can't retrieve users and groups from MS AD with keystone integration

asked 2017-06-26 20:22:23 -0500

edsonh

Hi, I'm new to openstack. I've installed Ocata openstack over CentOS, and it seems to be working. Now I'm trying to configure integration with our internal/standard Directory Service (Microsoft AD, 2003 level). I've tried to follow these links: http://redhat.slides.com/mlopes/integrate-active-directory-with-openstack-keystone#/11 and https://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html. I'm able to log on to the Horizon dashboard with local users and the default domain, but I'm not able to log in with an MS AD related user (because I can't retrieve users/groups from AD in order to grant them rights in the recently created openstack domain). If I invoke "openstack user list --domain <mydomainname>" (the domain configured in a special file under /etc/keystone/domains) it doesn't return anything to me.. same thing with "openstack group list --domain <mydomainname>".

I'm not seeing too many critical alarms in keystone.log:

=====================

2017-06-26 22:03:03.229 13078 INFO keystone.token.persistence.backends.sql [-] Total expired tokens removed: 0
2017-06-26 22:03:16.547 535 INFO keystone.common.wsgi [req-20c076da-ea48-4c0f-a58c-ad900676d407 - - - - -] GET http://dcprd052113:5000/v3/
2017-06-26 22:03:16.561 534 INFO keystone.common.wsgi [req-4d5e9f99-fc59-4ef9-8073-e450f3663c93 - - - - -] POST http://dcprd052113:5000/v3/auth/tokens
2017-06-26 22:03:16.754 535 INFO keystone.common.wsgi [req-5f27825d-b427-42e0-a4b5-a874cef6b92d - - - - -] POST http://dcprd052113:5000/v3/auth/tokens
2017-06-26 22:03:16.949 532 INFO keystone.common.wsgi [req-619b7702-37b7-43e4-bf36-1ad4fecbcfe2 - - - - -] GET http://dcprd052113:35357/v3/
2017-06-26 22:03:17.057 533 INFO keystone.common.wsgi [req-c63a30f3-482a-448b-b4ef-e6461fd2643e 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] GET http://dcprd052113:35357/v3/domains/wegnet
2017-06-26 22:03:17.061 533 WARNING keystone.common.wsgi [req-c63a30f3-482a-448b-b4ef-e6461fd2643e 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] Could not find domain: wegnet.
2017-06-26 22:03:17.200 532 INFO keystone.common.wsgi [req-9eb6211c-1b41-443c-9da5-84f953d1e459 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] GET http://dcprd052113:35357/v3/domains/wegnet
2017-06-26 22:03:17.204 532 WARNING keystone.common.wsgi [req-9eb6211c-1b41-443c-9da5-84f953d1e459 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] Could not find domain: wegnet.
2017-06-26 22:03:17.303 533 INFO keystone.common.wsgi [req-9d9ba15b-1eae-4da7-88c5-222db59f39b4 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] GET http://dcprd052113:35357/v3/domains?name=wegnet
2017-06-26 22:03:17.415 532 INFO keystone.common.wsgi [req-fa45fef2-1fb5-440d-a4c7-453ccaaafbab 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] GET http://dcprd052113:35357/v3/users?domain_id=a1b7a20a645b4f869eaaf17723363a69

========================================

here is my /etc/keystone/domains/keystone.wegnet.conf file:

=======================================

[ldap]
url                  = ldap://brjgs109.weg.net
user                  = "CN=sys-openstack,OU=OPENSTACK,OU=EDSONH,OU=EQUIPE_TECNOLOGIA,OU=AREA DE TESTES,DC=weg,DC=net"
password                 = <user sys-openstack password - strong one>
suffix                   = DC=weg,DC=net
user_tree_dn             = "OU=OPENSTACK,OU=EDSONH,OU=EQUIPE_TECNOLOGIA,OU=AREA DE TESTES,DC=weg,DC=net"
user_objectclass         = IntOrgPerson
user_filter                  = (memberof="CN=GL_OpenStack,OU=OPENSTACK,OU=EDSONH,OU=EQUIPE_TECNOLOGIA,OU=AREA DE TESTES,DC=weg,DC=net")
user_id_attribute        = cn
user_name_attribute      = sn
user_mail_attribute      = mail
user_pass_attribute      = userPassword
user_enabled_attribute   = userAccountControl
user_enabled_mask        = 2
user_enabled_default     = 512
user_attribute_ignore    =
user_allow_create        = False
user_allow_update        = False
user_allow_delete        = False
group_objectclass        = groupOfNames
group_tree_dn            = "OU=OPENSTACK,OU=EDSONH,OU=EQUIPE_TECNOLOGIA,OU=AREA DE TESTES,DC=weg,DC=net"
group_filter             = (CN=GL_OpenStack)
group_id_attribute       = cn
group_name_attribute     = ou
group_member_attribute   = member ...

Comments

How did you enable the LDAP domain? Try keystone-manage domain_config_upload --domain-name wegnet (deprecated)

eblock (2017-06-27 02:02:18 -0500)

1 answer


answered 2017-06-27 06:34:02 -0500

edsonh

updated 2017-06-28 14:07:16 -0500

Hi, @eblock, I did not. Thanks for the command. In fact, I've just done as you recommended, and it was a trick.. it doesn't recognize some options inside the specific domain file - I saw that in keystone.log (so I've commented out the options it complained about inside the file, and it goes..), now I'm at another step of trouble..

[root@dcprd052113 ~(keystone_admin)]# openstack user list --domain wegnet

An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-16832861-f728-4632-a641-28fd9d421e6a)

And also, after I restart httpd, I'm not able to log in as the normal admin user in the default domain..

2017-06-27 08:43:08.104 31685 ERROR keystone.common.wsgi     opt_info['opt'], override, enforce_type)
2017-06-27 08:43:08.104 31685 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2616, in _get_enforced_type_value
2017-06-27 08:43:08.104 31685 ERROR keystone.common.wsgi     converted = self._convert_value(value, opt)
2017-06-27 08:43:08.104 31685 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2901, in _convert_value
2017-06-27 08:43:08.104 31685 ERROR keystone.common.wsgi     return opt.type(value)
2017-06-27 08:43:08.104 31685 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/oslo_config/types.py", line 235, in __call__
2017-06-27 08:43:08.104 31685 ERROR keystone.common.wsgi     raise ValueError('Unexpected boolean value %r' % value)
2017-06-27 08:43:08.104 31685 ERROR keystone.common.wsgi ValueError: Unexpected boolean value u''
2017-06-27 08:43:08.104 31685 ERROR keystone.common.wsgi

@eblock: Here is the keystone.conf (command: egrep -ve "^#|^$" /etc/keystone/keystone.conf)

[DEFAULT]
admin_token = ca5b331a738746b2940a5e3109699e73
log_dir = /var/log/keystone
rpc_backend = rabbit
public_bind_host=0.0.0.0
admin_bind_host=0.0.0.0
public_port=5000
admin_port=35357
[assignment]
[auth]
[cache]
[catalog]
template_file = /etc/keystone/default_catalog.templates
driver = sql
[cors]
[cors.subdomain]
[credential]
key_repository = /etc/keystone/credential-keys/
[database]
connection = mysql+pymysql://keystone_admin:<xyzpassword>@127.0.0.1/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
admin_workers=2
public_workers=2
[federation]
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys
max_active_keys = 20
[healthcheck]
[identity]
domain_specific_drivers_enabled = true
domain_configurations_from_database = true
domain_config_dir = /etc/keystone/domains
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
expiration = 3600
provider = fernet
driver = sql
revoke_by_id = True
[tokenless_auth]
[trust]
[ssl]
enable = False

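An added sanity check for the two failure modes this answer runs into, written for this page (it is not the poster's code and not part of keystone): an empty value for a boolean option in the domain-specific [ldap] config is rejected by oslo.config with exactly the "Unexpected boolean value u''" traceback shown above, and with user_enabled_attribute = userAccountControl and user_enabled_mask = 2 keystone decides enabled/disabled by a bit test on Active Directory's userAccountControl. The list of boolean options in BOOL_OPTS is an assumption taken from the keystone [ldap] options I know of; check it against keystone/conf/ldap.py for your release. The sample config is constructed to resemble keystone.wegnet.conf and is not the poster's file.

```python
"""Offline checks for a keystone domain-specific [ldap] config (added example)."""
import configparser

# Assumption: keystone [ldap] options that oslo.config types as booleans.
# Verify against keystone/conf/ldap.py of the installed release.
BOOL_OPTS = {
    "user_allow_create", "user_allow_update", "user_allow_delete",
    "group_allow_create", "group_allow_update", "group_allow_delete",
    "use_tls", "use_pool", "use_auth_pool", "chase_referrals",
    "user_enabled_invert", "user_enabled_emulation",
}
# Spellings oslo.config accepts for a boolean option.
TRUE_WORDS = {"true", "1", "yes", "on"}
FALSE_WORDS = {"false", "0", "no", "off"}

# Constructed sample (not the poster's file): one boolean option left empty,
# which oslo.config rejects, and one list option left empty, which is fine.
SAMPLE_CONF = """\
[ldap]
url                    = ldap://brjgs109.weg.net
user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
user_attribute_ignore  =
user_allow_create      = False
user_allow_update      =
user_allow_delete      = False
"""


def parse_domain_conf(text):
    """Parse an INI-style domain config into {section: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def find_bad_bool_values(conf):
    """Return [(option, value)] for boolean [ldap] options whose value
    oslo.config cannot convert (empty string included)."""
    bad = []
    for opt, val in conf.get("ldap", {}).items():
        if opt in BOOL_OPTS and val.strip().lower() not in TRUE_WORDS | FALSE_WORDS:
            bad.append((opt, val))
    return bad


def ad_account_enabled(user_account_control, mask=2):
    """Mirror keystone's user_enabled_mask test: the account is enabled unless
    every bit in the mask is set. AD's ACCOUNTDISABLE flag is 0x2, so mask=2
    matches the config in the question."""
    return (int(user_account_control) & mask) != mask


if __name__ == "__main__":
    conf = parse_domain_conf(SAMPLE_CONF)
    for opt, val in find_bad_bool_values(conf):
        print("boolean option %s has unusable value %r" % (opt, val))
    for uac in (512, 514, 66050):
        print("userAccountControl=%d -> enabled=%s" % (uac, ad_account_enabled(uac)))
```

Run it against your own file with parse_domain_conf(open("/etc/keystone/domains/keystone.wegnet.conf").read()) before uploading: an option that fails here is rejected when keystone reads the uploaded config, which is why the error then shows up on every request, not only on LDAP lookups. A userAccountControl of 514 (NORMAL_ACCOUNT plus ACCOUNTDISABLE) reads as disabled under this mask, 512 as enabled.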

Comments

Could you paste the whole keystone.conf?

control1:~ #  egrep -ve "^#|^$" /etc/keystone/keystone.conf
eblock (2017-06-28 02:59:31 -0500)

Hi, I've put it in.. (don't know why this thread doesn't let me create more than one answer..)..

edsonh (2017-06-28 14:08:21 -0500)

Also, if I disable domain_specific_drivers_enabled, I'm able to log in again with the normal local openstack users..

edsonh (2017-06-28 14:09:38 -0500)

I have a Mitaka environment, the configs are probably not the same, but I additionally set these values:

[assignment]
driver = sql
[identity]
driver = sql
[resource]
driver = sql
[revoke]
driver = sql
[role]
driver = sql
eblock (2017-06-29 03:09:37 -0500)

AFAIK, you don't need to answer your own question, you can just edit your question. I'm not sure if you need all of these options I set, but they work for me, so I won't change them ;-)

eblock (2017-06-29 03:11:34 -0500)
