3 files changed, 33 insertions, 3 deletions

diff --git a/.zuul.yaml b/.zuul.yaml
index 9e39b771e..ad02d9a87 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -33,6 +33,14 @@
         USE_PYTHON3: True
 
 - job:
+    name: keystone-dsvm-py3-functional-fips
+    parent: keystone-dsvm-py3-functional
+    nodeset: devstack-single-node-centos-8-stream
+    description: |
+      Functional testing for a FIPS enabled Centos 8 system
+    pre-run: playbooks/enable-fips.yaml
+
+- job:
     name: keystone-dsvm-functional-federation-opensuse15
     parent: keystone-dsvm-functional
     nodeset: devstack-single-node-opensuse-15
@@ -195,7 +203,7 @@
 - project:
     templates:
       - openstack-cover-jobs
-      - openstack-python3-victoria-jobs
+      - openstack-python3-wallaby-jobs
       - publish-openstack-docs-pti
       - periodic-stable-jobs
       - check-requirements
@@ -212,6 +220,9 @@
               - ^etc/.*$
               - ^keystone/tests/unit/.*$
               - ^releasenotes/.*$
+        - keystone-dsvm-py3-functional-fips:
+            voting: false
+            irrelevant-files: *irrelevant-files
         - keystone-dsvm-py3-functional-federation-ubuntu-focal:
             voting: false
             irrelevant-files: *irrelevant-files
diff --git a/keystone/identity/backends/ldap/common.py b/keystone/identity/backends/ldap/common.py
index 4af42de29..1033a4efd 100644
--- a/keystone/identity/backends/ldap/common.py
+++ b/keystone/identity/backends/ldap/common.py
@@ -1401,9 +1401,24 @@ class BaseLdap(object):
                 pass
             else:
                 try:
-                    obj[k] = v[0]
+                    value = v[0]
                 except IndexError:
-                    obj[k] = None
+                    value = None
+
+                # NOTE(xek): Some LDAP servers return bytes data type
+                # We convert it to string here, so that it is consistent with
+                # the other (SQL) backends.
+                # Bytes data type caused issues in the past, because it could
+                # be cached and then passed into str() method to be used as
+                # LDAP filters, which results in an unexpected b'...' prefix.
+                if isinstance(value, bytes):
+                    try:
+                        value = value.decode('utf-8')
+                    except UnicodeDecodeError:
+                        LOG.error("Error decoding value %r (object id %r).",
+                                  value, res[0])
+                        raise
+                obj[k] = value
 
         return obj
 
diff --git a/playbooks/enable-fips.yaml b/playbooks/enable-fips.yaml
new file mode 100644
index 000000000..c8f042dba
--- /dev/null
+++ b/playbooks/enable-fips.yaml
@@ -0,0 +1,4 @@
+- hosts: all
+  tasks:
+    - include_role:
+        name: enable-fips