Can't contact LDAP server with keystone ldaps configuration
Hi all,
I am using keystone installed by the devstack havana branch to do LDAP integration. We can integrate keystone + the LDAP server without any encryption method applied.
Now we need to go a step further and let keystone connect to the LDAP server with the ldaps protocol, with the following config in keystone.conf ...
url = ldaps://OUR_LDAP_SERVER_IP:636
user = cn=Manager,dc=example,dc=com
password = ******
...
#TLS setting
use_tls = False
tls_cacertfile = "/home/my.cert"
# tls_cacertdir =
#tls_req_cert = demand
...
However, keystone cannot connect to the server we specified, with the error message SERVER_DOWN: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}
Your help is very appreciated.
Vic
Complete stack trace is:
#################################################################################
Traceback (most recent call last):
File "/opt/openstack/keystone/keystone/common/wsgi.py", line 214, in __call__
result = method(context, **params)
File "/opt/openstack/keystone/keystone/openstack/common/versionutils.py", line 102, in wrapped
return func(*args, **kwargs)
File "/opt/openstack/keystone/keystone/identity/controllers.py", line 112, in get_users
user_list = self.identity_api.list_users()
File "/opt/openstack/keystone/keystone/identity/core.py", line 191, in wrapper
return f(self, *args, **kwargs)
File "/opt/openstack/keystone/keystone/identity/core.py", line 373, in list_users
ref_list = driver.list_users(hints or driver_hints.Hints())
File "/opt/openstack/keystone/keystone/identity/backends/ldap.py", line 81, in list_users
return self.user.get_all_filtered()
File "/opt/openstack/keystone/keystone/identity/backends/ldap.py", line 238, in get_all_filtered
return [identity.filter_user(user) for user in self.get_all()]
File "/opt/openstack/keystone/keystone/common/ldap/core.py", line 770, in get_all
return super(EnabledEmuMixIn, self).get_all(ldap_filter)
File "/opt/openstack/keystone/keystone/common/ldap/core.py", line 406, in get_all
for x in self._ldap_get_all(ldap_filter)]
File "/opt/openstack/keystone/keystone/common/ldap/core.py", line 374, in _ldap_get_all
conn = self.get_connection()
File "/opt/openstack/keystone/keystone/common/ldap/core.py", line 250, in get_connection
conn.simple_bind_s(user, password)
File "/opt/openstack/keystone/keystone/common/ldap/core.py", line 557, in simple_bind_s
return self.conn.simple_bind_s(user, password)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 206, in simple_bind_s
msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 200, in simple_bind
return self._ldap_call(self._l.simple_bind,who,cred,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls))
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
result = func(*args,**kwargs)
**SERVER_DOWN: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}**
(access): 2014-03-11 23:40:54,167 INFO core __call__ 192.168.56.110 - - [11/Mar/2014:23:40:54 +0000] "GET http://192.168.56.110:35357/v2.0/users HTTP/1.0" 500 215
(eventlet.wsgi.server): 2014-03-11 23:40:54,176 INFO log write 192.168.56.110 - - [11/Mar/2014 23:40:54] "GET /v2.0/users HTTP/1.1" 500 363 426.275357
#################################################################################
Why do you have ldaps and use_tls=False? If it is ldaps then most probably use_tls=True.
Thanks for the quick reply, Haneef. I did not enable use_tls because if I enable both ldaps and use_tls, keystone complains with an error from this line in keystone/common/ldap/core.py:509:
...
if use_tls and using_ldaps:
    raise AssertionError(_('Invalid TLS / LDAPS combination'))
...
Is this a bug or something? Thanks! Vic
Thanks Haneef. To verify your suggestion, I just modified core.py and enabled TLS in keystone.conf:
...
if using_ldaps:
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile)
...
I got a "TLS: peer cert untrusted or revoked (0x42)" error. Does that mean the issue is on the OpenLDAP side?
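The thread turns on two points about the [ldap] section: keystone rejects use_tls=True together with an ldaps:// URL, and a TLS connection with tls_req_cert=demand only succeeds when the server certificate can be verified against a configured CA. The following checker is an added example, not Vic's configuration or keystone's own code. It lints a keystone.conf fragment for exactly those combinations. The config text is constructed to mirror the one quoted above (server address, bind DN and certificate path are placeholders), "demand" as the default for tls_req_cert is an assumption taken from the commented `#tls_req_cert = demand` line in the post, and stripping quotes around values is this checker's own convention.

```python
import configparser
from urllib.parse import urlparse

# Constructed keystone.conf fragment modelled on the one quoted in the thread.
# Server address, bind DN, password and certificate path are placeholders.
SAMPLE_CONF = """
[ldap]
url = ldaps://OUR_LDAP_SERVER_IP:636
user = cn=Manager,dc=example,dc=com
password = secret
use_tls = False
tls_cacertfile = "/home/my.cert"
"""


def parse_ldap_section(conf_text):
    """Return the [ldap] options this checker cares about, with defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("ldap"):
        raise ValueError("configuration has no [ldap] section")
    section = parser["ldap"]

    # Quotes around a value are stripped here for convenience; this is the
    # checker's convention, not a statement about how keystone parses them.
    def clean(name):
        return section.get(name, "").strip().strip('"')

    return {
        "url": clean("url"),
        "use_tls": section.getboolean("use_tls", fallback=False),
        "tls_cacertfile": clean("tls_cacertfile"),
        "tls_cacertdir": clean("tls_cacertdir"),
        # Assumption: 'demand' is the default, as suggested by the commented
        # '#tls_req_cert = demand' line in the thread's config.
        "tls_req_cert": clean("tls_req_cert") or "demand",
    }


def check_ldap_tls(conf_text):
    """Classify the transport mode and list configuration findings."""
    opts = parse_ldap_section(conf_text)
    using_ldaps = urlparse(opts["url"]).scheme.lower() == "ldaps"

    if using_ldaps:
        mode = "ldaps"          # TLS from the first byte, port 636 by convention
    elif opts["use_tls"]:
        mode = "starttls"       # plain ldap:// upgraded with StartTLS
    else:
        mode = "plaintext"

    findings = []
    # keystone rejects ldaps:// combined with use_tls=True
    # ("Invalid TLS / LDAPS combination" in the thread).
    if using_ldaps and opts["use_tls"]:
        findings.append("invalid: use_tls=True combined with an ldaps:// URL")
    if mode == "plaintext":
        findings.append("warning: no TLS; the bind password crosses the network in clear text")
    has_ca = bool(opts["tls_cacertfile"] or opts["tls_cacertdir"])
    if mode != "plaintext" and not has_ca and opts["tls_req_cert"] == "demand":
        findings.append("error: tls_req_cert=demand but neither tls_cacertfile nor "
                        "tls_cacertdir is set, so the server certificate cannot be verified")
    if mode != "plaintext" and opts["tls_req_cert"] in ("never", "allow"):
        findings.append("warning: tls_req_cert=%s does not fail the connection on an "
                        "untrusted server certificate" % opts["tls_req_cert"])
    return {"mode": mode, "findings": findings}


if __name__ == "__main__":
    result = check_ldap_tls(SAMPLE_CONF)
    print("mode:", result["mode"])
    for line in result["findings"] or ["no findings"]:
        print(" -", line)
```

Run against the sample it reports mode `ldaps` with no findings, which matches the thread: the configuration itself is consistent, and the remaining "peer cert untrusted or revoked" error is about whether the file named in tls_cacertfile actually contains the CA that issued the server's certificate, something a config lint cannot decide.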