Attempting to update LDAP user causes internal server error #14

Open
sergio97 opened this issue Sep 5, 2014 · 10 comments

@sergio97

sergio97 commented Sep 5, 2014

This happens as both a user changing their own password and as an admin resetting a user's password. I haven't tested admin updating a user other than password yet, but I bet it's the same. Keystone logs this stacktrace:

2014-09-05 17:57:25.623 445821 ERROR keystone.common.wsgi [-] 'User' object has no attribute 'to_dict'
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 212, in __call__
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi result = method(context, **params)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 239, in set_user_password
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi return self.update_user(context, user_id, user)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 185, in update_user
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi self.identity_api.update_user(user_id, user))
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/notifications.py", line 74, in wrapper
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi result = f(*args, **kwargs)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 189, in wrapper
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 351, in update_user
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi ref = driver.update_user(user_id, user)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 392, in wrapper
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi return method(*args, **kwargs)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/sql.py", line 164, in update_user
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi old_user_dict = user_ref.to_dict()
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi AttributeError: 'User' object has no attribute 'to_dict'
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi
An unexpected error prevented the server from fulfilling your request. (HTTP 500)

The problem is the driver sql calls our _get_user() which returns a user already in dict format because it came from LDAP:
user_ref = self._get_user(session, user_id)
On the line after that it calls:
old_user_dict = user_ref.to_dict()
which causes the problem.
I think the correct solution is to write an update_user() function that then calls update_user() in the LDAP or SQL backend accordingly. Thoughts?

With the normal LDAP driver it returns "You are not authorized to perform the requested action, LDAP user update. (HTTP 403)"

@sergio97 sergio97 changed the title from "Attempting to change LDAP user password with read-only LDAP causes internal server error" to "Attempting to update LDAP user causes internal server error" Sep 5, 2014
@iartarisi
Contributor

I'll take this as a feature request to add support for the update_user operation for LDAP users.

The reason this isn't supported yet is simply that we haven't had a need for it, yet. So we haven't tested it either. (And I actually don't have access to an LDAP server with write access).

I'm tempted to add a simple Not Supported message just to get rid of the 500.
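
The failure described in this issue and the two remedies proposed so far (dispatching `update_user()` by backend, and an explicit refusal instead of the 500), as an added example that is not code from this project. `HybridIdentity`, `SqlUser`, `Forbidden` and the sample users are hypothetical stand-ins.

```python
class Forbidden(Exception):
    """Stand-in for the error the server would map to HTTP 403."""


class SqlUser:
    """Hypothetical SQL model row: an object exposing to_dict()."""
    def __init__(self, **fields):
        self.fields = dict(fields)

    def to_dict(self):
        return dict(self.fields)


class HybridIdentity:
    """Hypothetical hybrid driver: SQL users first, LDAP users as fallback."""
    def __init__(self, sql_users, ldap_users):
        self.sql_users = sql_users    # id -> SqlUser
        self.ldap_users = ldap_users  # id -> plain dict, as the issue describes

    def _get_user(self, user_id):
        # Return type depends on which backend holds the user.
        if user_id in self.sql_users:
            return self.sql_users[user_id]
        return self.ldap_users[user_id]

    def update_user_unpatched(self, user_id, changes):
        # The failing pattern: assumes every user is a SQL model object.
        old_user_dict = self._get_user(user_id).to_dict()
        old_user_dict.update(changes)
        return old_user_dict

    def update_user(self, user_id, changes):
        # Dispatch on the owning backend; refuse LDAP writes explicitly so
        # the caller sees a clear denial instead of an unhandled exception.
        if user_id not in self.sql_users:
            if user_id in self.ldap_users:
                raise Forbidden("LDAP user update is not supported")
            raise KeyError(user_id)
        user = self.sql_users[user_id]
        user.fields.update(changes)
        return user.to_dict()


# Constructed sample data, not taken from the issue.
driver = HybridIdentity(
    sql_users={"sql-1": SqlUser(name="svc-admin", enabled=True)},
    ldap_users={"ldap-1": {"name": "jdoe", "enabled": True}},
)
```

With the explicit refusal, an admin who tries to disable a directory account gets a clear denial and knows the change has to be made in LDAP itself.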

@sergio97
Author

I can implement this once I have time, but it will probably be 6 weeks or so until I do. No worries :) In the meantime, if anyone else is willing to work on this I can help guide you.

@cuongnguyenvan

I also have this problem. Is there a way to fix it?

@sergio97
Author

I haven't written the fix yet. I don't know of anyone else that has.

@cuongnguyenvan

Hi sergio97. Hi everyone. When I show users with "keystone user-list", the result is:
| id | name | enabled | email |
+----------------------------------+------------------------+---------+----------------------------------+
| fecfcaf7f01846b3b2d617b4c0105ed9 | ChungNK | True | [email protected] |
| 922989cb37fb43379fcea6da3c360b89 | bosap196 | True | [email protected] |
The problem is that the column "enabled" always shows True even when it is False. I updated it to False but it still shows True. I don't know why.
I update with "keystone user-update 922989cb37fb43379fcea6da3c360b89 --enabled False", and nothing changes in the result.

@sergio97
Author

cuongnguyenvan, when I try this in my environment I get the same error. This is expected.

@sergio97
Author

If you mean you tried to update an SQL user and it failed, that's a problem!
Using the hybrid driver I am able to disable and enable SQL users with no trouble.

@cuongnguyenvan

I have configured the hybrid driver:
[assignment]
driver=keystone.assignment.backends.sql.Assignment
[identity]
driver=keystone.identity.backends.ldap.Identity

I want to use LDAP for identity, but I cannot seem to update a user to True / False :(

@sergio97
Author

Based on that configuration, you're using the LDAP identity backend, not the hybrid one.
You should ask your question on the OpenStack IRC channel. https://wiki.openstack.org/wiki/IRC

@ctolley

ctolley commented Apr 30, 2015

In a similar issue-
Update against sql user is ok:
# keystone user-update --enabled true ctolley
User has been updated.
Update against ldap user fails:
# keystone user-update --enabled false rtolley
Unable to update user: An unexpected error prevented the server from fulfilling your request. 'User' object has no attribute 'to_dict' (HTTP 500)

Identity is set to hybrid

edit (to add comment)- lookup operations work fine (user-get, user-list)
