
authentication with LDAP error

asked 2017-07-08 19:16:59 -0500 by daniel hernandez, updated 2017-07-08 20:45:07 -0500

Hi there,

I have configured Mitaka with LDAP authentication, but I get the error below after the command "openstack user list --domain DANNISIS":

An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-2aa61594-7b95-4bc0-b7d1-bb2231f8fa26)

I checked my Windows AD server with a tool, and it is OK. In keystone.log the first error detected is:

WARNING keystone.common.wsgi Could not find domain: DANNISIS

I attached the configuration file; please give me some suggestions. I browsed several pages but did not find any workaround. (Attached screenshot: remote accesso to AD.JPG)

My keystone_DANNISIS_conf is:

url                      = ldaps://
user                     = CN=svc-ldap,CN=Users,DC=dannisis,DC=com
password                 = Asdewq1@3
suffix                   = DC=dannisis,DC=com
user_tree_dn             = CN=Users,DC=dannisis,DC=com
user_objectclass         = person
user_filter              = (memberOf=cn=grp-openstack,CN=Users,DC=dannisis,DC=com)
user_id_attribute        = sAMAccountName
user_name_attribute      = sAMAccountName
user_mail_attribute      = mail
user_pass_attribute      =
user_enabled_attribute   = userAccountControl
user_enabled_mask        = 2
user_enabled_default     = 512
user_attribute_ignore    = password,tenant_id,tenants
user_allow_create        = False
user_allow_update        = False
user_allow_delete        = False
use_tls                  = False
tls_cacertfile           = /etc/ssl/certs/MyCertificate.crt
query_scope              = sub
chase_referrals          = false
driver                   = keystone.identity.backends.ldap.Identity

thanks in advance



The file needs to be named keystone.DANNISIS.conf (dots, not underscores) and needs to reside in the configured domain_config_dir.

AFAIK you need to create the domain as well: openstack domain create DANNISIS.

Bernd Bausch (2017-07-08 20:55:24 -0500)

An easy to read intro at IBM:

Bernd Bausch (2017-07-08 20:56:51 -0500)

Hi Bernd, neither of them is the issue. I configured it with dots; the dots were changed during the FTP transfer. Below are my config path and file:

/etc/keystone/domains

[root@controller domains]# openstack domain list
509c............ | DANNISIS | True

daniel hernandez (2017-07-08 23:49:56 -0500)

This makes me think that the error "WARNING keystone.common.wsgi Could not find domain: DANNISIS" is not related to your problem. Can you check the timestamp?

Indeed, we should expect "no such domain" instead of an http 500. Something else must be the matter.

Bernd Bausch (2017-07-09 02:21:30 -0500)

A suspicion: The screenshot shows the server name as ladp instead of ldap. Where is the name used, in the certificate perhaps? I guess Keystone doesn't get access.

Bernd Bausch (2017-07-09 02:27:09 -0500)

1 answer


answered 2017-07-10 02:22:23 -0500 by daniel hernandez

I was able to log in with an AD user after deploying an AD certification authority and generating a new certificate (*.cer), exporting the new certificate to the controller node, and editing /etc/openldap/ldap.conf with the path for the *.crt certificate: TLS_CACERTDIR /etc/ssl/certs

Also, users from my AD server can log in with their domain in the Dashboard.

Thanks Bernd for your suggestion and the easy-to-read intro at IBM:

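Added example, not code from this thread, from Keystone or from IBM: a POSIX shell lint that checks a per-domain LDAP config for the points raised above before the LDAPS server is blamed. It checks the keystone.<DOMAIN>.conf filename (dots, not underscores), that ldaps:// and use_tls are not combined (use_tls means StartTLS on a plain ldap:// connection, and Keystone rejects the mix as "Invalid TLS / LDAPS combination"), that a CA file exists for verifying the server certificate, that tls_req_cert still demands a valid certificate, and that a file holding a bind password is not world-readable. The sample file it writes is constructed from the question's config with the password redacted and [ldap]/[identity] section headers added; the libldap config paths /etc/openldap/ldap.conf and /etc/ldap/ldap.conf and the "demand" default for tls_req_cert are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lint a Keystone per-domain LDAP config.
# Assumed: /etc/openldap/ldap.conf or /etc/ldap/ldap.conf is libldap's own
# config, and "demand" is Keystone's default for tls_req_cert.
set -u

# conf_get FILE KEY: value of "KEY = value" in an INI-style file, empty if absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# lint_domain_config FILE: return 0 if FILE passes every check, 1 otherwise.
lint_domain_config() {
    f=$1
    rc=0
    # Keystone only loads keystone.<DOMAIN>.conf from domain_config_dir; a file
    # named keystone_DANNISIS_conf is skipped and the domain keeps the default backend.
    case "$(basename "$f")" in
        keystone.?*.conf) ;;
        *) echo "FAIL name: $(basename "$f") is not keystone.<DOMAIN>.conf"; rc=1 ;;
    esac
    url=$(conf_get "$f" url)
    use_tls=$(conf_get "$f" use_tls | tr 'A-Z' 'a-z')
    case "$url" in
        ldaps://?*)
            # use_tls is StartTLS over ldap://; with ldaps:// the session is already TLS.
            if [ "$use_tls" = "true" ]; then echo "FAIL tls: use_tls=True together with an ldaps:// URL"; rc=1; fi
            encrypted=1 ;;
        ldap://?*)
            if [ "$use_tls" = "true" ]; then encrypted=1; else
                echo "FAIL tls: plain ldap:// without use_tls sends the bind password in clear"; rc=1; encrypted=0
            fi ;;
        *) echo "FAIL url: '$url' has no scheme or no host"; rc=1; encrypted=0 ;;
    esac
    if [ "$encrypted" = 1 ]; then
        # The AD CA must be trusted either via tls_cacertfile or via libldap's ldap.conf.
        cacert=$(conf_get "$f" tls_cacertfile)
        if [ -n "$cacert" ]; then
            [ -r "$cacert" ] || { echo "FAIL ca: tls_cacertfile $cacert is not readable"; rc=1; }
        elif ! grep -qs '^[[:space:]]*TLS_CACERT' /etc/openldap/ldap.conf /etc/ldap/ldap.conf; then
            echo "FAIL ca: no tls_cacertfile and no TLS_CACERT/TLS_CACERTDIR in the system ldap.conf"; rc=1
        fi
        # Anything but "demand" lets a forged or mismatched server certificate through.
        reqcert=$(conf_get "$f" tls_req_cert | tr 'A-Z' 'a-z')
        case "${reqcert:-demand}" in
            demand) ;;
            *) echo "FAIL ca: tls_req_cert=$reqcert accepts an unverified server certificate"; rc=1 ;;
        esac
    fi
    # The file carries the bind password in clear, so it must not be world-readable.
    if [ -n "$(conf_get "$f" password)" ] && find "$f" -perm -004 | grep -q .; then
        echo "FAIL perm: $f holds the bind password but is world-readable"; rc=1
    fi
    return $rc
}

# write_sample DIR NAME URL USE_TLS REQCERT: write a constructed domain config
# modelled on the one in the question (password redacted) and print its path.
write_sample() {
    path="$1/$2"
    ca="$1/ad-root-ca.crt"
    : >"$ca"    # placeholder standing in for the exported AD CA certificate
    cat >"$path" <<EOF
[ldap]
url                    = $3
user                   = CN=svc-ldap,CN=Users,DC=dannisis,DC=com
password               = REDACTED
suffix                 = DC=dannisis,DC=com
user_tree_dn           = CN=Users,DC=dannisis,DC=com
user_objectclass       = person
user_filter            = (memberOf=cn=grp-openstack,CN=Users,DC=dannisis,DC=com)
user_id_attribute      = sAMAccountName
user_name_attribute    = sAMAccountName
user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
user_allow_create      = False
user_allow_update      = False
user_allow_delete      = False
use_tls                = $4
tls_cacertfile         = $ca
tls_req_cert           = $5
chase_referrals        = false

[identity]
driver                 = ldap
EOF
    chmod 600 "$path"
    echo "$path"
}

# Stand-alone demo: one file as it should be, one with the filename and URL as posted.
tmp=$(mktemp -d)
good=$(write_sample "$tmp" keystone.DANNISIS.conf ldaps://ldap.dannisis.com False demand)
bad=$(write_sample "$tmp" keystone_DANNISIS_conf ldaps:// False never)
chmod 644 "$bad"
for f in "$good" "$bad"; do
    if lint_domain_config "$f"; then echo "OK   $f"; else echo "BAD  $f"; fi
done
```

The lint cannot see the server certificate, which is where Bernd's "ladp" versus "ldap" suspicion bites: the name in url must match the CN or a SAN in the certificate the AD server presents, or libldap rejects it under tls_req_cert=demand and Keystone reports the failure as an HTTP 500. Confirm that separately with openssl s_client -connect host:636 -CAfile ca.crt and read its "Verify return code" line, using the same hostname that appears in url.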
