Keystone LDAP integration [closed]

asked 2014-04-03 10:58:53 -0600

racingferret

Hi Guys,

I have an OpenStack Havana installation and we have a requirement to integrate it with LDAP. I have been following the instructions on this page ( ), with some success, and can now log in with an alternative "admin" user called "osadmin".

The problem is that within Horizon, I'm greeted with two errors upon login: "Error: Unauthorised: Unable to retrieve usage information." and "Error: Unauthorised: Unable to retrieve limit information."

This continues for each of the pages that I click on. On the command line, when I source my creds for "osadmin" I can list users, roles and tenants, but if I try to retrieve a flavor list, I'm not authorised:

root@node-5:~# nova --debug flavor-list

REQ: curl -i -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "osadmin", "password": "osadmin"}}}'

INFO (connectionpool:202) Starting new HTTP connection (1):
DEBUG (connectionpool:296) "POST /v2.0/tokens HTTP/1.1" 200 2710
RESP: [200] CaseInsensitiveDict({'date': 'Wed, 02 Apr 2014 18:30:55 GMT', 'vary': 'X-Auth-Token', 'content-length': '2710', 'content-type': 'application/json'})
RESP BODY: {"access": {"token": {"issued_at": "2014-04-02T18:30:55.578617", "expires": "2014-04-03T18:30:55Z", "id": "92db3daf37454ca78ebf0d7c247778c5", "tenant": {"enabled": true, "description": "Admin Tenant", "name": "admin", "id": "c4d981b1d47c49d3a4bd8bc467073c40"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "", "region": "RegionOne", "internalURL": "", "id": "0dfdbe209bda44c9aeb101865fe48dd9", "publicURL": ""}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "", "region": "RegionOne", "internalURL": "", "id": "1747865618ff47b6a068820ed108769d", "publicURL": ""}], "endpoints_links": [], "type": "network", "name": "neutron"}, {"endpoints": [{"adminURL": "", "region": "RegionOne", "internalURL": "", "id": "847f45e1441d4a48ac441141892a00bf", "publicURL": ""}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "", "region": "RegionOne", "internalURL": "", "id": "172c31895c3c4cc8ba617ccd611c545b", "publicURL": ""}], "endpoints_links": [], "type": "volume", "name": "cinder"}, {"endpoints": [{"adminURL": "", "region": "RegionOne", "internalURL": "", "id": "0df6eee555134ae8b3c96a0a57880e1c", "publicURL": ""}], "endpoints_links": [], "type": "ec2", "name": "nova_ec2"}, {"endpoints": [{"adminURL": "", "region": "RegionOne", "internalURL": "", "id": "1959faa1878243d7b8e60a68b8a3fd1f", "publicURL": ""}], "endpoints_links": [], "type": "orchestration", "name": "heat"}, {"endpoints": [{"adminURL": "", "region": "RegionOne", "internalURL": "", "id": "0694e4371eaa457eb11cbc5d5556e94b", "publicURL": ""}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "osadmin", "roles_links": [], "id": "osadmin", "roles": [{"name": "admin"}], "name": "osadmin"}, "metadata": {"is_admin": 0, "roles": ["b5cc07da9685470dbcb2bc27e9a80b13"]}}}

REQ: curl -i http://172.16.0 ...

Closed for the following reason the question is answered, right answer was accepted by racingferret
close date 2014-04-04 10:07:21.405564


Is Keystone mapping to ldap and allowing you to list users? If you do:

keystone user-list

Do you get back LDAP users? Is it a requirement to manage everything through LDAP or can you use SQL for assignment? If you can use SQL for assignment (roles, tenants) then it's a lot easier.

mpetason ( 2014-04-03 11:18:18 -0600 )
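The split recommended in the comment above, written out as an added keystone.conf example (this is not from the original thread and not the OpenStack project's own sample config): users and service accounts are looked up in LDAP via the identity driver, while tenants and roles stay in the Keystone SQL database via the assignment driver. The LDAP hostname, bind DN, tree DN, group DN and attribute names are placeholders and have to be replaced to match the real directory schema.

```ini
[identity]
# Users (including the OpenStack service accounts) are read from LDAP.
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Tenants and roles stay in SQL. In Havana, leaving this unset makes
# assignment fall back to the identity backend, i.e. LDAP, which is the
# "everything in LDAP" setup that is harder to get right.
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# Assumed directory server and bind account. Use ldaps:// (or ldap:// with
# use_tls = True for STARTTLS); never send the bind password in clear text.
url = ldaps://ldap.example.com
user = cn=keystone,ou=service,dc=example,dc=com
password = CHANGE_ME
suffix = dc=example,dc=com
query_scope = sub

# Assumed user subtree and attribute mapping for inetOrgPerson entries.
user_tree_dn = ou=people,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute = userPassword
# Optional: only expose members of one group to Keystone. The group DN is an
# assumption and the memberOf attribute is not present on every directory.
user_filter = (memberOf=cn=openstack,ou=groups,dc=example,dc=com)

# Keystone only needs to read the directory; keep the bind account unable
# to create, change or delete user entries even if the ACLs are loose.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Certificate verification for the directory connection. use_tls must stay
# False when the URL is already ldaps://; set it True only with ldap://.
use_tls = False
tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
tls_req_cert = demand
```

With this layout `keystone user-list` should return the LDAP entries while `keystone tenant-list` and `keystone role-list` come from the database, so role assignments for LDAP users are made with the normal `keystone user-role-add` against the SQL backend. One caveat about the output posted in the question: `nova --debug` prints the full authentication request, including the plaintext password in the `passwordCredentials` field of the `REQ: curl ...` line, so that value should be redacted (and, if it was real, rotated) before such output is shared.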

Thanks for the info... I've kept roles and tenants in a DB as you suggested and only my users and service accounts are in LDAP. Works like a charm!

racingferret ( 2014-04-04 10:06:32 -0600 )

Yep it's a lot easier.

mpetason ( 2014-04-04 13:40:41 -0600 )