Can you have local groups and user/pass in LDAP?

asked 2017-07-21 13:34:28 -0500

jamesopst

updated 2017-07-21 13:39:22 -0500

I got through most of my LDAP authentication issues via some good websites and trial and error.

https://ask.openstack.org/en/question...

But I did have one further issue where I couldn't even log in to Horizon as an LDAP user. The error I got was "Unable to retrieve authorized projects."

But when looking into the Keystone logs, I think the issue has to do with Groups, not Projects.

2017-07-21 13:10:42.680 14218 DEBUG keystone.common.controller [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] RBAC: Authorizing identity:list_user_projects(user_id=60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302) _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:80
2017-07-21 13:10:42.681 14218 DEBUG keystone.policy.backends.rules [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] enforce identity:list_user_projects: {'is_delegated_auth': False, 'user_id': u'60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302', 'user_domain_id': u'7af9a28441ab4bb2a265e6b117df12ad', 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=geYmVtoPQ5WjRmN5ugdbnw, audit_chain_id=geYmVtoPQ5WjRmN5ugdbnw) at 0x7fb14fc20530>, 'access_token_id': None, 'trust_id': None} enforce /usr/lib/python2.7/site-packages/keystone/policy/backends/rules.py:76
2017-07-21 13:10:42.681 14218 DEBUG keystone.common.controller [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] RBAC: Authorization granted wrapper /usr/lib/python2.7/site-packages/keystone/common/controller.py:232
2017-07-21 13:10:42.692 14218 DEBUG keystone.identity.backends.ldap.common [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] LDAP init: url=ldap://10.10.10.2,ldap://10.10.10.1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:574
2017-07-21 13:10:42.693 14218 DEBUG keystone.identity.backends.ldap.common [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:578
2017-07-21 13:10:42.693 14218 DEBUG keystone.identity.backends.ldap.common [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] LDAP bind: who=ldapuser@mydom.com simple_bind_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:899
2017-07-21 13:10:42.695 14218 DEBUG keystone.identity.backends.ldap.common [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] LDAP init: url=ldap://10.10.10.2,ldap://10.10.10.1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:574
2017-07-21 13:10:42.696 14218 DEBUG keystone.identity.backends.ldap.common [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:578
2017-07-21 13:10:42.696 14218 DEBUG keystone.identity.backends.ldap.common [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] LDAP bind: who=ldapuser@mydom.com simple_bind_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:899
2017-07-21 13:10:42.696 14218 DEBUG keystone.identity.backends.ldap.common [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] LDAP search: base=ou=Corp,dc=mydom,dc=com scope=2 filterstr=(&(cn=Joe Doe)(memberOf=CN=Openstack Users,OU=Groups,DC=mydom,DC=com)(objectClass=person)) attrs=['', 'cn', 'enabled', 'sAMAccountName', 'mail', 'description'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:934
2017-07-21 13:10:42.697 14218 DEBUG keystone.identity.backends.ldap.common [req-bc958194-5f82-4e8f-86ab-409954b90385 60d734e3f5e6e951883bc12a566dccb25ea0619a6d71736b3d94e8c4b4096302 - - 7af9a28441ab4bb2a265e6b117df12ad -] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/identity/backends ...