Ask Your Question
0

Active Directory auth with keystone v3. Why can I not get it to work?

asked 2018-01-16 03:20:41 -0500

tony.pearce gravatar image

I have a relatively vanilla tripleo openstack Pike install at the moment. I would like to test AD authentication. I have a working windows AD on windows 2012 server. Guides I've been following: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/integrate_with_identity_service/sec-active-directory (https://access.redhat.com/documentati...)

video: https://www.openstack.org/videos/austin-2016/integrate-active-directory-with-openstack-keystone (https://www.openstack.org/videos/aust...)

Few things I notice: 1. After making the changes and restarting the httpd service on the controller, I can no longer query the overcloud from the undercloud machine (when sourcing the rc file, chosing v2 or v3 for keystone..) error: (overcloud) [stack@osuc~]$ nova list ERROR (InternalServerError): An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-37d59f65-e7c8-4a0f-94d0-c9d6b0387196)

  1. I can browse to the keystone api on http://192.168.1.66:5000/v3 and I get the json back from it, so the service is running.

  2. I also cannot log into openstack any longer using the admin user ID.

  3. when restarting httpd there's a few errors which might be the reason for the issue: overcloud-controller-0 python[5391]: ERROR:scss.ast:Function not found: function-exists:1

My problem is finishing off the setup after restarting httpd service. I need to run some openstack commands to update the db but I just get error 500 when I try. Reverting the changes fixes the problem but of course, my goal is to try AD auth.

To summarise the steps I am doing the following: on controller: 1. on the controller run selinux command for ldap sudo setsebool -P authlogin_nsswitch_use_ldap=on 2. make directory and change permissions for keystone : mkdir /etc/keystone/domains 3. edit /etc/keystone/keystone.conf to include: [identity] domain_specific_drivers_enabled = true domain_config_dir = /etc/keystone/domains

[assignment]| driver = keystone.assignment.backends.sql.Assignment

Now under the "driver" part, my set up had "sql" there by default. I have tried using: "sql,keystone.assignment.backends.sql.Assignment" as well as leaving it as sql as I noticed the driver setting in the /etc/keystone/domains/keystone.DOMAIN.conf file

  1. edit /etc/openstack-dashboard/local_settings to uncomment: OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'

and also I verified that by default the following is also present: OPENSTACK_API_VERSIONS = { 'identity': 3,

}

I restart HTTPD service and I get those errors as noted and I can't seem to be able to proceed any further.

What am I doing wrong?

edit retag flag offensive close merge delete

Comments

Looks like the driver is not present on the controller node. I google searched and was unable to find any pointers to help me move forward from this point. keystone.log shows:Unable to find %(name)r driver in %(namespace)r.', {'namespace': 'keystone.identity', 'name': 'keystone.identity.backends.lda

tony.pearce gravatar imagetony.pearce ( 2018-01-16 05:52:07 -0500 )edit

Unable to find %(name)r driver in %(namespace)r.', {'namespace': 'keystone.identity', 'name': 'keystone.identity.backends.ldap.Identity

tony.pearce gravatar imagetony.pearce ( 2018-01-16 05:52:13 -0500 )edit

1 answer

Sort by ยป oldest newest most voted
0

answered 2018-01-16 06:32:50 -0500

tony.pearce gravatar image

This is a bug that has been around since late 2016! Please see: https://bugs.launchpad.net/openstack-manuals/+bug/1628135 (https://bugs.launchpad.net/openstack-...)

The specified driver from documentations (many incorrect online for pike release!) is incorrect.

The bug states driver should be sql or ldap. The documentation states the driver should be keystone.identity.backends.ldap.Identity or even keystone.identity.backends.sql.Identity

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2018-01-16 03:20:41 -0500

Seen: 261 times

Last updated: Jan 16 '18