Hello

I ran into the same errors. It seems like the documentation is there, but for a novice user it's hard to overcome the obvious problems.

I assume you have preconfigured the user, so in the SQL database the users have been entered with the user ID, not the name. With that in mind, you see that the users you try to log in with have no rights. The service users have no rights either.

There are two solutions to this:

1. Recreate all the users, even the service users, with admin_token
2. Create users and apply the correct user IDs in Active Directory

But first you should decouple the username from the user ID. Change the following in your configuration:

user_name_attribute = cn

to

user_name_attribute = sAMAccountName

Like this, you can use the normal login name as in Active Directory.

Now, if you want to recreate all the users, you have to use the admin token.

Look at http://docs.openstack.org/liberty/install-guide-rdo/keystone-services.html

Configure ADMIN_TOKEN in /etc/keystone/keystone.conf and use the export commands:

export OS_TOKEN=294a4c8a8a475f9b9836
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

(Keep in mind, you shouldn't run the source command before, just open a new session to be sure)

Then you can recreate all the service users.

But if you want to do it the easier way, just change the CN of your service users in Active Directory.

Use MySQL on the Keystone database to get all the IDs of the users:

mysql -uroot
use keystone;
select id, name from user;

After changing the CN, restart Keystone by using service apache2 restart. Then you should be able to use LDAP login.

Hope this helps someone else, as I needed hours to solve this problem.

Regards: Daniel
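
Added example (not part of the original answer, and not Keystone code): a dry-run check of which Active Directory entries need their CN changed so that the IDs returned by the select id, name from user; query still match. It assumes user_id_attribute = cn in the [ldap] section of keystone.conf, which the answer implies but does not show; the function name and all sample rows are constructed.

```python
# Added example; all rows below are constructed, not taken from a real deployment.
# Assumption: keystone.conf [ldap] has user_id_attribute = cn (so the CN is the
# Keystone user ID) and user_name_attribute = sAMAccountName.

def plan_cn_changes(sql_users, ad_entries):
    """Compare `select id, name from user;` rows with AD entries.

    sql_users:  list of (id, name) tuples from the Keystone SQL user table.
    ad_entries: list of dicts with 'cn' and 'sAMAccountName'.
    Returns a list of (name, action, detail) tuples.
    """
    # sAMAccountName is matched case-insensitively, as AD does.
    by_login = {e["sAMAccountName"].casefold(): e for e in ad_entries}
    cns_in_use = {e["cn"] for e in ad_entries}
    plan = []
    for user_id, name in sql_users:
        entry = by_login.get(name.casefold())
        if entry is None:
            # No AD account: this SQL user cannot log in through LDAP at all.
            plan.append((name, "missing", "no AD entry with this sAMAccountName"))
        elif entry["cn"] == user_id:
            # IDs compared exactly: existing role assignments reference this string.
            plan.append((name, "ok", user_id))
        elif user_id in cns_in_use:
            # Another AD object already carries the needed CN.
            plan.append((name, "conflict", f"CN {user_id} already used"))
        else:
            plan.append((name, "set-cn", f"{entry['cn']} -> {user_id}"))
    return plan


# Constructed sample data.
SQL_USERS = [
    ("0f3c9a1d2b4e4c6f8a7b1c2d3e4f5a6b", "nova"),
    ("7a1e5d9c3b2f4e8d9c0b1a2f3e4d5c6b", "glance"),
    ("c4d5e6f7a8b94c0d8e1f2a3b4c5d6e7f", "neutron"),
    ("9b8a7c6d5e4f4a3b2c1d0e9f8a7b6c5d", "demo"),
]
AD_ENTRIES = [
    {"cn": "0f3c9a1d2b4e4c6f8a7b1c2d3e4f5a6b", "sAMAccountName": "nova"},
    {"cn": "Glance Service", "sAMAccountName": "Glance"},
    {"cn": "Neutron Service", "sAMAccountName": "neutron"},
    {"cn": "c4d5e6f7a8b94c0d8e1f2a3b4c5d6e7f", "sAMAccountName": "old-neutron"},
]

if __name__ == "__main__":
    for name, action, detail in plan_cn_changes(SQL_USERS, AD_ENTRIES):
        print(f"{name:10} {action:9} {detail}")
```
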
