
'Invalid credentials' in ldap [closed]

asked 2014-03-16 21:54:59 -0500

nethawk

I tried to use ldap to save user data for keystone. But I got the error 'Invalid credentials' after I execute 'keystone user-list'. And I tried other commands, the result was the same. What should I do with it? Below is some information about this problem.

1) The LDAP data tree looks like this:

    dn: dc=openstack,dc=org
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: openstack
    dc: openstack

    dn: ou=Projects,dc=openstack,dc=org
    objectClass: top
    objectClass: organizationalUnit
    ou: projects

    dn: ou=Users,dc=openstack,dc=org
    objectClass: top
    objectClass: organizationalUnit
    ou: users

    dn: ou=Roles,dc=openstack,dc=org
    objectClass: top
    objectClass: organizationalUnit
    ou: roles

2) keystone.conf:

    [identity]
    driver = keystone.identity.backends.ldap.Identity

    [ldap]
    url = ldap://
    password = 123456
    suffix = cn=openstack,cn=org
    user = dc=Manager,dc=openstack,dc=org
    user_tree_dn = ou=Users,dc=openstack,dc=org
    user_objectclass = inetOrgPerson
    tenant_tree_dn = ou=Projects,dc=openstack,dc=org
    tenant_objectclass = groupOfNames
    role_tree_dn = ou=Roles,dc=openstack,dc=org
    role_objectclass = organizationalRole

3) keystone.log:

    (keystone.common.ldap.core): 2014-03-17 10:42:10,375 DEBUG LDAP bind: dn=dc=Manager,dc=openstack,dc=org
    (keystone.common.wsgi): 2014-03-17 10:42:10,377 ERROR {'desc': 'Invalid credentials'}
    Traceback (most recent call last):
      File "/usr/lib/python2.6/site-packages/keystone/common/", line 238, in __call__
        result = method(context, params)
      File "/usr/lib/python2.6/site-packages/keystone/identity/", line 183, in get_users
        user_list = self.identity_api.list_users()
      File "/usr/lib/python2.6/site-packages/keystone/identity/", line 172, in wrapper
        return f(self, args, *kwargs)
      File "/usr/lib/python2.6/site-packages/keystone/identity/", line 301, in list_users
        user_list = driver.list_users()
      File "/usr/lib/python2.6/site-packages/keystone/identity/backends/", line 82, in list_users
        return self.user.get_all_filtered()
      File "/usr/lib/python2.6/site-packages/keystone/identity/backends/", line 252, in get_all_filtered
        return [identity.filter_user(user) for user in self.get_all()]
      File "/usr/lib/python2.6/site-packages/keystone/common/ldap/", line 709, in get_all
        return super(EnabledEmuMixIn, self).get_all(filter)
      File "/usr/lib/python2.6/site-packages/keystone/common/ldap/", line 378, in get_all
        for x in self._ldap_get_all(filter)]
      File "/usr/lib/python2.6/site-packages/keystone/common/ldap/", line 349, in _ldap_get_all
        conn = self.get_connection()
      File "/usr/lib/python2.6/site-packages/keystone/common/ldap/", line 233, in get_connection
        conn.simple_bind_s(user, password)
      File "/usr/lib/python2.6/site-packages/keystone/common/ldap/", line 512, in simple_bind_s
        return self.conn.simple_bind_s(user, password)
      File "/usr/lib64/python2.6/site-packages/ldap/", line 207, in simple_bind_s
        return self.result(msgid,all=1,timeout=self.timeout)
      File "/usr/lib64/python2.6/site-packages/ldap/", line 436, in result
        res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
      File "/usr/lib64/python2.6/site-packages/ldap/", line 440, in result2
        res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
      File "/usr/lib64/python2.6/site-packages/ldap/", line 446, in result3
        ldap_result = self._ldap_call(self._l.result3 ... (more)


Closed for the following reason: the question is answered, right answer was accepted by nethawk
Close date: 2014-03-18 20:14:24.436917


Need more info for resolving this issue. Could you please paste the detailed debug info when you called keystone --debug user-list, as well as turn on verbose and debug in keystone.conf? From the current info, the login username and password for ldap provided to the keystone auth module might not be correct.

9lives (2014-03-17 03:59:51 -0500)

Thanks for your help. The info that you want is below.

    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
    REQ: curl -i -X GET -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: ADMIN"
    RESP: [500] {'date': 'Tue, 18 Mar 2014 01:07:19 GMT', 'content-type': 'application/json', 'content-length': '175', 'vary': 'X-Auth-Token'}
    RESP BODY: {"error": {"message": "An unexpected error prevented the server from fulfilling your request. {'desc': 'Invalid credentials'}", "code": 500, "title": "Internal Server Error"}}
    Request returned failure status: 500
    An unexpected error prevented the server from fulfilling your request. {'desc': 'Invalid credentials'} (HTTP 500)

nethawk (2014-03-17 20:09:14 -0500)

And I wrote a little code to test connecting to ldap, but simple_bind() returns 1. When using the JXplorer LDAP browser, I can connect to my ldap server. My test code is like this:

    import ldap
    import sys

    ldapuser = "cn=Manager,dc=openstack,dc=com"
    ldapurl = "ldap://"
    ldappass = "123456"

    l = ldap.initialize(ldapurl)
    l.protocol_version = ldap.VERSION3
    # simple_bind() is asynchronous: the value it returns is a message id, not the
    # bind outcome; simple_bind_s() blocks and raises ldap.INVALID_CREDENTIALS on failure
    result = l.simple_bind(ldapuser, ldappass)
    print result

nethawk (2014-03-17 20:54:45 -0500)

Editing your question to add more details will make it more readable and clear for others to help you out. Comments are bad for that.

smaffulli (2014-03-18 11:33:46 -0500)

1 answer


answered 2014-03-17 21:33:20 -0500

9lives

From the keystone --debug user-list output, you are using the admin_token, which bypasses the password auth. The problem might be in the ldap login; could you verify whether your keystone log has anything like the below?

    DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://localhost from (pid=3565) __init__ /opt/openstack/keystone/keystone/common/ldap/
    2014-03-18 02:14:39.840 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False from (pid=3565) __init__ /opt/openstack/keystone/keystone/common/ldap/
    2014-03-18 02:14:39.841 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=cn=Manager,dc=openstack,dc=org from (pid=3565) simple_bind_s /opt/openstack/keystone/keystone/common/ldap/

If not, please double check the credential used to log in to your ldap server. By the way, I guesstimate you are using devstack to set up the whole thing; I did that many days ago and found that devstack uses dc=Manager,dc=openstack,dc=org, not cn=Manager,dc=openstack,dc=org.

Hope that helps!




Thanks. I used CentOS. And the keystone.log has something like below, which is not the same as yours.

    (keystone.common.ldap.core): 2014-03-17 10:20:41,568 DEBUG LDAP init: url=ldap://localhost
    (keystone.common.ldap.core): 2014-03-17 10:20:41,568 DEBUG LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1
    (keystone.common.ldap.core): 2014-03-17 10:20:41,570 DEBUG LDAP bind: dn=dc=Manager,dc=openstack,dc=org
    (keystone.common.wsgi): 2014-03-17 10:20:41,576 ERROR {'desc': 'Invalid credentials'}

nethawk (2014-03-18 20:09:34 -0500)

Oh, I have found the problem. 'dc=Manager,dc=openstack,dc=org' is wrong; it must be 'cn=Manager,dc=openstack,dc=org'. After I changed it, keystone user-list returns the correct result. Thanks again.

nethawk (2014-03-18 20:12:51 -0500)
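The thread ends with a bind DN typo (dc=Manager instead of cn=Manager) that keystone only surfaces as a generic HTTP 500 'Invalid credentials'. As an added example (not code from the question, the answer, or keystone itself), the stdlib-only Python below performs the consistency checks on a keystone.conf [ldap] section that would have flagged both the dc= bind user and the cn= suffix before keystone ever tried to bind; the sample section is constructed from the question, and url=ldap://localhost is assumed because the question's url value was cut off.

```python
import configparser

# Constructed sample: the [ldap] section as posted in the question, carrying the
# two mistakes the thread turns up (cn= suffix, dc= bind user); url is assumed.
SAMPLE_CONF = """
[ldap]
url = ldap://localhost
password = 123456
suffix = cn=openstack,cn=org
user = dc=Manager,dc=openstack,dc=org
user_tree_dn = ou=Users,dc=openstack,dc=org
tenant_tree_dn = ou=Projects,dc=openstack,dc=org
role_tree_dn = ou=Roles,dc=openstack,dc=org
"""

def parse_dn(dn):
    """Split 'cn=Manager,dc=openstack,dc=org' into [('cn', 'Manager'), ...] (no escaped commas)."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def check_ldap_section(conf_text):
    """Return a list of problems found in [ldap]; an empty list means the DNs look consistent."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sect = cp["ldap"]
    problems = []
    suffix = parse_dn(sect["suffix"])
    # The directory suffix is built from domain components (dc=), never cn=.
    if any(attr != "dc" for attr, _ in suffix):
        problems.append("suffix is not made of dc= components: " + sect["suffix"])
    # The bind identity is an entry (typically cn=Manager), so its first RDN is not dc=.
    bind = parse_dn(sect["user"])
    if bind[0][0] == "dc":
        problems.append("bind user starts with dc=, expected an entry such as cn=...: " + sect["user"])
    if not sect.get("password"):
        problems.append("no bind password configured")
    # Every tree keystone searches must sit under the suffix.
    for key in ("user_tree_dn", "tenant_tree_dn", "role_tree_dn"):
        if parse_dn(sect[key])[-len(suffix):] != suffix:
            problems.append(key + " is not under suffix " + sect["suffix"])
    return problems

if __name__ == "__main__":
    for problem in check_ldap_section(SAMPLE_CONF):
        print("keystone.conf [ldap]:", problem)
```

Once the static check passes, the bind itself can be confirmed against the server with OpenLDAP's ldapwhoami -x -H ldap://localhost -D "cn=Manager,dc=openstack,dc=org" -W, which reports the DN the server actually authenticated instead of keystone's wrapped 500.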
