Keystone: domain_specific_drivers_enabled not working with LDAP

asked 2017-07-20 13:46:37 -0500

azurepancake

updated 2017-07-20 14:55:56 -0500

Hi,

I am running OpenStack Ocata provisioned using RDO Packstack.

I currently have Keystone configured to use a single identity backend which is LDAP. Everything works great with this configuration except Heat and Magnum. Through some troubleshooting, it appears the problem is that these services operate within their own domains ("heat" and "magnum" respectively). This results in errors like the below (in keystone.log) when trying to build a cluster with Magnum:

2017-07-20 11:12:22.509 7494 ERROR magnum.conductor.handlers.common.trust_manager Failed to create trustee and trust for Cluster
2017-07-20 11:12:22.509 7494 ERROR magnum.conductor.handlers.common.trust_manager NotFound: Could not find domain: f950f5d49d8f4acba4790113580a956f. (HTTP 404)

I also caught the below as well:

2017-07-20 10:32:24.122 20553 WARNING keystone.identity.core Found multiple domains being mapped to a driver that does not support that (e.g. LDAP)
2017-07-20 10:32:24.122 20553 WARNING keystone.common.wsgi Could not find domain: f950f5d49d8f4acba4790113580a956f.

The domain does indeed exist:

# openstack domain list
90a99943256b4a22a5c51352d428a7e5 | heat    | True                        
default                          | Default | True    | The default domain 
f950f5d49d8f4acba4790113580a956f | magnum  | True

So through some research, I found that I can configure the below settings in keystone.conf:

[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

And then migrate my entire "[ldap]" configuration as /etc/keystone/domains/keystone.Default.conf.

I then restart httpd and attempt to list domains:

# openstack domain list
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-9d64587c-8bda-401b-83df-a0c166ea629b)

If I look up that request ID in the log:

2017-07-20 14:36:46.828 2621 DEBUG keystone.middleware.auth [req-9d64587c-8bda-401b-83df-a0c166ea629b - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. fill_context /usr/lib/python2.7/site-packages/keystone/middleware/auth.py:188
2017-07-20 14:36:46.829 2621 INFO keystone.common.wsgi [req-9d64587c-8bda-401b-83df-a0c166ea629b - - - - -] POST http://10.11.184.50:5000/v3/auth/tokens
2017-07-20 14:36:46.848 2621 WARNING keystone.common.wsgi [req-9d64587c-8bda-401b-83df-a0c166ea629b - - - - -] An unexpected error prevented the server from fulfilling your request.

I can't seem to find any other interesting errors in keystone.log.

If I remove the "domain_specific_drivers_enabled" and "domain_config_dir" options from keystone.conf (with my "[ldap]" configurations removed as well), I can then successfully authenticate using MySQL for identity.

I'm at a total loss on what may be wrong. Would anyone be able to point me in the right direction? Also, would anyone be able to explain why Heat and Magnum require their own domains, and can't just use the "Default" domain like all the other services?
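An added example (my own Python, not code from the question or from Keystone) that sanity-checks the layout described above: the [identity] settings in keystone.conf plus the files under domain_config_dir. It assumes Keystone only loads files named keystone.<domain name>.conf and that a domain file must carry its own [identity] driver line; all file names, URLs and contents below are constructed for illustration.

```python
import configparser
import re

# Constructed sample input: keystone.conf's [identity] section and a domain
# config directory modelled as {filename: contents}. keystone.Default.conf
# deliberately has an [ldap] section but no [identity] driver line.
KEYSTONE_CONF = """
[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
"""
DOMAIN_FILES = {
    "keystone.Default.conf": "[ldap]\nurl = ldap://ldap.example.test\n"
                             "suffix = dc=example,dc=test\n",
    "keystone.magnum.conf": "[identity]\ndriver = sql\n",
    "ldap-backup.conf": "[ldap]\nurl = ldap://old.example.test\n",
}
# Only files of this shape are picked up as domain-specific configs.
FILENAME_RE = re.compile(r"^keystone\.(?P<domain>.+)\.conf$")


def check_domain_configs(keystone_conf, domain_files):
    """Return a list of findings about a domain-specific driver layout."""
    findings = []
    main = configparser.ConfigParser()
    main.read_string(keystone_conf)
    if not main.getboolean("identity", "domain_specific_drivers_enabled",
                           fallback=False):
        findings.append("keystone.conf: domain_specific_drivers_enabled is not True")
    if not main.get("identity", "domain_config_dir", fallback=""):
        findings.append("keystone.conf: domain_config_dir is not set")
    for name, text in sorted(domain_files.items()):
        m = FILENAME_RE.match(name)
        if not m:
            findings.append(f"{name}: ignored by keystone, expected keystone.<domain>.conf")
            continue
        cfg = configparser.ConfigParser()
        cfg.read_string(text)
        driver = cfg.get("identity", "driver", fallback=None)
        if driver is None:
            # Without this line the domain falls back to the default driver.
            findings.append(f"{name}: no [identity] driver set for domain '{m['domain']}'")
        elif driver == "ldap" and not cfg.get("ldap", "url", fallback=None):
            findings.append(f"{name}: driver is ldap but [ldap] url is missing")
    return findings


for line in check_domain_configs(KEYSTONE_CONF, DOMAIN_FILES):
    print(line)
```

Run it against a copy of your real keystone.conf and domain directory (read the files into the same dict shape) to see which of the three conditions your setup trips.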
