LDAP Passwords are not quoted in rendered configs

Bug #1688196 reported by James Hebden
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Keystone LDAP integration
Triaged
Medium
Unassigned

Bug Description

When adding passwords which use special, non-ASCII characters, the keystone-ldap charm will render them in-place without quoting in the per-domain keystone configuration files. This can, if the right characters are in included in the password, cause keystone to not be able to start.

James Hebden (ec0)
tags: added: canonical-bootstack
Revision history for this message
James Page (james-page) wrote :

I can see how that would be a problem; presumably some basic quoting in the configuration file is supported by oslo.config so we could just always do that.

Changed in charm-keystone-ldap:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Vern Hart (vern) wrote :

I've run into this again.

In my case I have a dollar sign ($) in the customer supplied password.

When running hooks, I get "Internal Server Error (HTTP 500)" and when I check /var/log/apache2/keystone_error.log I see a long trace ending with:

  2022-10-14 11:19:00.295900 oslo_config.cfg.NoSuchOptError: no such option barbaz in group [DEFAULT]

Where "foo$barbaz" is the password.

I've tried quoting the password by hand-editing /etc/keystone/domains/keystone.LDAP.conf but it still gives the above error. I tried single quotes and double quotes, separately and together.

What finally worked was adding a backslash in front of the dollar sign (even without quotes).

I suspect the config parser is trying to resolve it as some kind of variable expansion without the backslash.

Getting the backslash into the config variable isn't too difficult. Here's one way:

  juju config keystone-ldap ldap-password='foo\$barbaz'

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.