Comment 11 for bug 1355489

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/icehouse)

Reviewed: https://review.openstack.org/119578
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=25cbcf5c8ab68c2805d6cf4f2ddaa77ac0f2ca22
Submitter: Jenkins
Branch: stable/icehouse

commit 25cbcf5c8ab68c2805d6cf4f2ddaa77ac0f2ca22
Author: Nathan Kinder <email address hidden>
Date: Fri Sep 5 07:25:21 2014 -0700

    Avoid conversion of binary LDAP values

    A few of the LDAP searches performed in the identity and assignment
    LDAP drivers do not specify the list of attributes to return, which
    causes all attributes present in the LDAP entry to be returned. We
    attempt to convert these values from utf8 to unicode, which fails
    when we encounter a binary value. This patch addresses this problem
    in two ways.

    The first is to only request the attributes that we actually need
    returned from the LDAP server. This avoids potential binary values
    that we do not even need to be concerned with.

    The second thing this patch does is to make our conversion code
    more tolerant by ignoring attributes that contain binary values. If
    a binary value is present, we simply skip over that attribute in
    the conversion and log a debug message. We should not be encountering
    binary values in a typical Keystone deployment, but this gives us
    some protection just in case we do encounter a binary value.

    Conflicts:
            keystone/assignment/backends/ldap.py
            keystone/identity/backends/ldap.py

    Closes-bug: #1355489
    Change-Id: I62325ab9c75bac67cca329fb7bd3c74aea7d2867
    (cherry picked from commit 940551c6bdd1477574c1dee165efe75366343bd7)
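
The two measures the commit message describes, sketched as an added example (this is not the Keystone code from the commit). All names (`WANTED_ATTRS`, `filter_attrs`, `convert_ldap_result`) and the sample entry are constructed for illustration; `filter_attrs` stands in client-side for passing an attribute list to the LDAP search.

```python
import logging

LOG = logging.getLogger(__name__)

# Hypothetical attribute list: only what the caller actually maps to its model.
WANTED_ATTRS = ["cn", "mail", "enabled"]


def utf8_decode(value):
    """Decode one LDAP value to text; raises UnicodeDecodeError on binary data."""
    return value.decode("utf-8") if isinstance(value, bytes) else str(value)


def filter_attrs(entry_attrs, wanted=WANTED_ATTRS):
    """Measure 1: keep only requested attributes (LDAP names are case-insensitive)."""
    wanted_lower = {a.lower() for a in wanted}
    return {k: v for k, v in entry_attrs.items() if k.lower() in wanted_lower}


def convert_ldap_result(results):
    """Measure 2: convert [(dn, {attr: [values]})] to text, skipping binary attrs."""
    converted = []
    for dn, attrs in results:
        text_attrs = {}
        for name, values in attrs.items():
            try:
                text_attrs[name] = [utf8_decode(v) for v in values]
            except UnicodeDecodeError:
                # Drop this attribute only; the rest of the entry stays usable.
                LOG.debug("Skipping attribute %s of %r: binary value", name, dn)
        converted.append((utf8_decode(dn), text_attrs))
    return converted


# Constructed sample: one entry with a JPEG header in jpegPhoto (not valid UTF-8)
# and a non-ASCII surname that is valid UTF-8 and must survive conversion.
SAMPLE = [(b"cn=alice,ou=Users,dc=example,dc=org",
           {"cn": [b"alice"],
            "mail": [b"alice@example.org"],
            "sn": [b"M\xc3\xbcller"],
            "jpegPhoto": [b"\xff\xd8\xff\xe0\x00\x10JFIF"]})]

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(convert_ldap_result(SAMPLE))
    print(filter_attrs(SAMPLE[0][1]))
```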