Fix issue with LDAP backend returning bytes instead of string

When connecting to some LDAP server software, the ldap client returns
bytes instances instead of the expected strings. This can result in
either being transparently converted to strings, when the data is
inserted via sqlalchemy into the database, or could be used as
input to other functions, and/or cached, which causes unexpected
results.

Closes-Bug: #1952458
Resolves: rhbz#1964872
Change-Id: I77148641715efe09e3adc2e9432e66e50fb444b4
(cherry picked from commit 1e0cd90191663c100c165d4c6a2b1ca796b5af25)

1 files changed, 17 insertions, 2 deletions

diff --git a/keystone/identity/backends/ldap/common.py b/keystone/identity/backends/ldap/common.py
index d4cdda845..dc6a0010b 100644
--- a/keystone/identity/backends/ldap/common.py
+++ b/keystone/identity/backends/ldap/common.py
@@ -1400,9 +1400,24 @@ class BaseLdap(object):
                 pass
             else:
                 try:
-                    obj[k] = v[0]
+                    value = v[0]
                 except IndexError:
-                    obj[k] = None
+                    value = None
+
+                # NOTE(xek): Some LDAP servers return bytes data type
+                # We convert it to string here, so that it is consistent with
+                # the other (SQL) backends.
+                # Bytes data type caused issues in the past, because it could
+                # be cached and then passed into str() method to be used as
+                # LDAP filters, which results in an unexpected b'...' prefix.
+                if isinstance(value, bytes):
+                    try:
+                        value = value.decode('utf-8')
+                    except UnicodeDecodeError:
+                        LOG.error("Error decoding value %r (object id %r).",
+                                  value, res[0])
+                        raise
+                obj[k] = value
 
         return obj