objectclass=person
user_id_attribute=cn
#user_name_attribute=userPrincipalName
user_name_attribute=cn

use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600

use_auth_pool = true
auth_pool_size = 100
auth_pool_connection_lifetime = 60

debug_level = 4095

Debug from log:
<15>Jul 31 14:00:04 node-1 keystone-all LDAP init: url=ldap://172.16.56.46:389
<15>Jul 31 14:00:04 node-1 keystone-all LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1
<15>Jul 31 14:00:04 node-1 keystone-all LDAP bind: who=CN=admin_ad,CN=Users,DC=keystone,DC=tld
<15>Jul 31 14:00:04 node-1 keystone-all arg_dict: {}
<14>Jul 31 14:00:04 node-1 keystone-all 192.168.0.2 - - [31/Jul/2015 14:00:04] "OPTIONS / HTTP/1.0" 300 919 0.143915
<15>Jul 31 14:00:04 node-1 keystone-all arg_dict: {}
<14>Jul 31 14:00:05 node-1 keystone-all 192.168.0.2 - - [31/Jul/2015 14:00:05] "OPTIONS / HTTP/1.0" 300 921 0.155419
<11>Jul 31 14:00:05 node-1 keystone-all {'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}

while I can connect to the server with ldapsearch.

Tags: ldap
Brant Knudson (blk-u) wrote :

This might have something to do with oslo.config doing replacement.

Dolph Mathews (dolph) wrote :

Brant: can we opt out of that behavior?

tags: added: ldap
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Boris Bobrov (bbobrov) wrote :

This is because of oslo_config's option value interpolation:
http://docs.openstack.org/developer/oslo.config/cfg.html#option-value-interpolation

This can be overridden by using $$ instead of $, but it would be great to mark some options as not using the interpolation.

Brant Knudson (blk-u) wrote :

Dolph - no opt out as far as I know although it seems like it would be useful to be able to. That change wouldn't be backwards-compatible so would probably have to go through a deprecation period or have a config to switch.

Davanum Srinivas (DIMS) (dims-v) wrote :

You can use a \$ to prevent the expansion, like so: "Pa\$\$w0rd", or use $$, like so: "pas$$$$w0rd".

Thanks,
dims
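
Boris's and dims' comments above describe oslo.config's option-value interpolation and the "$$" / "\$" escapes. The Python below is an added example, not code from the bug, keystone or oslo.config: it emulates that interpolation with string.Template rules, shows what the reporter's "Pa$$w0rd" turns into before the LDAP bind, and acts as a small lint that reports unescaped "$" pieces and the literal spelling. The [ldap] fragment and its hostname are constructed sample input.

```python
import configparser
from string import Template

# Constructed sample modelled on the [ldap] section in the report; the
# password is spelled the way the reporter spelled it (not escaped).
SAMPLE_CONF = """
[ldap]
url = ldap://ldap.example.test:389
password = Pa$$w0rd
suffix = dc=keystone,dc=tld
"""

def interpolate(raw, options):
    """Emulate oslo.config value interpolation with string.Template rules:
    $name / ${name} are replaced from options, "$$" yields one "$", and
    "\\$" is treated like "$$" (the form dims suggests). Unknown names stay
    as written (safe_substitute). A simplified emulation, not oslo.config."""
    return Template(raw.replace(r"\$", "$$")).safe_substitute(options)

def unescaped_dollars(raw):
    """Every '$' piece of raw that is not an escape ("$$" or "\\$"), i.e.
    what interpolation would consume as a reference or a stray '$'."""
    normalised = raw.replace(r"\$", "$$")
    return [m.group(0) for m in Template.pattern.finditer(normalised)
            if m.group("escaped") is None]

def escape_literal(literal):
    """Spell a literal so that interpolation hands it back unchanged."""
    return literal.replace("$", "$$")

def audit_password(conf_text, section="ldap", option="password"):
    """Read the section without interpolation and report what the password
    becomes, which '$' pieces are unescaped, and the safe literal spelling."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get(section, option)
    others = {k: v for k, v in parser.items(section) if k != option}
    return {"raw": raw, "effective": interpolate(raw, others),
            "unescaped": unescaped_dollars(raw),
            "literal_spelling": escape_literal(raw)}

if __name__ == "__main__":
    result = audit_password(SAMPLE_CONF)
    print("configured  :", result["raw"])
    print("sent to LDAP:", result["effective"])
    if result["effective"] != result["raw"]:
        print("for the configured text write: password =", result["literal_spelling"])
```

Run against the sample, it shows the bind being attempted with "Pa$w0rd" rather than the configured text, which matches the "Invalid credentials" in the reporter's log.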

Changed in oslo.config:
status: New → Won't Fix
Vasyl Saienko (vsaienko) wrote :

Good to know. I think it would be helpful if debug showed a warning or even an error when a special character is used without shielding.

Dolph Mathews (dolph) wrote :

Why would anyone want variable substitution in a password field? It seems like we should be able to flag certain fields as literals to completely disallow substitution.

Kent Wang (k.wang)
Changed in keystone:
assignee: nobody → Kent Wang (k.wang)
Boris Bobrov (bbobrov) wrote :

I'm marking this as invalid for keystone since it affects all components that use oslo_config.

Changed in keystone:
status: Triaged → Invalid
Nikita Koshikov (nkoshikov) wrote :

Also, keystone has trouble working with passwords that contain an equal sign '='.
