
How to configure Keystone with open LDAP + horizon on grizzly

asked 2013-05-19 05:06:46 -0600 by Yasith Tharindu

updated 2013-06-11 10:19:56 -0600 by fifieldt

I have enabled LDAP with Keystone and Horizon, but it always returns the following error. Has anyone succeeded with the above setup?

2013-05-19 15:21:23    ERROR [root] 'domain_id'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 236, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 82, in authenticate
    core.validate_auth_info(self, context, user_ref, tenant_ref)
  File "/usr/lib/python2.7/dist-packages/keystone/token/core.py", line 84, in validate_auth_info
    user_ref['domain_id'])
KeyError: 'domain_id'

2013-05-19 15:21:23    DEBUG [keystone.common.wsgi] {"error": {"message": "An unexpected error prevented the server from fulfilling your request. 'domain_id'", "code": 500, "title": "Internal Server Error"}}

I don't understand the purpose of the group_tree_dn attribute in keystone.conf. Is it a must to enable it?

My keystone config is as follows:

==============================================================================
url = ldap://192.168.1.111
user = cn=admin,dc=example,dc=com
password = secret
suffix = cn=example,cn=com
use_dumb_member = False
tree_dn = dc=example,dc=com

user_tree_dn = ou=Users,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = cn
user_name_attribute = sn
user_pass_attribute = userPassword
user_allow_create = True
user_allow_update = True
user_enabled_attribute = enabled
user_enabled_default = True
user_domain_id_attribute = None

tenant_tree_dn = ou=Tenants,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_domain_id_attribute = None
tenant_allow_create = True
tenant_allow_update = True


role_tree_dn = ou=Roles,dc=example,dc=com
role_objectclass = groupOfNames
role_member_attribute = member
role_id_attribute = cn
role_name_attribute = ou
role_allow_create = True
role_allow_update = True


==============================================

What am I doing wrong?

My LDAP config is as follows:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example Inc
dc: example


dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: c2VjcmV0



dn: ou=Users,dc=example,dc=com
ou: users
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit


dn: ou=Roles,dc=example,dc=com
ou: roles
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit


dn: ou=Tenants,dc=example,dc=com
ou: tenants
objectClass: organizationalUnit



dn: cn=demo,ou=Users,dc=example,dc=com
cn: demo
displayName: demo
givenName: demo
mail: demo@example.com
objectClass: inetOrgPerson
objectClass: top
sn: demo
uid: demo
userPassword:: c2VjcmV0


dn: cn=admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
cn: admin
description: Openstack admin Role
member: cn=demo,ou=Users,dc=example,dc=com


dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
cn: admin
description: Openstack admin Tenant
member: cn=demo,ou=Users,dc=example,dc=com

4 answers


answered 2013-05-20 08:05:08 -0600

updated 2013-05-30 09:18:11 -0600

The short answer is it is broken and being fixed:

https://review.openstack.org/#/c/28197/

You can work around it by creating a domain subtree.

The Fix to the above has been merged into master.

In the past, users were directly "members" of projects. Now, users have roles in projects. This is done (usually) using organizationalRoles as a collection under the project. For Microsoft AD, you need to change the object type, as it will not allow you to nest objects under groupOfNames: make the project an organizationalUnit instead.

If you have additional questions, please open them separately.


answered 2014-12-11 04:57:22 -0600

I also have the same error: "You are not authorized for any projects." Does anyone have a suggestion?


answered 2013-07-08 16:35:23 -0600 by TM7000

Were you able to resolve "You are not authorized for any projects"? If so, please update with the fix.


answered 2013-05-29 20:30:54 -0600 by Yasith Tharindu

Now my authentication phase is right, I guess. But I'm getting an error when I try to log in, saying "You are not authorized for any projects."

It seems my LDAP configuration is being used by Keystone. The keystone command gives the following results.

root@ubuntu:/home/wso2/ldap# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+------+------+---------+------------------+
|  id  | name | enabled |      email       |
+------+------+---------+------------------+
| demo | demo |   True  | demo@example.com |
+------+------+---------+------------------+
root@ubuntu:/home/wso2/ldap# keystone role-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------+-------+
|   id  |  name |
+-------+-------+
| admin | Admin |
+-------+-------+
root@ubuntu:/home/wso2/ldap# keystone tenant-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------+-------+---------+
|   id  |  name | enabled |
+-------+-------+---------+
| admin | admin |   True  |
+-------+-------+---------+


But nova commands return an error with the LDAP user credentials.

# nova image-list
ERROR: Invalid OpenStack Nova credentials.

The environment variables I used are as follows.

export OS_USERNAME=demo
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://192.168.1.111:5000/v2.0/
export OS_REGION_NAME=RegionOne
export SERVICE_ENDPOINT="http://192.168.1.111:35357/v2.0"
export SERVICE_TOKEN=012345SECRET99TOKEN012345
export OS_NO_CACHE=1

The Keystone log is as follows:

2013-05-29 02:45:20    DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=Tenants,dc=example,dc=com, scope=2, query=(&(objectClass=organizationalRole)(roleOccupant=cn=demo,ou=Users,dc=example,dc=com)), attrs=None
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] ******************** RESPONSE HEADERS ********************
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Vary = X-Auth-Token
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Content-Type = application/json
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Content-Length = 36
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] 
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] ******************** RESPONSE BODY ********************
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] {"tenants_links": [], "tenants": []}
2013-05-29 02:45:20     INFO [access] 127.0.0.1 - - [28/May/2013:21:15:20 +0000] "GET http://127.0.0.1:5000/v2.0/tenants HTTP/1.0" 200 36
2013-05-29 02:45:20    DEBUG [eventlet.wsgi.server] 127.0.0.1 - - [29/May/2013 02:45:20] "GET /v2.0/tenants HTTP/1.1" 200 164 0.028584

And the tenant config of Keystone is as follows:

tenant_tree_dn = ou=Tenants,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = cn
tenant_domain_id_attribute = businessCategory
tenant_enabled_attribute = o
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
tenant_desc_attribute = description

Do you have any suggestions? It seems there are no tenants according to the log line "DEBUG [keystone.common.wsgi] {"tenants_links": [], "tenants": []}", but I have enabled the user in the Tenant LDAP group.

dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
cn: admin
o: True
businessCategory: default
description: Openstack admin Tenant
member: cn=demo,ou=Users,dc=example,dc=com

Comments


Check this link:
https://ask.openstack.org/en/question/5352/openldap-integration-with-keystone-for-authentication/
This LDAP structure worked for us with Grizzly release:
http://pastebin.com/2B10nRd3

vijesh shetty (2013-12-11 07:08:06 -0600)
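Worked example, added here as an editor's illustration; it is not code from the question, from any of the answers, or from Keystone itself. The first answer says that in Grizzly a user's access to a project is expressed as an organizationalRole entry nested under the project, and the debug log in the last answer shows the query Keystone actually runs over ou=Tenants: (&(objectClass=organizationalRole)(roleOccupant=cn=demo,ou=Users,dc=example,dc=com)) with scope=2, i.e. SUBTREE. The posted tenant entry is a groupOfNames carrying a member attribute, which that filter can never match, hence {"tenants": []}. The Python below parses two small LDIF trees constructed for this example (one mirroring the post, one with the nested role entry added), evaluates the same filter over the tenant subtree, and maps each hit to a (tenant, role) pair. That Keystone takes the tenant from the matched role entry's parent DN is inferred from the log and the answer, not quoted from Keystone source on this page; all function names are my own.

```python
"""Replay Keystone's (Grizzly) tenant lookup against two inline LDAP trees.

Added example, not code from the post or from Keystone. The assumption, taken
from the debug log in the question rather than from Keystone source: tenants
are found by searching the tenant subtree for (&(objectClass=<role class>)
(<role member attribute>=<user DN>)) and reading each hit's parent entry.
"""
import base64

USER_DN = "cn=demo,ou=Users,dc=example,dc=com"
TENANT_TREE_DN = "ou=Tenants,dc=example,dc=com"

# Constructed LDIF mirroring the post: the tenant is a groupOfNames listing
# the user as 'member'.
POSTED_TREE = """
dn: cn=demo,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
cn: demo
sn: demo
userPassword:: c2VjcmV0

dn: ou=Tenants,dc=example,dc=com
objectClass: organizationalUnit
ou: Tenants

dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
cn: admin
member: cn=demo,ou=Users,dc=example,dc=com
"""

# Same tree plus the grant the logged filter looks for: an organizationalRole
# named after the role, nested under the tenant, with the user as roleOccupant.
FIXED_TREE = POSTED_TREE + """
dn: cn=admin,cn=admin,ou=Tenants,dc=example,dc=com
objectClass: organizationalRole
cn: admin
roleOccupant: cn=demo,ou=Users,dc=example,dc=com
"""


def norm_dn(dn):
    """Case-fold a DN and strip whitespace around its components."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader ('attr: value' and 'attr:: base64' lines, entries
    separated by blank lines) -> {normalised dn: {attribute (lower): [values]}}."""
    entries, current = {}, {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if current:
                entries[norm_dn(current["dn"][0])] = current
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def in_subtree(dn, base):
    """LDAP scope SUBTREE (scope=2 in the log): base itself or anything below it."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


def role_assignments_for_user(entries, tenant_tree_dn, user_dn,
                              role_objectclass="organizationalRole",
                              role_member_attribute="roleOccupant",
                              role_id_attribute="cn", tenant_id_attribute="cn"):
    """Apply the logged filter over the tenant subtree; each hit becomes
    (tenant_id, role_id), the tenant taken from the role entry's parent."""
    user, found = norm_dn(user_dn), []
    for dn, attrs in entries.items():
        if "," not in dn or not in_subtree(dn, tenant_tree_dn):
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        occupants = {norm_dn(v) for v in attrs.get(role_member_attribute.lower(), [])}
        if role_objectclass.lower() not in classes or user not in occupants:
            continue  # a groupOfNames with 'member' never satisfies this filter
        parent = entries.get(dn.split(",", 1)[1])
        if parent is None:
            continue  # role entry is not nested under a tenant entry
        for tenant_id in parent.get(tenant_id_attribute.lower(), []):
            for role_id in attrs.get(role_id_attribute.lower(), []):
                found.append((tenant_id, role_id))
    return sorted(found)


def tenants_for_user(entries, tenant_tree_dn, user_dn):
    """What GET /v2.0/tenants returns for the user: the distinct tenant ids."""
    return sorted({t for t, _ in role_assignments_for_user(entries, tenant_tree_dn, user_dn)})


if __name__ == "__main__":
    print("as posted:", tenants_for_user(parse_ldif(POSTED_TREE), TENANT_TREE_DN, USER_DN))
    print("with nested role:", tenants_for_user(parse_ldif(FIXED_TREE), TENANT_TREE_DN, USER_DN))
```

The tenant entry itself stays a groupOfNames in the fixed tree, so the change is purely additive: one organizationalRole child per (tenant, role) grant, with the user's full DN as roleOccupant. OpenLDAP accepts children under a groupOfNames; the first answer notes that Active Directory does not, which is why it suggests an organizationalUnit for the project there. The membership recorded in the asker's groupOfNames entries (member: cn=demo,...) is never consulted by this query, which is the gap between "I have enabled the user in the Tenant LDAP group" and the empty tenants list.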
