Active directory integration issue

asked 2014-05-07 01:09:38 -0500

asekaran

updated 2014-05-07 02:16:38 -0500

Hi,

I want to integrate Keystone with Active Directory, and have followed the document below to configure AD integration.

http://behindtheracks.com/2013/08/ope...

I have edited the schema as mentioned in the document.

Below is my Keystone configuration file. After configuring the Keystone integration with AD I am getting the error logs pasted below, and the Keystone service is not starting.

**Keystone.conf**
[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity

[ldap]
query_scope = sub
url = ldap://10.37.6.217
user = cn=ldapuser,cn=Users,dc=example,dc=com
password = password@123
suffix = dc=brocadestack,dc=com
use_dumb_member = True
#dumb_member = cn=ldapuser,cn=Users,dc=example,dc=com

user_tree_dn = cn=Users,dc=example,dc=com
user_objectclass = organizationalPerson
user_id_attribute = sAMAccountName
user_name_attribute = cn
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = True
user_allow_update = True
user_allow_delete = True

tenant_tree_dn = ou=Projects,ou=OpenStack,dc=example,dc=com
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore = description,businessCategory,extensionName
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = ou=Roles,ou=OpenStack,dc=example,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True

root@controller:/var/log/keystone# service keystone status
keystone stop/waiting

**Keystone.log**
root@controller:/var/log/keystone# tail keystone.log
2014-05-07 11:27:48.177 13469 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-05-07 11:27:48.273 13469 CRITICAL keystone [-] No module named ldap
2014-05-07 11:27:48.508 13474 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-05-07 11:27:48.604 13474 CRITICAL keystone [-] No module named ldap
2014-05-07 11:27:48.830 13482 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-05-07 11:27:48.923 13482 CRITICAL keystone [-] No module named ldap
2014-05-07 11:27:49.157 13490 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-05-07 11:27:49.251 13490 CRITICAL keystone [-] No module named ldap
2014-05-07 11:27:49.481 13495 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-05-07 11:27:49.576 13495 CRITICAL keystone [-] No module named ldap

root@controller:/var/log/keystone# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
<attribute 'message' of 'exceptions.BaseException' objects> (HTTP Unable to establish connection to http://controller:35357/v2.0/users)

Has anyone faced this issue? Please share how this is done.

Thanks, Arun.


Comments

Need similar reports from your system:-
[root@dfw02 ~(keystone_admin)]$ systemctl list-units | grep keystone
openstack-keystone.service loaded active running OpenStack Identity Service (code-named Keystone)

[root@dfw02 ~(keystone_admin)]$ ps -aux | grep keystone
keystone 1298 0.0 0.6 396468 51904 ? Ss 08:08 0:02 /usr/bin/python /usr/bin/keystone-all --config-file /usr/share/keystone/keystone-dist.conf --config-file /etc/keystone/keystone.conf

[root@dfw02 ~(keystone_admin)]$ netstat -ntpl | grep 1298
tcp 0 0 0.0.0.0:35357 0.0.0.0:* LISTEN 1298/python
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 1298/python

dbaxps ( 2014-05-07 02:17:59 -0500 )

Below are the output of above commands.

root@controller:~# systemctl list-units | grep keystone
Failed to get D-Bus connection: No connection to service manager.

root@controller:~# ps -aux | grep keystone
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root 16700 0.0 0.0 9392 940 pts/14 S+ 18:49 0:00 grep --color=auto keystone

root@controller:~# netstat -ntpl | grep 1298
root@controller:~#

Thanks

asekaran ( 2014-05-07 08:22:24 -0500 )

OK. One more time: it's not Fedora, Ubuntu I guess. Your commands are different from mine.
Check on your system:
$ service openstack-keystone status
$ ps -ef | grep keystone
It will give you the process id (if the keystone service is RUNNING). You are supposed to get a real number - xxxxxx.
Then run with your value of xxxxxxx :-
$ netstat -lntp | grep xxxxxxx

dbaxps ( 2014-05-07 08:32:39 -0500 )

Yes, you are right, it is on Ubuntu.

The Keystone service is not coming up even if we start it.

root@controller:~# service keystone status
keystone stop/waiting
root@controller:~# ps -ef | grep keystone
root 16728 14198 0 19:39 pts/14 00:00:00 grep --color=auto keystone
root@controller:~# netstat -lntp | grep 16728
root@controller:~# netstat -lntp | grep 14198

I got the above output for ps -ef; if I do netstat it gives no output because the keystone service is stopped.

Thanks for the reply.

asekaran ( 2014-05-07 09:12:20 -0500 )

First thing to do is bring the keystone service back to life. What does /var/log/keystone/keystone.log say?

dbaxps ( 2014-05-07 09:41:11 -0500 )

1 answer


answered 2014-05-07 19:08:23 -0500

mpetason

Try installing the package that installs python-ldap:

apt-get install libldap2-dev

Or if you can't find that do a search for python-ldap.

Try restarting keystone. See if you have the same error come up.

Change these as well. user_id is actually the person's name or CN, and user_name is actually the user's sAMAccountName:

user_id_attribute = cn
user_name_attribute = sAMAccountName

^^ Took me a couple of hours to figure that out. I'm assuming you want the user to login with whatever you are using for sAMAccountName, not their first+last name which would show up under CN.

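Two things worth checking before retrying, as an added example that is not code from this thread, from the linked guide, or from Keystone itself. First, the CRITICAL "No module named ldap" lines mean the Python `ldap` module is not importable by the keystone process; on Ubuntu that module is shipped by the python-ldap package (libldap2-dev provides only the C headers python-ldap is built against), so confirm `python -c "import ldap"` works as the user keystone runs as. Second, the script below parses the posted [ldap] section, applies the cn/sAMAccountName swap from the answer, reports what a reviewer would still push back on in that config, and reproduces the rule Keystone's LDAP identity driver uses to derive "enabled" from userAccountControl with user_enabled_mask = 2: the user is enabled when bit 2 (ACCOUNTDISABLE) is clear, and a missing attribute falls back to user_enabled_default. The finding codes, helper names and the trimmed sample config are my own; the host, bind DN and password in it are the ones posted in the question.

```python
import configparser

# Constructed sample: the [ldap] section from the question, trimmed to the
# options this example inspects.
SAMPLE_CONF = """\
[ldap]
url = ldap://10.37.6.217
user = cn=ldapuser,cn=Users,dc=example,dc=com
password = password@123
user_tree_dn = cn=Users,dc=example,dc=com
user_objectclass = organizationalPerson
user_id_attribute = sAMAccountName
user_name_attribute = cn
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_allow_create = True
user_allow_update = True
user_allow_delete = True
"""

AD_ACCOUNTDISABLE = 0x2  # userAccountControl flag meaning "account is disabled"


def load_ldap_section(conf_text):
    """Return the [ldap] options as a dict (configparser lowercases option names)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return dict(parser["ldap"])


def user_enabled(uac_value, mask, default):
    """Keystone LDAP driver rule for a non-zero user_enabled_mask: the user is
    enabled when the masked bits are NOT all set. A missing attribute (None)
    falls back to user_enabled_default."""
    uac = int(default if uac_value is None else uac_value)
    return (uac & mask) != mask


def uac_for_state(uac, mask, enabled):
    """Inverse mapping used on writes: clear the mask bits to enable, set them to disable."""
    return (uac & ~mask) if enabled else (uac | mask)


def audit_ldap_section(ldap):
    """Return a sorted list of finding codes (my own names) for a [ldap] section."""
    findings = set()
    if ldap["url"].startswith("ldap://") and ldap.get("use_tls", "False").lower() != "true":
        # simple bind over plain ldap:// sends the bind account's password in cleartext
        findings.add("cleartext-bind")
    if ldap.get("user_name_attribute", "") != "sAMAccountName":
        # AD users log on with sAMAccountName, not with their cn (display name)
        findings.add("name-attr-not-samaccountname")
    if any(ldap.get("user_allow_%s" % op, "True").lower() == "true"
           for op in ("create", "update", "delete")):
        # Keystone would try to create/modify/delete user objects in AD via the bind account
        findings.add("ad-writes-allowed")
    if (ldap.get("user_enabled_attribute") == "userAccountControl"
            and int(ldap.get("user_enabled_mask", "0")) != AD_ACCOUNTDISABLE):
        # any mask other than 2 tests the wrong userAccountControl bit(s)
        findings.add("enabled-mask-not-accountdisable")
    return sorted(findings)


def corrected_user_mapping(ldap):
    """Apply the answer's swap (cn as id, sAMAccountName as login name) and, as my
    own hardening, make the AD backend read-only. Transport is left to the operator."""
    fixed = dict(ldap)
    fixed["user_id_attribute"] = "cn"
    fixed["user_name_attribute"] = "sAMAccountName"
    for op in ("create", "update", "delete"):
        fixed["user_allow_%s" % op] = "False"
    return fixed


if __name__ == "__main__":
    conf = load_ldap_section(SAMPLE_CONF)
    print("as posted:", audit_ldap_section(conf))
    print("after fix:", audit_ldap_section(corrected_user_mapping(conf)))
    for uac in ("512", "514", "66050", None):
        print("userAccountControl=%s enabled=%s" % (uac, user_enabled(uac, 2, 512)))
```

The one finding that survives the swap is the cleartext simple bind on port 389; clearing it is a transport change (an ldaps:// URL, or use_tls = True with tls_cacertfile pointing at the AD CA) rather than an attribute-mapping change, and the bind password sitting in keystone.conf is a reason to keep that file readable by the keystone user only.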

Comments

I have done the above and the keystone service started successfully, but when I authenticate there are some errors in keystone.log:

root@controller:~# tail /var/log/keystone/keystone.log
2014-05-08 13:19:52.268 19921 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-05-08 13:19:52.637 19921 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-05-08 13:19:52.639 19921 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-05-08 13:19:53.036 19930 INFO keystone.common.environment [-] Environment configured as: eventlet
2014-05-08 13:19:53.404 19930 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-05-08 13:19:53.405 19930 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2014-05-08 13:21:07.269 19930 WARNING keystone.common.wsgi ...(more)

asekaran ( 2014-05-08 02:55:16 -0500 )

Entries like this:-

2014-05-06 07:13:28.939 1280 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2014-05-06 07:13:28.942 1280 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000
dbaxps ( 2014-05-08 03:57:20 -0500 )

2014-05-06 10:26:54.638 1280 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, admin_required.
2014-05-06 12:37:12.000 1280 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, admin_required.
2014-05-06 21:10:16.588 1280 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, admin_required.

I grabbed the same entries in keystone.log on a working Controller.
dbaxps ( 2014-05-08 04:01:11 -0500 )

When you change over to LDAP after setting up with SQL originally you need to go back to the admin token and admin endpoint. Then setup all of the services: nova, neutron, ... in AD, set them up with the passwords you used in their config files to work with Keystone.

mpetason ( 2014-05-08 10:59:30 -0500 )

Setup an admin user in AD. Setup a password for them. Add the admin role to the admin user for the admin tenant, then you can change your openrc back to user/password/tenant. (This is assuming you are using assignment driver = sql. I'd recommend it for testing at least.)

mpetason ( 2014-05-08 11:01:09 -0500 )
