Ask Your Question

LDAP integration problem - SELinux variable 'authlogin_nsswitch_use_login' not found

asked 2014-05-06 01:30:00 -0500

Gowri gravatar image

updated 2014-06-26 12:03:00 -0500

mpetason gravatar image

We are trying to integrate the openstack setup with the Microsoft Active Directory(LDAP server).

As per openstack documentation, in order to integrate with an LDAP server, an SELinux Boolean variable ‘authlogin_nsswitch_use_ldap’ needs to be set. We tried setting the variable using the following command. $ setsebool –P authlogin_nsswitch_use_ldap 1 It returned a message stating SElinux is disabled. We changed the status of SElinux to permissive mode and tried setting the boolean variable, but it returned a message stating ‘record not found in the database’.

We also tried retrieving all the boolean variables by using the following command $getsebool –a It listed out all the boolean variables, but there was no variable named ‘authlogin_nsswitch_use_ldap’ in the list. In order to add the variable we needed semanage. When executing the ‘semanage’ command it returned ‘command not found’. To install semanage we tried installing policycoreutils-python. It showed no package policycoreutils-python available.

We are using Mirantis Fuel v4.0. We have an openstack Havana deployment on CentOS 6.4 and nova-network network service. Can you please help us on why the SELinux boolean variable (authlogin_nsswitch_use_ldap) is not available. Is it because the CentOS image provided by the Fuel master node does not provide the SELinux settings? Is there any alternative ways to set this boolean variable?

Kindly help us to resolve this issue.

edit retag flag offensive close merge delete

1 answer

Sort by » oldest newest most voted

answered 2014-06-07 09:32:21 -0500

mpetason gravatar image

I believe I helped with this previously. SELinux is not on by default so the command recommended in the guide does not work. If you are not using SELinux then the SELinux parts of the documentation can be skipped. The guide you linked isn't going to be the best source of information about setting this up. It is missing a few key configuration options to work directly with AD.

Let me know if you are still working on this setup. I should be able to help out.

edit flag offensive delete link more



Thanks for the response.

We are trying to integrate Keystone to a Corporate read-only LDAP. What configuration has to be made at the keystone side to make this work ?

User and group information from LDAP has to be mapped to tenant and roles in Keystone(As per our understanding), We are not able to understand how to do this. Should this mapping be done manually or Is there any automated way of doing this ?

We made the following changes in Keystone.conf

  1. Set identity to LDAP

  2. Set Assignment to SQL

  3. LDAP user and user tree parameters have been set.

But still its not working. Can you help us with this? Is there any good document that we can follow for this ?

Gowri gravatar imageGowri ( 2014-06-09 05:13:19 -0500 )edit

You would assign groups to projects. In Havana/Fuel 4.0 you may need to enable the v3 keystone api and edit the Horizon settings in to use the v3 api. This will enable you to see Groups/Roles/Domains in the dashboard.

I should probably write a blog post about this.

mpetason gravatar imagempetason ( 2014-06-09 10:01:52 -0500 )edit

This has some useful information regarding nested groups and AD/LDAP search strings.

mpetason gravatar imagempetason ( 2014-06-09 10:02:59 -0500 )edit

Thanks mpetason, I wil try and get back with the results.

Thanks for the response and yes a blog post will be very helpful :)

Gowri gravatar imageGowri ( 2014-06-10 07:19:48 -0500 )edit

Hi mpetason,

I work with Gowri on this. We followed the thread you suggested. But for us the problem is like keystone user-list is not showing the ldap users. Instead it shows the local users. We are now trying to integrate with a sample active directory with the same structure as in openstack documentation. But that itself is not working out for us.

keystone user-list

is showing the local users for first time. Next time it shows "Could not find user, AdminUser(HTTP 401)". We are confused with this random behavior. We updated the keystone.conf files with the corresponding DN for user_tree_dn section, tenant_tree_dn section and role_tree_dn section and changed the identity driver to ldap.

We are using Havana on CentOs. Keystone API is of version 2.0.

Kindly help us on this.

Thanks, Tizy

tizy gravatar imagetizy ( 2014-06-11 00:15:19 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-05-06 01:30:00 -0500

Seen: 1,263 times

Last updated: Jun 07 '14