unable to login horizon with LDAP

asked 2017-01-22 10:04:11 -0600

ooahjan

Hello,

I have installed RDO Newton on CentOS 7.3 and attempted to enable LDAP in keystone. Typical ldapsearch is successful but not via Horizon. This is an OpenLDAP server, not Active Directory. Did I make a mistake in my configuration?

--------------------------------------------------------
ldapsearch -x -b 'dc=example,dc=com' "uid=testuser"

dn: uid=testuser,ou=people,dc=example,dc=com
cn: Test User
sn: Test User
givenName: Test
uid: testuser
preferredLanguage: en_US
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
homeDirectory: /home/testuser
gecos: Test user
loginShell: /bin/bash
uidNumber: 1101
gidNumber: 1101
displayName: Test user
--------------------------------------------------------


--------------------------------------------------------
keystone.conf

[identity]
driver = ldap

url = ldap://ldap.example.com
user = cn=Manager,dc=example,dc=com
password = ****************
suffix = dc=example,dc=com

user_enabled_emulation = True
user_enabled_emulation_dn = ou=people,dc=example,dc=com

user_tree_dn = ou=people,dc=example,dc=com
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute = userPassword
user_enabled_attribute = enabled

group_tree_dn = ou=ostack,dc=example,dc=com
group_objectclass = posixGroup
group_id_attribute = gidNumber
group_name_attribute = cn
group_member_attribute = memberUid
group_desc_attribute = description
role_allow_create = false
role_allow_update = false
role_allow_delete = false

--------------------------------------------------------

attempts to log in from Horizon

INFO keystone.common.wsgi [req-d56628a6-5bfc-48b8-893d-c306c8764370 - - - - -] POST http://10.10.30.30:5000/v3/auth/tokens
WARNING keystone.auth.plugins.core [req-d56628a6-5bfc-48b8-893d-c306c8764370 - - - - -] User is disabled: testuser
WARNING keystone.common.wsgi [req-d56628a6-5bfc-48b8-893d-c306c8764370 - - - - -] Authorization failed. The request you have made requires authentication. from 10.10.30.30

--------------------------------------------------------


openstack-status

== Nova services ==
openstack-nova-api:                     active
openstack-nova-compute:                 active
openstack-nova-network:                 inactive  (disabled on boot)
openstack-nova-scheduler:               active
openstack-nova-cert:                    active
openstack-nova-conductor:               active
openstack-nova-console:                 inactive  (disabled on boot)
openstack-nova-consoleauth:             active
openstack-nova-xvpvncproxy:             inactive  (disabled on boot)
== Glance services ==
openstack-glance-api:                   active
openstack-glance-registry:              active
== Keystone service ==
openstack-keystone:                     inactive  (disabled on boot)
== Horizon service ==
openstack-dashboard:                    active
== neutron services ==
neutron-server:                         active
neutron-dhcp-agent:                     active
neutron-l3-agent:                       active
neutron-metadata-agent:                 active
neutron-openvswitch-agent:              active
neutron-metering-agent:                 active
== Support services ==
mariadb:                                active
openvswitch:                            active
dbus:                                   active
rabbitmq-server:                        active
memcached:                              active
== Keystone users ==
/usr/bin/openstack-status: line 267: keystone: command not found
== Glance images ==
The request you have made requires authentication. (HTTP 401) (Request-ID: req-aa390d08-1c93-49cc-9a1e-9a3dd99fccef)
== Nova managed services ==
ERROR (Unauthorized): The request you have made requires authentication. (HTTP 401) (Request-ID: req-237f8990-1246-49ef-9371-759e6f3857eb)
== Nova networks ==
ERROR (Unauthorized): The request you have made requires authentication. (HTTP 401) (Request-ID: req-2f536802-2bf7-41cc-b15d-aef1c9458496)
== Nova instance flavors ==
ERROR (Unauthorized): The request you have made requires authentication. (HTTP 401) (Request-ID: req-e4893f5f-d6f2-49cf-b260-2097ccdd2574)
== Nova instances ==
ERROR (Unauthorized): The request you have made requires authentication. (HTTP 401) (Request-ID: req-1a58d5f0-2a1e-4f0f-bb27-7f4d00bd1ad9)

2 answers


answered 2017-12-21 10:13:06 -0600

cdev3

You have to add that user from the LDAP domain as a member of the project you want to log in to.

$ openstack domain list
+----------------------------------+-------------+---------+-----------------------------------------+
| ID                               | Name        | Enabled | Description                             |
+----------------------------------+-------------+---------+-----------------------------------------+
| 2c97596e3dd74f0ab40fdf2f1f0d67e9 | heat        | True    | Owns users and projects created by heat |
| a4dd02708e7d4dbc8c6eba0646371728 | otherdomain | True    | Dedicated MS/AD domain for  testing     |
| default                          | Default     | True    | The default domain                      |
+----------------------------------+-------------+---------+-----------------------------------------+


$ openstack user show testos --domain otherdomain
+-------------+------------------------------------------------------------------+
| Field       | Value                                                            |
+-------------+------------------------------------------------------------------+
| description | User in other domain                                             |
| domain_id   | a4dd02708e7d4dbc8c6eba0646371728                                 |
| email       | Testos@tst.local                                                 |
| enabled     | True                                                             |
| id          | 6d8e05e297d3d6136df8dcd404c5e1cd43ccd557a56453cfb87636c73022c9fa |
| name        | testos                                                           |
+-------------+------------------------------------------------------------------+


$ openstack role list
+----------------------------------+---------------------------+
| ID                               | Name                      |
+----------------------------------+---------------------------+
| 0363e1996c1842b2aa40e158010d84f2 | key-manager:creator       |
...
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_                  |
...
| e7ae3d9624194b6a94bf1e932dea7fdb | testosrole                |
| e9513270253140ec9b58599b53a18381 | designate_admin           |
+----------------------------------+---------------------------+

$ openstack role add --project testproj --user 6d8e05e297d3d6136df8dcd404c5e1cd43ccd557a56453cfb87636c73022c9fa _member_
$ openstack role assignment list --user  6d8e05e297d3d6136df8dcd404c5e1cd43ccd557a56453cfb87636c73022c9fa --domain SUSEL3
+----------------------------------+------------------------------------------------------------------+-------+---------+----------------------------------+-----------+
| Role                             | User                                                             | Group | Project | Domain                           | Inherited |
+----------------------------------+------------------------------------------------------------------+-------+---------+----------------------------------+-----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 6d8e05e297d3d6136df8dcd404c5e1cd43ccd557a56453cfb87636c73022c9fa |       |         | a4dd02708e7d4dbc8c6eba0646371728 | False     |
+----------------------------------+------------------------------------------------------------------+-------+---------+----------------------------------+-----------+

answered 2017-03-10 05:53:34 -0600

Tiago Batista

Hello,

I tried something similar some time ago. If I remember it correctly, there is a configuration key that reverses the way OpenStack interprets the enabled field.

Looking at a part of https://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html:

[ldap]
user_id_attribute      = cn
user_name_attribute    = sn
user_mail_attribute    = mail
user_pass_attribute    = userPassword
user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_invert    = false
user_enabled_default   = 512
user_default_project_id_attribute =
user_additional_attribute_mapping =

group_id_attribute     = cn
group_name_attribute   = ou
group_member_attribute = member
group_desc_attribute   = description
group_additional_attribute_mapping =

Try playing with the value of user_enabled_invert.

I quit my experience when I logged in with an LDAP user but figured out I had no access to any projects. If you figure out how to cross that bridge please tell me!

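As an added illustration (not code from this thread, from Keystone or from the OpenStack docs), the Python below models how the user_enabled_* options quoted in this answer and the user_enabled_emulation* options from the question decide whether an LDAP user counts as enabled. The directory entries, the enabled_users group, the EnabledConfig class and the user_enabled/attr_as_boolean helpers are constructed here; run against the question's settings, the model marks testuser disabled because the emulation DN is the people OU, which lists no members.

```python
from dataclasses import dataclass

@dataclass
class EnabledConfig:
    """[ldap] user_enabled_* options that govern the decision (hypothetical model)."""
    enabled_attribute: str = "enabled"
    enabled_mask: int = 0
    enabled_invert: bool = False
    enabled_default: str = "True"
    emulation: bool = False
    emulation_dn: str = ""
    emulation_member_attribute: str = "member"

def attr_as_boolean(value):
    """RFC 4517 Boolean syntax: only an explicit FALSE (any case) is false."""
    if isinstance(value, bool):
        return value
    return str(value).lower() != "false"

def user_enabled(user_dn, entry, cfg, directory):
    """entry and directory values are attribute -> list of values, as an LDAP search returns them."""
    if cfg.emulation:
        # Emulation ignores the attribute: the user is enabled only if the entry
        # at emulation_dn lists the user's DN in its member attribute.
        group = directory.get(cfg.emulation_dn, {})
        return user_dn in group.get(cfg.emulation_member_attribute, [])
    raw = entry.get(cfg.enabled_attribute, [cfg.enabled_default])[0]
    if cfg.enabled_mask:
        # AD userAccountControl style: disabled when every mask bit is set.
        return (int(raw) & cfg.enabled_mask) != cfg.enabled_mask
    enabled = attr_as_boolean(raw)
    return not enabled if cfg.enabled_invert else enabled

# Constructed directory modelled on the question's ldapsearch output: the user
# entry has no "enabled" attribute and ou=people carries no member attribute.
TESTUSER_DN = "uid=testuser,ou=people,dc=example,dc=com"
ENABLED_GROUP_DN = "cn=enabled_users,ou=groups,dc=example,dc=com"  # hypothetical group
DIRECTORY = {
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    TESTUSER_DN: {"uid": ["testuser"], "objectClass": ["posixAccount"]},
    ENABLED_GROUP_DN: {"objectClass": ["groupOfNames"], "member": [TESTUSER_DN]},
}
# Settings as posted in the question: emulation on, pointed at the people OU.
QUESTION_CFG = EnabledConfig(emulation=True, emulation_dn="ou=people,dc=example,dc=com")
GROUP_CFG = EnabledConfig(emulation=True, emulation_dn=ENABLED_GROUP_DN)  # emulation via a real group
NO_EMULATION_CFG = EnabledConfig()  # missing attribute falls back to user_enabled_default
# AD-style settings from the documentation excerpt quoted in the answer above.
AD_CFG = EnabledConfig(enabled_attribute="userAccountControl", enabled_mask=2, enabled_default="512")
```

Calling user_enabled(TESTUSER_DN, DIRECTORY[TESTUSER_DN], cfg, DIRECTORY) with QUESTION_CFG returns False, and with GROUP_CFG or NO_EMULATION_CFG returns True.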
