Comment 11 for bug 1832265

Drew Freiberger (afreiberger) wrote : Re: keystone LDAP integration in rocky not working for RBAC rules or token auth

Taking a cue from def disassemble, I added in an exception handler for this binary_type user_id validation in (keystone.identity.backends.ldap.core). This appears to resolve the LDAP access issues within horizon as far as I'm able to tell. Basically, this is handling any call to the ldap UserApi subclass call for self.user.get(*attribute), to check for byte-encoded values coming from the ldap backend and strip them.

/usr/lib/python3/dist-packages/keystone/identity/backends/ldap/core.py diff:

*** a/core.py 2019-06-11 20:29:23.148303839 +0000
--- b/core.py 2019-06-11 20:27:23.854658160 +0000
*************** class UserApi(common_ldap.EnabledEmuMixI
*** 308,313 ****
--- 308,318 ----
      def get(self, user_id, ldap_filter=None):
          obj = super(UserApi, self).get(user_id, ldap_filter=ldap_filter)
          obj['options'] = {} # options always empty
+
+ # lp#1832265
+ if six.PY3 and isinstance(obj, six.binary_type):
+ obj = obj.decode('utf-8')
+
          return obj

      def get_filtered(self, user_id):
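
Review bot: the new `isinstance(obj, six.binary_type)` test in `UserApi.get` looks unreachable for the case it is meant to handle. The unchanged line just above it runs `obj['options'] = {}`, so `obj` has to accept item assignment with a string key by that point, and a bytes value would already have raised there. If the byte-encoded data is a field inside the returned object, the check and the `decode('utf-8')` should be applied to that field (or to each bytes-typed value in `obj`) rather than to `obj` itself. Two smaller points: the added lines are shown at column 0 while the surrounding method body is indented, so they need to be aligned with `return obj` for the file to parse; and the hunk does not show `six` being imported in core.py, which should be confirmed. It is also worth deciding what happens when a value is not valid UTF-8, since `decode('utf-8')` will raise `UnicodeDecodeError` in that case.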