
AD/ldap in keystone non-default domain only for users

asked 2017-03-28 17:36:00 -0600


updated 2017-03-30 09:49:04 -0600

Hi, I have a Fuel deployed Liberty environment. I would like to leave the service users in SQL/default domain and just authenticate regular users (not yet created) via my company's Active Directory via LDAP.

I've been trying and trying, trying to make heads or tails of the many slightly different guides out there, and now I can't tell what I should or shouldn't follow.

At this point something is broken to the point that I can't even get to the Horizon UI webpage. I get: "500 Internal Server Error. The server encountered an internal error or misconfiguration and was unable to complete your request."

I can back out all the changes I've made but hope you guys can direct me. There is another similar question asked on this forum but there was no final answer given.

I have /etc/keystone/keystone.conf configured as such:

[identity]
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains
driver = sql
[assignment]
driver = sql

I have /etc/keystone/domains/keystone.companyDOM.conf configured as such:

[identity]
  driver = ldap

[ldap]
  url = ldap://domainCTRLR
  user = CN=DOMuser,CN=sAMAccountName,OU=Corp,DC=companyDOM,DC=com
  password = DOMuserpass
  suffix = DC=companyDOM,DC=com
  objectClass=user
  user_tree_dn = ou=corp,dc=companyDOM,dc=com
  user_id_attribute = sAMAccountName
  user_name_attribute = sAMAccountName

I have /etc/openstack-dashboard/local_settings.py configured as such:

OPENSTACK_API_VERSIONS = {
    "identity": 3
}
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'companyDOM'

I have this ENV set:

declare -x CINDER_ENDPOINT_TYPE="internalURL"
declare -x GLANCE_ENDPOINT_TYPE="internalURL"
declare -x KEYSTONE_ENDPOINT_TYPE="internalURL"
declare -x MURANO_REPO_URL="http://storage.apps.openstack.org/"
declare -x NEUTRON_ENDPOINT_TYPE="internalURL"
declare -x NOVA_ENDPOINT_TYPE="internalURL"
declare -x OS_AUTH_STRATEGY="keystone"
declare -x OS_AUTH_URL="http://192.168.0.2:5000/v3/"
declare -x OS_DEFAULT_DOMAIN="default"
declare -x OS_ENDPOINT_TYPE="internalURL"
declare -x OS_IDENTITY_API_VERSION="3"
declare -x OS_NO_CACHE="true"
declare -x OS_PASSWORD="adminpass"
declare -x OS_PROJECT_DOMAIN_NAME="Default"
declare -x OS_PROJECT_NAME="COMPANYCLOUD"
declare -x OS_REGION_NAME="RegionOne"
declare -x OS_TENANT_NAME="COMPANYCLOUD"
declare -x OS_URL="http://192.168.0.2:35357/v3"
declare -x OS_USERNAME="admin"
declare -x OS_USER_DOMAIN_NAME="Default"

I used "service apache2 restart" to restart keystone.

Furthermore, if I run user list I get the below error:

openstack user list --os-username admin --os-domain-name companyDOM
The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-613ec964-911d-4e94-a727-45c974416d10)

Or sometimes I get:

openstack user list
An unexpected error prevented the server from fulfilling your request: Failed to parse /etc/keystone/domains/keystone.companyDOM.conf: at /etc/keystone/domains/keystone.companyDOM.conf:2, Unexpected continuation line: '  driver = ldap' (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-23eebce2-1df0-42e5-b193-47d5ffa6e139)

The only thing that looks amiss in the keystone logs is:

2017-03-28 18:29:48.560 193672 DEBUG keystone.middleware.core [req-5d903af8-4267-4ed6-b556-307903cf649f - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. process_request /usr/lib/python2.7/dist-packages/keystone/middleware/core.py:310

Please let me know any ideas or what else you need to debug, I will be happy to post more info!
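The "Unexpected continuation line" error quoted above comes from the indented keys in keystone.companyDOM.conf. As an added example (not keystone's or oslo.config's own code), the script below reimplements that parsing rule, dedents the file, and runs two defender checks on the [ldap] section; the sample file is constructed from the question with a placeholder password, and `use_tls` is the standard keystone [ldap] option.

```python
import re
# Constructed sample copied from the question's domain file; the password is a placeholder.
BROKEN_DOMAIN_CONF = """[identity]
  driver = ldap

[ldap]
  url = ldap://domainCTRLR
  user = CN=DOMuser,CN=sAMAccountName,OU=Corp,DC=companyDOM,DC=com
  password = DOMuserpass
"""

def parse_strict(text):
    """Parse INI text with keystone's rule that a whitespace-led line continues the
    previous option's value and is an error when no option precedes it."""
    sections, section, key = {}, None, None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith(("#", ";")):
            continue
        if raw[0] in " \t":
            if key is None:
                raise ValueError(f"line {lineno}: unexpected continuation line {raw!r}")
            sections[section][key] += "\n" + raw.strip()
        elif (header := re.match(r"\[(.+)\]$", raw.strip())):
            section, key = header.group(1), None
            sections.setdefault(section, {})
        elif section is None or "=" not in raw:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        else:
            key, value = [s.strip() for s in raw.split("=", 1)]
            sections[section][key] = value
    return sections

def dedent_conf(text):
    """Strip leading whitespace from every line so each key starts its own option."""
    return "\n".join(line.lstrip() for line in text.splitlines()) + "\n"

def check_domain_conf(text):
    """Return findings: the parse error if any, else defender checks on [ldap]
    (plaintext bind URL without use_tls; bind password kept in the file)."""
    try:
        ldap = parse_strict(text).get("ldap", {})
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if ldap.get("url", "").startswith("ldap://") and ldap.get("use_tls", "").lower() != "true":
        findings.append("bind over plaintext ldap://; use ldaps:// or set use_tls = true")
    if ldap.get("password"):
        findings.append("bind password stored in file; restrict domain_config_dir to the keystone user")
    return findings
```

Running check_domain_conf on the file as posted reproduces the line-2 error; on the dedented file it parses and reports the two hardening findings instead.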


Comments

I've been wondering if this could be because keystone is now using API v3 and all the other components are using v2. Could this be? And if so, how do I approach changing across all components? (Will this break Fuel deployment of nodes in the future?)

jamesopst (2017-04-06 09:34:02 -0600)

1 answer


answered 2017-07-20 15:31:24 -0600


This question was on Liberty. When I tried this in Newton I asked this question again, and eventually answered it too: https://ask.openstack.org/en/question...

It may be possible to use the steps I documented for Newton in Liberty?
