keystone problem
Hi
I totally do not understand how to get the integration between the Identity back-end and an external LDAP working.
I created a fresh OS and installed RDO from Packstack using this article: https://www.techsupportpk.com/2016/12/installing-openstack-on-multi-node-in-linux.html
I use CentOS 7
Linux version 3.10.0-957.1.3.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-36)
In my environment there are two test servers:
controller2-tst - controller
vs-c06-ad-tst.test.local - Active Directory win28k domain controller
My keystone admin.sh config is below:
unset OS_SERVICE_TOKEN
export OS_USERNAME=admin
export OS_PASSWORD='7dabafe103fb4b35'
export OS_AUTH_URL=http://172.31.191.100:5000/v3
export PS1='[\u@\h \W(keystone_admin)]\$ '
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_IDENTITY_API_VERSION=3
Using the doc article I tried to configure the relation between the Default domain and an LDAP domain: https://docs.openstack.org/keystone/latest/admin/integrate-with-ldap.html#identity-ldap-server-setup
In my keystone.conf I added only:
[identity]
driver = ldap
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
Created /etc/keystone/domains/keystone.TEST.conf and added:
[ldap]
url = ldap://vs-c06-ad-tst.test.local
user = CN=adminAD,CN=Users,DC=test,DC=local
password = Qwerty123
suffix = DC=test,DC=local
user_tree_dn = DC=test,DC=local
user_objectclass = inetOrgPerson
#group_tree_dn = OU=Groups,DC=test,DC=local
#group_objectclass = groupOfNames
- Created the TEST domain and can see local users, for example:
openstack user list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 9f268f32a2124c9eaf9d16286c0c1098 | nova |
| a5b7ccbb91df442fbefc17a717fb0727 | admin |
| a7c2cdc895ef4d2bb1c72555d44b1c75 | placement |
| ab9647db53b34e97b384edb8e2350f3b | glance |
| db47ff496e6a40a282ba437f6e9dad5b | neutron |
+----------------------------------+-----------+
openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
- I can log on via HTTP to http://172.31.191.100:5000/v3 and get the version document:
{
  "status": "stable",
  "updated": "2018-02-28T00:00:00Z",
  "media-types": [
    {
      "base": "application/json",
      "type": "application/vnd.openstack.identity-v3+json"
    }
  ],
  "id": "v3.10",
  "links": [
    {
      "href": "http://172.31.191.100:5000/v3/",
      "rel": "self"
    }
  ]
}
BUT after restarting httpd I see errors:
2018-12-14 13:19:03.700 27829 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal. Its value may be silently ignored in the future.
2018-12-14 13:19:03.783 27829 INFO keystone.token.persistence.backends.sql [-] Total expired tokens removed: 0
2018-12-14 13:19:28.700 21770 INFO keystone.common.wsgi [req-632ad35e-081f-46bf-9a65-165f38649dcf - - - - -] POST http://172.31.191.100:5000/v3/auth/tokens
2018-12-14 13:19:29.660 21770 ERROR keystone.common.wsgi [req-632ad35e-081f-46bf-9a65-165f38649dcf - - - - -] {'desc': "Can't contact LDAP server"}: BackendError: {'desc': "Can't contact LDAP server"}
openstack user list --domain TEST
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-78cb6dbe-0db7-4e7b-a4e9-10adb9d4c960)
It's strange because my domain controller is available and port 389 is open:
ldapsearch -W -x -D CN=adminAD,CN=Users,DC=test,DC=local -b "DC=test,DC=local" -h vs-c06-ad-tst.test.local "(cn=adminAD)"
# extended LDIF
#
# LDAPv3
# base <DC=test,DC=local> with scope subtree
# filter: (cn=adminAD)
# requesting: ALL
#
# adminAD, Users, test.local
dn: CN=adminAD,CN=Users,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: adminAD
givenName: adminAD
distinguishedName: CN=adminAD,CN=Users,DC=test,DC ...
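As an added example (not part of the original post and not keystone's own code), here is a small pre-flight check for a domain-specific [ldap] section like the one above. It derives the host and port keystone will try to contact from the url option, flags a cleartext ldap:// URL with no use_tls, and cross-checks user_objectclass against the objectClass values an actual directory entry carries; the sample config and LDIF are constructed from the post, with the bind password replaced by a placeholder.

```python
"""Pre-flight check for a keystone domain-specific [ldap] section (added example,
not keystone's own code): derive the host/port keystone will contact, flag
cleartext ldap:// without use_tls, and check user_objectclass against an entry."""
import configparser
from urllib.parse import urlsplit

# Constructed from the keystone.TEST.conf in the post; bind password is a placeholder.
DOMAIN_CONF = """[ldap]
url = ldap://vs-c06-ad-tst.test.local
user = CN=adminAD,CN=Users,DC=test,DC=local
password = PLACEHOLDER_BIND_PASSWORD
user_tree_dn = DC=test,DC=local
user_objectclass = inetOrgPerson
"""
# Constructed from the ldapsearch output in the post.
LDIF_ENTRY = """dn: CN=adminAD,CN=Users,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
"""

def ldap_endpoints(url_option):
    """Split the comma-separated url option into (scheme, host, port) triples,
    applying the LDAP defaults 389/636 when a URL names no port."""
    endpoints = []
    for raw in url_option.split(","):
        parts = urlsplit(raw.strip())
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        endpoints.append((parts.scheme, parts.hostname, port))
    return endpoints

def ldif_attr(ldif_text, attr):
    # Collect every value of one attribute (case-insensitive name) from one LDIF entry.
    prefix = attr.lower() + ":"
    return [line.split(":", 1)[1].strip() for line in ldif_text.splitlines()
            if line.lower().startswith(prefix)]

def preflight(conf_text, ldif_text):
    """Return human-readable findings; an empty list means nothing to fix."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    ldap = cp["ldap"]
    findings = []
    for scheme, host, port in ldap_endpoints(ldap["url"]):
        if scheme == "ldap" and not ldap.getboolean("use_tls", fallback=False):
            findings.append(f"{host}:{port} is cleartext LDAP without use_tls; the bind password crosses the network unencrypted")
    classes = {c.lower() for c in ldif_attr(ldif_text, "objectClass")}
    if ldap["user_objectclass"].lower() not in classes:
        findings.append(f"user_objectclass={ldap['user_objectclass']} is not among the entry's objectClass values {sorted(classes)}")
    return findings
```

Run `preflight(DOMAIN_CONF, LDIF_ENTRY)` against your own file contents and a real ldapsearch result; the objectClass check only tells you whether keystone's user filter can match the entries the directory returns, it does not explain a transport-level "Can't contact LDAP server".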