LDAP Passwords are not quoted in rendered configs

I can see how that would be a problem; presumably some basic quoting in the configuration file is supported by oslo.config so we could just always do that.

I've run into this again.

In my case I have a dollar sign ($) in the customer supplied password.

When running hooks, I get "Internal Server Error (HTTP 500)" and when I check /var/log/apache2/keystone_error.log I see a long trace ending with:

  2022-10-14 11:19:00.295900 oslo_config.cfg.NoSuchOptError: no such option barbaz in group [DEFAULT]

Where "foo$barbaz" is the password.

I've tried quoting the password by hand-editing /etc/keystone/domains/keystone.LDAP.conf but it still gives the above error. I tried single quotes and double quotes, separately and together.

What finally worked was adding a backslash in front of the dollar sign (even without quotes).

I suspect the config parser is trying to resolve it as some kind of variable expansion without the backslash.

Getting the backslash into the config variable isn't too difficult. Here's one way:

  juju config keystone-ldap ldap-password='foo\$barbaz'