A few of the LDAP searches performed in the identity and assignment
LDAP drivers do not specify the list of attributes to return, which
causes all attributes present in the LDAP entry to be returned. We
attempt to convert these values from utf8 to unicode, which fails
when we encounter a binary value. This patch addresses this problem
in two ways.

The first is to only request the attributes that we actually need
returned from the LDAP server. This avoids potential binary values
that we do not even need to be concerned with.

The second thing this patch does is to make our conversion code
more tolerant by ignoring attributes that contain binary values. If
a binary value is present, we simply skip over that attribute in
the conversion and log a debug message. We should not be encountering
binary values in a typical Keystone deployment, but this gives us
some protection just in case we do encounter a binary value.
Reviewed: https://review.openstack.org/119578
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=25cbcf5c8ab68c2805d6cf4f2ddaa77ac0f2ca22
Submitter: Jenkins
Branch: stable/icehouse
commit 25cbcf5c8ab68c2805d6cf4f2ddaa77ac0f2ca22
Author: Nathan Kinder <email address hidden>
Date: Fri Sep 5 07:25:21 2014 -0700
Avoid conversion of binary LDAP values

A few of the LDAP searches performed in the identity and assignment
LDAP drivers do not specify the list of attributes to return, which
causes all attributes present in the LDAP entry to be returned. We
attempt to convert these values from utf8 to unicode, which fails
when we encounter a binary value. This patch addresses this problem
in two ways.

The first is to only request the attributes that we actually need
returned from the LDAP server. This avoids potential binary values
that we do not even need to be concerned with.

The second thing this patch does is to make our conversion code
more tolerant by ignoring attributes that contain binary values. If
a binary value is present, we simply skip over that attribute in
the conversion and log a debug message. We should not be encountering
binary values in a typical Keystone deployment, but this gives us
some protection just in case we do encounter a binary value.

Conflicts:
    keystone/assignment/backends/ldap.py
    keystone/identity/backends/ldap.py

Closes-bug: #1355489
Change-Id: I62325ab9c75bac67cca329fb7bd3c74aea7d2867
(cherry picked from commit 940551c6bdd1477574c1dee165efe75366343bd7)
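
The two measures described in the commit message above, shown as an added Python 3 example that is not Keystone's code: a search restricted to the needed attributes never receives the binary value, and a tolerant conversion drops it when a broad search does return it. `SAMPLE_ENTRY`, `fake_search` and `convert_ldap_result` are hypothetical names, the entry is constructed, and `fake_search` stands in for a real LDAP search so the example runs offline.

```python
import logging

LOG = logging.getLogger(__name__)

# Constructed sample entry in python-ldap's result shape: (dn, {attr: [bytes]}).
# jpegPhoto starts with JPEG magic bytes, which are not valid UTF-8.
SAMPLE_ENTRY = (
    "cn=alice,ou=Users,dc=example,dc=org",
    {
        "cn": [b"alice"],
        "mail": [b"alice@example.org"],
        "sn": [b"M\xc3\xbcller"],
        "jpegPhoto": [b"\xff\xd8\xff\xe0\x00\x10JFIF"],
    },
)


def fake_search(attrlist=None):
    """Stand-in for an LDAP search: no attrlist means every attribute."""
    dn, attrs = SAMPLE_ENTRY
    if attrlist is None:
        return [(dn, dict(attrs))]
    wanted = {a.lower() for a in attrlist}
    return [(dn, {k: v for k, v in attrs.items() if k.lower() in wanted})]


def convert_ldap_result(ldap_result):
    """Decode values from UTF-8, dropping any attribute that is not text."""
    converted = []
    for dn, attrs in ldap_result:
        text_attrs = {}
        for name, values in attrs.items():
            try:
                text_attrs[name] = [v.decode("utf-8") for v in values]
            except UnicodeDecodeError:
                # Skip the whole attribute; never return it half-converted.
                LOG.debug("Skipping binary attribute %s on %s", name, dn)
        converted.append((dn, text_attrs))
    return converted


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(convert_ldap_result(fake_search(["cn", "mail", "sn"])))  # narrow search
    print(convert_ldap_result(fake_search()))  # broad search, tolerant decode
```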