keystone problem

asked 2018-12-14 04:34:18 -0500

iloveopenstack

Hi

I totally do not understand how the integration between the Identity back-end and an external LDAP works.

  1. I have created a fresh OS and installed RDO with Packstack using this article: https://www.techsupportpk.com/2016/12/installing-openstack-on-multi-node-in-linux.html

  2. Using CentOS 7:

    Linux version 3.10.0-957.1.3.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-36)

In my environment there are two test servers:

controller2-tst - controller

vs-c06-ad-tst.test.local - Active Directory (win28k) domain controller

  3. My keystone admin.sh config is below:

    unset OS_SERVICE_TOKEN
    export OS_USERNAME=admin
    export OS_PASSWORD='7dabafe103fb4b35'
    export OS_AUTH_URL=http://172.31.191.100:5000/v3
    export PS1='[\u@\h \W(keystone_admin)]\$ '
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_IDENTITY_API_VERSION=3

  4. Using the docs article, I tried to configure the relation between the Default domain and the LDAP domain: https://docs.openstack.org/keystone/latest/admin/integrate-with-ldap.html#identity-ldap-server-setup

In my keystone.conf I added only:

    [identity]
    driver = ldap
    domain_specific_drivers_enabled = True
    domain_config_dir = /etc/keystone/domains

Created /etc/keystone/domains/keystone.TEST.conf and added:

    [ldap]
    url = ldap://vs-c06-ad-tst.test.local
    user = CN=adminAD,CN=Users,DC=test,DC=local
    password = Qwerty123
    suffix = DC=test,DC=local
    user_tree_dn = DC=test,DC=local
    user_objectclass = inetOrgPerson

    #group_tree_dn = OU=Groups,DC=test,DC=local
    #group_objectclass = groupOfNames

  5. Created the TEST domain and can see the local users, for example:

    openstack user list

    | 9f268f32a2124c9eaf9d16286c0c1098 | nova      |
    | a5b7ccbb91df442fbefc17a717fb0727 | admin     |
    | a7c2cdc895ef4d2bb1c72555d44b1c75 | placement |
    | ab9647db53b34e97b384edb8e2350f3b | glance    |
    | db47ff496e6a40a282ba437f6e9dad5b | neutron   |
    +----------------------------------+-----------+

    openstack domain list
    +---------+---------+---------+--------------------+
    | ID      | Name    | Enabled | Description        |
    +---------+---------+---------+--------------------+
    | default | Default | True    | The default domain |
    +---------+---------+---------+--------------------+

  6. Can log on via HTTP into http://172.31.191.100:5000/v3 and get:

    {
      "status": "stable",
      "updated": "2018-02-28T00:00:00Z",
      "media-types": [
        {
          "base": "application/json",
          "type": "application/vnd.openstack.identity-v3+json"
        }
      ],
      "id": "v3.10",
      "links": [
        {
          "href": "http://172.31.191.100:5000/v3/",
          "rel": "self"
        }
      ]
    }

BUT after restarting httpd I see errors:

    2018-12-14 13:19:03.700 27829 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal.  Its value may be silently ignored in the future.
    2018-12-14 13:19:03.783 27829 INFO keystone.token.persistence.backends.sql [-] Total expired tokens removed: 0
    2018-12-14 13:19:28.700 21770 INFO keystone.common.wsgi [req-632ad35e-081f-46bf-9a65-165f38649dcf - - - - -] POST http://172.31.191.100:5000/v3/auth/tokens
    2018-12-14 13:19:29.660 21770 ERROR keystone.common.wsgi [req-632ad35e-081f-46bf-9a65-165f38649dcf - - - - -] {'desc': "Can't contact LDAP server"}: BackendError: {'desc': "Can't contact LDAP server"}

    openstack user list --domain TEST
    An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-78cb6dbe-0db7-4e7b-a4e9-10adb9d4c960)

It's strange, because my domain controller is available and port 389 is open:

    ldapsearch -W -x -D CN=adminAD,CN=Users,DC=test,DC=local -b "DC=test,DC=local" -h vs-c06-ad-tst.test.local "(cn=adminAD)"

    # extended LDIF
    #
    # LDAPv3
    # base <DC=test,DC=local> with scope subtree
    # filter: (cn=adminAD)
    # requesting: ALL
    #

    # adminAD, Users, test.local
    dn: CN=adminAD,CN=Users,DC=test,DC=local
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: adminAD
    givenName: adminAD
    distinguishedName: CN=adminAD,CN=Users,DC=test,DC ...
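An added example, not part of the question and not keystone's own code: a small stand-alone linter for the `[ldap]` section of a keystone domain-specific config file. It takes a constructed copy of the `keystone.TEST.conf` from the question and the `objectClass` values from the `ldapsearch` output shown above, and reports the settings that most often cause trouble against Active Directory: a cleartext `ldap://` bind (the bind password crosses the wire unencrypted), a relaxed `tls_req_cert`, a `user_objectclass` that none of the returned entries carry (the LDIF lists `top`, `person`, `organizationalPerson` and `user`, not `inetOrgPerson`), and a user search rooted at the whole domain suffix. The hardened variant, the CA file path `/etc/keystone/ad-ca.pem` and the `<bind-password>` value are assumptions for illustration; `tls_req_cert`, `tls_cacertfile` and `user_name_attribute` are real keystone `[ldap]` options. Only the Python standard library is used.

```python
"""Lint a keystone domain-specific [ldap] section against an ldapsearch LDIF
sample.  Added example; assumes nothing beyond the Python standard library."""
import configparser
import socket
from urllib.parse import urlparse

# Constructed copy of the keystone.TEST.conf from the question.
QUESTION_CONF = """\
[ldap]
url = ldap://vs-c06-ad-tst.test.local
user = CN=adminAD,CN=Users,DC=test,DC=local
password = Qwerty123
suffix = DC=test,DC=local
user_tree_dn = DC=test,DC=local
user_objectclass = inetOrgPerson
"""

# Constructed hardened variant; the CA path and password are placeholders.
HARDENED_CONF = """\
[ldap]
url = ldaps://vs-c06-ad-tst.test.local
tls_req_cert = demand
tls_cacertfile = /etc/keystone/ad-ca.pem
user = CN=adminAD,CN=Users,DC=test,DC=local
password = <bind-password>
suffix = DC=test,DC=local
user_tree_dn = CN=Users,DC=test,DC=local
user_objectclass = user
user_name_attribute = sAMAccountName
"""

# Constructed excerpt of the ldapsearch output shown in the question.
LDIF_SAMPLE = """\
dn: CN=adminAD,CN=Users,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: adminAD
"""


def parse_ldap_section(text):
    """Return the [ldap] section as a plain dict (configparser lower-cases keys)."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string(text)
    return dict(cp["ldap"])


def objectclasses_in_ldif(text):
    """Collect every objectClass value present in an LDIF dump."""
    return {
        line.split(":", 1)[1].strip()
        for line in text.splitlines()
        if line.lower().startswith("objectclass:")
    }


def lint(conf, ldif_classes):
    """Return 'code: detail' findings; an empty list means nothing was flagged."""
    findings = []
    url = urlparse(conf.get("url", ""))
    use_tls = conf.get("use_tls", "false").lower() == "true"
    if url.scheme not in ("ldap", "ldaps"):
        findings.append(f"bad-url-scheme: {conf.get('url')!r}")
    elif url.scheme == "ldap" and not use_tls:
        findings.append("cleartext-bind: ldap:// without use_tls sends the bind password in the clear")
    if conf.get("tls_req_cert", "demand").lower() != "demand":
        findings.append("tls-cert-unverified: tls_req_cert should stay 'demand' so a spoofed DC is rejected")
    oc = conf.get("user_objectclass", "")
    if ldif_classes and oc not in ldif_classes:
        findings.append(f"user_objectclass-mismatch: {oc} not in {sorted(ldif_classes)}; user listing will be empty")
    if conf.get("user_tree_dn") == conf.get("suffix"):
        findings.append("user_tree_dn-equals-suffix: every object under the domain is searched for users")
    return findings


def tcp_reachable(host, port=389, timeout=3.0):
    """True if a TCP connection to host:port succeeds from *this* process.
    Run it in the same user/context as keystone, not only from a root shell."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    classes = objectclasses_in_ldif(LDIF_SAMPLE)
    for name, text in (("question", QUESTION_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in lint(parse_ldap_section(text), classes) or ["no findings"]:
            print(" ", finding)
```

The linter does not explain "Can't contact LDAP server" by itself: the `ldapsearch` in the question proves the DC answers a root shell, while keystone runs inside httpd, so `tcp_reachable` is meant to be called from that same context (for example from a short WSGI-served script or as the keystone user). On CentOS one thing that differs between the two contexts is SELinux, whose `httpd_can_connect_ldap` boolean governs outbound LDAP from httpd; that is a candidate to check, not a diagnosis the page supports. Whatever the cause, the domain config file holds the bind password in clear text and should stay readable only by the keystone service user.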