OpenStack Identity (keystone)

  1. Bug #1850634
  2. Comment #0

Comment 0 for bug 1850634

Revision history for this message
Corey Bryant (corey.bryant) wrote : stable/queens regresion - _dn_to_id() should still be using utf8_encode/utf8_decode in queens

There's a regression in the LDAP common backend code due to a recent stable/queens backport that shouldn't have been backported past stable/rocky.

The following patch shouldn't have been backported to stable/queens:
https://review.opendev.org/#/c/672519/

The reason why is because the following patch, which switched to bytes_mode=False, doesn't exist in stable/queens:
https://review.opendev.org/#/c/613648/
In particular see the changes to _dn_to_id() in https://review.opendev.org/#/c/613648/4/keystone/identity/backends/ldap/common.py.

Those changes didn't happen in stable/queens so _dn_to_id should still be UTF-8 encoding/decoding the appropriate fields. In other words it should still be using the following in stable/queens:

    def _dn_to_id(self, dn):
        # Check if the naming attribute in the DN is the same as keystone's
        # configured 'id' attribute'. If so, extract the ID value from the DN
        if self.id_attr == utf8_decode(
                ldap.dn.str2dn(utf8_encode(dn))[0][0][0].lower()):
            return utf8_decode(ldap.dn.str2dn(utf8_encode(dn))[0][0][1])