LDAP authentication on Liberty only working partially

asked 2017-07-27 14:10:05 -0500

updated 2017-07-28 13:32:53 -0500

Please offer some advice on what/where to look next. (This is on Liberty.)

I got LDAP authentication working well on our Newton environment https://ask.openstack.org/en/question...

Now when I reproduce the exact same settings on our Liberty environment I see it only partially work. Once everything is configured I use "openstack user list --domain mydom" to see my LDAP users and to indicate my configuration is pretty much correct.

When I run that command 2 times it returns nothing. The 3rd time it returns the users. So every 3 times I get the users.

The strange thing is, when the command is successful admin.log will show "WARNING keystone.common.wsgi Could not find domain: mydom"!!! When the command isn't successful the logging doesn't show anything.

Using the LDAP tool ldapsearch I can get info from the LDAP server every single time.

The kicker is I think something is wrong with keystone logging. I can't figure out what, but keystone.log is months old and the only files updating are admin.log and main.log.

Thanks!

UPDATE:

Here are log snippets from running the command 3 different times. It looks to me like the same command line is calling 3 different commands under the hood!!? Any ideas how come?

openstack user list --domain mydom (1st time: see Authorizing identity:list_domains())

2017-07-28 13:31:57.748 100836 DEBUG dogpile.core.dogpile [req-c650ebca-a84a-4143-8547-aa91e05b67af - - - - -] Released creation lock _enter_create /usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py:154
2017-07-28 13:31:57.751 100836 DEBUG keystone.middleware.core [req-c650ebca-a84a-4143-8547-aa91e05b67af - - - - -] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'19d9fea8ad7744779ba2c81e1ad36e76', 'roles': [u'_member_', u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=wrlWmmRlRmKk2xkN1p1KfA, audit_chain_id=wrlWmmRlRmKk2xkN1p1KfA) at 0x7f04b5c60d08>, 'project_id': u'fcff98f1c7a34a86be56c0a3d069c280', 'trust_id': None} process_request /usr/lib/python2.7/dist-packages/keystone/middleware/core.py:314
2017-07-28 13:31:57.754 100836 INFO keystone.common.wsgi [req-c650ebca-a84a-4143-8547-aa91e05b67af - - - - -] GET http://192.168.0.2:35357/v3/domains?name=mydom
2017-07-28 13:31:57.754 100836 DEBUG keystone.common.controller [req-c650ebca-a84a-4143-8547-aa91e05b67af - - - - -] RBAC: Authorizing identity:list_domains() _build_policy_check_credentials /usr/lib/python2.7/dist-packages/keystone/common/controller.py:62
2017-07-28 13:31:57.754 100836 DEBUG keystone.common.controller [req-c650ebca-a84a-4143-8547-aa91e05b67af - - - - -] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/dist-packages/keystone/common/controller.py:67
2017-07-28 13:31:57.754 100836 DEBUG keystone.common.controller [req-c650ebca-a84a-4143-8547-aa91e05b67af - - - - -] RBAC: Adding query filter params (name=mydom) wrapper /usr/lib/python2.7/dist-packages/keystone/common/controller.py:194
2017-07-28 13:31:57.754 100836 DEBUG keystone.policy.backends.rules [req-c650ebca-a84a-4143-8547-aa91e05b67af - - - - -] enforce identity:list_domains: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'19d9fea8ad7744779ba2c81e1ad36e76', 'roles': [u'_member_', u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=wrlWmmRlRmKk2xkN1p1KfA, audit_chain_id=wrlWmmRlRmKk2xkN1p1KfA) at 0x7f04b5c60d08>, 'project_id': u'fcff98f1c7a34a86be56c0a3d069c280', 'trust_id': None} enforce /usr/lib/python2.7/dist-packages/keystone/policy/backends/rules.py:76
2017-07-28 13:31:57.755 100836 DEBUG keystone.common.controller [req-c650ebca-a84a-4143-8547-aa91e05b67af - - - - -] RBAC: Authorization granted wrapper /usr/lib/python2.7/dist-packages/keystone/common/controller.py:204
2017-07-28 13:32 ...
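
One way to compare the three runs side by side, as an added example that is not part of the original post: group the keystone debug lines by request ID and list, per request, the keystone process ID, the API call, the policy rule checked and any warning. The sample lines are constructed in the format of the log above (not taken from the asker's log), and `summarize` is a hypothetical helper name.

```python
import re
from collections import OrderedDict

# Constructed sample in the same layout as the admin.log lines above (not real log data).
SAMPLE_LOG = """\
2017-07-28 13:31:57.754 100836 INFO keystone.common.wsgi [req-aaaa1111 - - - - -] GET http://192.0.2.10:35357/v3/domains?name=mydom
2017-07-28 13:31:57.754 100836 DEBUG keystone.common.controller [req-aaaa1111 - - - - -] RBAC: Authorizing identity:list_domains() _build_policy_check_credentials /usr/lib/python2.7/dist-packages/keystone/common/controller.py:62
2017-07-28 13:31:57.755 100836 DEBUG keystone.common.controller [req-aaaa1111 - - - - -] RBAC: Authorization granted wrapper /usr/lib/python2.7/dist-packages/keystone/common/controller.py:204
2017-07-28 13:32:10.101 100840 INFO keystone.common.wsgi [req-bbbb2222 - - - - -] GET http://192.0.2.10:35357/v3/domains/mydom
2017-07-28 13:32:10.102 100840 WARNING keystone.common.wsgi [req-bbbb2222 - - - - -] Could not find domain: mydom
"""

# timestamp, pid, level, module, [req-id ...], message
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\w+) (\S+) \[(req-\S+)[^\]]*\] (.*)$")
HTTP_RE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE|HEAD) (\S+)")
POLICY_RE = re.compile(r"RBAC: Authorizing (\S+?)\(")


def summarize(log_text):
    """Group log lines by request ID, keeping the fields worth comparing between runs."""
    requests = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # truncated line or one without a request ID
        _ts, pid, level, _module, req_id, msg = m.groups()
        entry = requests.setdefault(
            req_id, {"pid": pid, "calls": [], "policies": [], "warnings": []})
        http = HTTP_RE.match(msg)
        if http and level == "INFO":
            entry["calls"].append(" ".join(http.groups()))
        policy = POLICY_RE.search(msg)
        if policy:
            entry["policies"].append(policy.group(1))
        if level in ("WARNING", "ERROR"):
            entry["warnings"].append(msg)
    return requests


if __name__ == "__main__":
    for req_id, e in summarize(SAMPLE_LOG).items():
        print(req_id, "pid=" + e["pid"], e["calls"], e["policies"], e["warnings"])
```

Running it over admin.log and main.log for each of the three attempts shows whether the runs differ in the process that served them, the endpoint called, or the policy rule evaluated.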