Can't contact LDAP server with keystone ldaps configuration

asked 2014-03-11 22:21:49 -0600

9lives

updated 2014-03-11 22:31:11 -0600

Hi all,

I am using keystone installed by the devstack havana branch to do ldap integration. We can integrate keystone + ldap server without any encryption method applied.

Now we need to go a step further and let keystone connect to the ldap server with the ldaps protocol, with the following config in keystone.conf ...

url = ldaps://OUR_LDAP_SERVER_IP:636
user = cn=Manager,dc=example,dc=com
password = ******
...
#TLS setting
use_tls = False
tls_cacertfile = "/home/my.cert"
# tls_cacertdir =
#tls_req_cert = demand 
...

However, keystone cannot connect to the server we specified, with the error message SERVER_DOWN: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}

Your help is very appreciated.

Vic

Complete stack trace is:

#################################################################################
Traceback (most recent call last):
  File "/opt/openstack/keystone/keystone/common/wsgi.py", line 214, in __call__
    result = method(context, **params)
  File "/opt/openstack/keystone/keystone/openstack/common/versionutils.py", line 102, in wrapped
    return func(*args, **kwargs)
  File "/opt/openstack/keystone/keystone/identity/controllers.py", line 112, in get_users
    user_list = self.identity_api.list_users()
  File "/opt/openstack/keystone/keystone/identity/core.py", line 191, in wrapper
    return f(self, *args, **kwargs)
  File "/opt/openstack/keystone/keystone/identity/core.py", line 373, in list_users
    ref_list = driver.list_users(hints or driver_hints.Hints())
  File "/opt/openstack/keystone/keystone/identity/backends/ldap.py", line 81, in list_users
    return self.user.get_all_filtered()
  File "/opt/openstack/keystone/keystone/identity/backends/ldap.py", line 238, in get_all_filtered
    return [identity.filter_user(user) for user in self.get_all()]
  File "/opt/openstack/keystone/keystone/common/ldap/core.py", line 770, in get_all
    return super(EnabledEmuMixIn, self).get_all(ldap_filter)
  File "/opt/openstack/keystone/keystone/common/ldap/core.py", line 406, in get_all
    for x in self._ldap_get_all(ldap_filter)]
  File "/opt/openstack/keystone/keystone/common/ldap/core.py", line 374, in _ldap_get_all
    conn = self.get_connection()
  File "/opt/openstack/keystone/keystone/common/ldap/core.py", line 250, in get_connection
    conn.simple_bind_s(user, password)
  File "/opt/openstack/keystone/keystone/common/ldap/core.py", line 557, in simple_bind_s
    return self.conn.simple_bind_s(user, password)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 206, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 200, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls))
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
SERVER_DOWN: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}
(access): 2014-03-11 23:40:54,167 INFO core __call__ 192.168.56.110 - - [11/Mar/2014:23:40:54 +0000] "GET http://192.168.56.110:35357/v2.0/users HTTP/1.0" 500 215
(eventlet.wsgi.server): 2014-03-11 23:40:54,176 INFO log write 192.168.56.110 - - [11/Mar/2014 23:40:54] "GET /v2.0/users HTTP/1.1" 500 363 426.275357
#################################################################################

Comments

Why do you have ldaps and use_tls=False? If it is ldaps then most probably use_tls=True.

Haneef Ali (2014-03-11 23:41:44 -0600)

Thanks for the quick reply Haneef. I did not enable use_tls because if I enable both ldaps and use_tls, keystone will complain with an error for this line in keystone/common/ldap/core.py:509 ... if use_tls and using_ldaps: raise AssertionError(_('Invalid TLS / LDAPS combination')) ... Is this a bug or something? Thanks! Vic

9lives (2014-03-12 03:17:16 -0600)

Thanks Haneef, to verify your suggestion I just modified core.py and enabled tls in keystone.conf ... if using_ldaps: ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile) ... and got a "TLS: peer cert untrusted or revoked (0x42)" error. Does that mean the issue is on the openldap side?

9lives (2014-03-12 21:45:00 -0600)

4 answers


answered 2014-03-12 10:41:49 -0600

updated 2014-03-12 12:01:58 -0600

You are correct. ldaps and use_tls cannot be combined. I looked at the code, and if we use ldaps they don't use tls_cert_file, which I think is wrong. I don't have an ldap setup with ldaps. If possible, can you try editing the code in file keystone/common/ldap/code/core.py and adding the line ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile)? As of now it is set only for tls and not for ldaps.


answered 2015-12-30 03:25:52 -0600

Satyanarayana Patibandla

I had the same issue. I was using url = ldaps://OUR_LDAP_SERVER_IP:636. The issue got resolved when I used url = ldap://OUR_LDAP_SERVER_IP.


answered 2014-04-13 13:57:30 -0600

FSAYED

Why do you have a port number and ldaps in the LDAP URL? When you set use_tls to true, it is implied that you are using LDAPS.

url = ldap://OUR_LDAP_SERVER_IP
user = cn=Manager,dc=example,dc=com
password = ******
...

#TLS setting
use_tls = True
tls_cacertfile = "/path/to/my/ldap/cacert"
tls_req_cert = allow

Also note that tls_cacertfile is the CACERT file of your LDAP server, i.e. the very thing that makes your LDAP into LDAPS. So the usual location of the file is on your ldap master under /etc/openldap/cacert/ (assuming you are using openldap); look in your slapd.conf file. It will tell you where the CACERT is.

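The three configuration rules this thread turns on (keystone rejecting use_tls together with an ldaps:// URL, the CA file only being applied on the use_tls path, and tls_req_cert = allow tolerating an untrusted server certificate) as a small [ldap] section linter. This is an added example, not keystone code or any poster's script; the config fragments are constructed from the values quoted in the thread, and detecting ldaps by URL prefix is an assumption about how keystone derives using_ldaps.

```python
import configparser

# Constructed keystone.conf [ldap] fragments (values from the thread, not real
# hosts): the asker's, the ldaps + use_tls mix, and FSAYED's ldap + use_tls one.
CONFIGS = {
    "asker": "[ldap]\nurl = ldaps://OUR_LDAP_SERVER_IP:636\n"
             "use_tls = False\ntls_cacertfile = \"/home/my.cert\"\n",
    "ldaps_plus_use_tls": "[ldap]\nurl = ldaps://OUR_LDAP_SERVER_IP:636\n"
                          "use_tls = True\ntls_cacertfile = \"/home/my.cert\"\n",
    "starttls_allow": "[ldap]\nurl = ldap://OUR_LDAP_SERVER_IP\nuse_tls = True\n"
                      "tls_cacertfile = \"/path/to/my/ldap/cacert\"\ntls_req_cert = allow\n",
}


def check_ldap_tls(conf_text):
    """Lint one [ldap] section and return a list of finding strings.

    The first rule is the one keystone/common/ldap/core.py enforces (use_tls
    with an ldaps:// URL raises AssertionError); the rest are defender checks.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp["ldap"]
    # prefix test is an assumption about how keystone derives using_ldaps
    using_ldaps = sec.get("url", "").lower().startswith("ldaps://")
    use_tls = sec.getboolean("use_tls", fallback=False)
    cacert = sec.get("tls_cacertfile", "").strip().strip('"')
    req_cert = sec.get("tls_req_cert", "demand").strip().lower()

    findings = []
    if use_tls and using_ldaps:
        findings.append("invalid TLS / LDAPS combination: use ldaps:// OR use_tls=True, not both")
    if not (use_tls or using_ldaps):
        return ["cleartext ldap://: the bind password is sent unencrypted"]
    if not cacert:
        findings.append("no tls_cacertfile: the server certificate cannot be verified")
    elif using_ldaps and not use_tls:
        # Behaviour reported in the thread: the CA file is applied only on the
        # use_tls (StartTLS) path, so ldaps:// ignores it unless core.py is patched.
        findings.append("ldaps:// with tls_cacertfile: Havana keystone applies the CA "
                        "file only when use_tls=True (bug 1209343)")
    if req_cert != "demand":
        findings.append("tls_req_cert=%s: an untrusted server certificate is accepted" % req_cert)
    return findings


def lint_all(configs=CONFIGS):
    """Map each config name to its findings; an empty list means no finding."""
    return {name: check_ldap_tls(text) for name, text in configs.items()}
```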

answered 2014-03-12 21:51:01 -0600

9lives

updated 2014-03-12 21:52:12 -0600

Per Haneef's suggestion, I wrote a small Python script to verify this as well.

#!/usr/bin/env python
import sys
import ldap

cert = '/home/my.cer'
url = 'ldaps://myldap:636'
username = 'cn=Manager,dc=example,dc=com'
pwd = '****'

# libldap debug output and python-ldap call tracing, both on stderr
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)
ldapmodule_trace_level = 1
ldapmodule_trace_file = sys.stderr

l = ldap.initialize(url, trace_level=ldapmodule_trace_level,
                    trace_file=ldapmodule_trace_file)
l.protocol_version = ldap.VERSION3
# TLS options have to be set before OPT_X_TLS_NEWCTX, which builds the TLS
# context from them; python-ldap expects the value 0 (client context) here
l.set_option(ldap.OPT_X_TLS_CACERTFILE, cert)
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
l.simple_bind_s(username, pwd)
print('success!')
print('*' * 30)

However, it still cannot connect to the ldap server, with the following error:

ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myldap:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 15.48.10.1:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
Traceback (most recent call last):
  File "../test-ldaps.py", line 19, in <module>
    l.simple_bind_s(username,pwd)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 206, in simps
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 200, in simpd
    return self._ldap_call(self._l.simple_bind,who,cred,EncodeControlTuples(ser)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldapl
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'info': '(unknown error code)', 'desc': "Can't contact LDAP }

Comments

This is easy to fix. How did you get your cert? (i.e.) cert='/home/my.cer'. I don't know how your ldap's ssl cert is set up. Download the ldap server cert and use it for cert=<downloaded cert>. If it still doesn't work, do the following. Go to http://www.sslshopper.com/certificate-decoder.html and decode your cert and copy-paste the output. No need to paste the key. Or you can decode it by using the command openssl x509 -in my.cer -text -noout

Haneef Ali (2014-03-12 22:03:43 -0600)

Thanks again Haneef, I found there is already a bug report for this: https://bugs.launchpad.net/keystone/+bug/1209343 and yes, it is easy to fix this glitch; it seemed people are worried about how to write a unit test to verify the fix. ;) The cert is self-signed with openssl by someone else. I will try to decode it as you suggested. Thanks! Vic

9lives (2014-03-12 22:25:25 -0600)

Hi Haneef, I can decode my cert, but still cannot access the ldap; the issue is still "TLS: peer cert untrusted or revoked (0x42)". I don't know why. I have decided to close this thread. Thanks for your kind help! Vic

9lives (2014-03-13 21:29:53 -0600)
