active directory 2008 and keystone integration

asked 2018-12-13 03:40:49 -0500

iloveopenstack

updated 2018-12-13 03:53:41 -0500

Hi all, I have installed OpenStack RDO in my lab using packstack and am testing integration with an Active Directory server. My test stand description:

controller2-tst - IP x.x.x.x
vs-c06-ad-tst.test.local - IP x.x.x.x, Active Directory Win2k8 server

I used this article to configure keystone: https://www.ibm.com/developerworks/cloud/library/cl-configure-keystone-ldap-and-active-directory/index.html

But the integration isn't working. In the keystone log I see errors:

  • An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-7c417195-fb14-4f1b-9f26-d1cdc05ff7f7)

    2018-12-13 11:57:03.253 11750 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal. Its value may be silently ignored in the future.
    2018-12-13 11:57:03.349 11750 INFO keystone.token.persistence.backends.sql [-] Total expired tokens removed: 0
    2018-12-13 11:57:20.550 11779 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal. Its value may be silently ignored in the future.
    2018-12-13 11:57:20.881 11779 INFO keystone.common.wsgi [req-675018fd-1ddd-4b82-ac3f-c75fc36aa964 - - - - -] GET http://172.31.191.100:5000/v3/
    2018-12-13 11:57:22.961 11781 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal. Its value may be silently ignored in the future.
    2018-12-13 11:57:23.309 11781 INFO keystone.common.wsgi [req-7c417195-fb14-4f1b-9f26-d1cdc05ff7f7 - - - - -] POST http://172.31.191.100:5000/v3/auth/tokens
    2018-12-13 11:57:23.463 11781 WARNING stevedore.named [req-7c417195-fb14-4f1b-9f26-d1cdc05ff7f7 - - - - -] Could not load keystone.identity.backends.ldap.Identity
    2018-12-13 11:57:23.464 11781 ERROR keystone.common.wsgi [req-7c417195-fb14-4f1b-9f26-d1cdc05ff7f7 - - - - -] (u'Unable to find %(name)r driver in %(namespace)r.', {'namespace': 'keystone.identity', 'name': 'keystone.identity.backends.ldap.Identity'}): ImportError: (u'Unable to find %(name)r driver in %(namespace)r.', {'namespace': 'keystone.identity', 'name': 'keystone.identity.backends.ldap.Identity'})
    2018-12-13 11:57:23.464 11781 ERROR keystone.common.wsgi Traceback (most recent call last):

My keystone configs are below.

keystone.conf

    [identity]
    domain_specific_drivers_enabled=true
    domain_config_dir=/etc/keystone/domains

/etc/keystone/domains/keystone.TEST.conf

    [ldap]
    url = ldap://vs-c06-ad-tst.test.local
    user = cn=adminAD,dc=test,dc=local
    password = Qwerty123
    suffix = dc=test,dc=local
    group_tree_dn = ou=UserGroups,dc=test,dc=local
    user_tree_dn = ou=Users,dc=test,dc=local
    user_mail_attribute = mail

    [identity]
    driver = keystone.identity.backends.ldap.Identity

etc/openstack-dashboard/local_settings

    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
    OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'

I am still able to open the http://controller2-tst:5000/v3 link, but I can't log on to the Horizon dashboard as an Active Directory user. I tried changing the driver between keystone.identity.backends.ldap.Identity and keystone.identity.backends.sql.Identity; still no change.

Comments

Please use the 101010 button to turn your code into something readable.

The IBM instructions are for Juno, 4 years old or so. The driver config setting looks incorrect. Try setting it to ldap. See https://docs.openstack.org/keystone/l....

Bernd Bausch (2018-12-13 03:48:09 -0500)

1 answer

answered 2018-12-13 08:59:57 -0500

iloveopenstack

Thanks for the reply.

I changed the keystone conf, /etc/keystone/keystone.conf, and removed /etc/keystone/domains/keystone.TEST.conf because we need only one Active Directory domain integration.

keystone.conf --- settings

    [ldap]
    url = ldap://vs-c06-ad-tst.test.local
    user = CN=adminAD,CN=Users,DC=test,DC=local
    password = Qwerty123
    suffix = DC=test,DC=local
    user_tree_dn = ou=Users,DC=test,DC=local
    user_objectclass = inetOrgPerson
    group_tree_dn = ou=Groups,DC=test,DC=local
    group_objectclass = groupOfNames
    user_objectclass = person
    user_filter = (memberof=CN=grp-openstack,OU=Users,DC=test,DC=local)
    group_filter =

    [identity]
    driver = ldap

nova.conf

[keystone_authtoken]
auth_version = v3

When testing openstack user list --domain TEST

- Missing value auth-url required for auth plugin password

In the keystone log:

2018-12-13 17:52:39.226 13346 INFO keystone.common.wsgi [req-673053b0-2dda-45eb-8f4e-8cfe4e8040b7 - - - - -] POST http://172.31.191.100:5000/v3/auth/tokens
2018-12-13 17:52:39.406 13346 WARNING keystone.auth.plugins.core [req-673053b0-2dda-45eb-8f4e-8cfe4e8040b7 - - - - -] Could not find user: placement.: UserNotFound: Could not find user: placement.
2018-12-13 17:52:39.407 13346 WARNING keystone.common.wsgi [req-673053b0-2dda-45eb-8f4e-8cfe4e8040b7 - - - - -] Authorization failed. The request you have made requires authentication. from 172.31.191.100: $
2018-12-13 17:53:03.396 16408 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal.  Its value may be silently ignored in the future.
2018-12-13 17:53:03.450 16408 INFO keystone.token.persistence.backends.sql [-] Total expired tokens removed: 0

Comments

This is confusing; I don’t understand what the placement user is doing here. What are your OS_... environment variables set to?

Since this is a different problem, I suggest moving it to a new question.

Bernd Bausch (2018-12-13 16:45:15 -0500)
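
A lint pass over the two keystone configurations posted in this thread, added here as an example (not code from the posters or from the keystone project). It flags the class-path driver value behind the "Could not load" error, a global `ldap` identity driver under which users kept only in SQL are no longer looked up, a repeated key, and a plain `ldap://` URL without `use_tls`; the function name, finding codes and trimmed sample configs are constructed for illustration.

```python
import configparser

# Constructed samples, trimmed from the two configs posted in this thread.
QUESTION_DOMAIN_CONF = """\
[ldap]
url = ldap://vs-c06-ad-tst.test.local
suffix = dc=test,dc=local
[identity]
driver = keystone.identity.backends.ldap.Identity
"""
ANSWER_KEYSTONE_CONF = """\
[ldap]
url = ldap://vs-c06-ad-tst.test.local
user_objectclass = inetOrgPerson
user_objectclass = person
[identity]
driver = ldap
"""

def lint_keystone_ldap(text, domain_specific=False):
    """Lint a keystone config; domain_specific=True marks a per-domain file."""
    findings = []
    cp = configparser.ConfigParser(strict=True, interpolation=None)
    try:
        cp.read_string(text)
    except configparser.DuplicateOptionError as exc:
        # Same key twice in one section (first duplicate is reported).
        findings.append("duplicate-option:" + exc.option)
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.read_string(text)
    driver = cp.get("identity", "driver", fallback="sql")
    if "." in driver:
        # Drivers are loaded by entry-point name (ldap, sql); a class path
        # gives the "Could not load ..." / ImportError seen in the log.
        findings.append("driver-class-path")
    elif driver == "ldap" and not domain_specific:
        # Every domain now resolves users in LDAP, so accounts that exist
        # only in SQL (e.g. service users) are no longer found.
        findings.append("global-ldap-driver")
    url = cp.get("ldap", "url", fallback="")
    if url.lower().startswith("ldap://") and not cp.getboolean(
            "ldap", "use_tls", fallback=False):
        # Bind and user passwords cross the network unencrypted.
        findings.append("cleartext-ldap")
    return findings

if __name__ == "__main__":
    print(lint_keystone_ldap(QUESTION_DOMAIN_CONF, domain_specific=True))
    print(lint_keystone_ldap(ANSWER_KEYSTONE_CONF))
```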
