Comment 14 for bug 1832265

Drew Freiberger (afreiberger) wrote : Re: keystone LDAP integration in rocky not working for RBAC rules or token auth

  - Attempted to hack in the fix suggested by seyeong to clean up byte-encoded strings, but
    getting only half-fixed responses. Half the actions still fail; I think this is because I placed
    this into attempt_convert_uuid_hex_to_bytes, rather than convert_uuid_hex_to_bytes.
    https://github.com/openstack/keystone/blob/master/keystone/token/token_formatters.py#L314
  - It looks like there are a couple of contexts for assembling tokens
    that have domain_id being encapsulated through a different function,
    which may be part of the issue.
  - Dug through the ldap backend and found that there is a function that
    is supposed to take all the byte-coded data from ldap and turn it
    into strings and such for python usage:
    https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L146
  - Tossing in debugging in this section of the code has resulted in
    showing everything coming out of the ldap result is pulled into
    python with proper formatting as all the variables get strained
    through a utf8_decode process when returned from ldap, so the issue
    is not in the ldap query response mangling.
    https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L86
  - This leads me to believe the issue actually lies either in the
    database or in the code generating the tokens, which is why I'm most
    interested in the assemble routines in token/token_formatters.py.