
"An error occurred authenticating. Please try again later." on authentication with ldap configuration. [closed]

asked 2014-06-13 09:28:39 -0500


updated 2014-07-02 14:57:47 -0500

This is on icehouse.

o Trying to get /var/log/keystone/keystone.log (permissions are to root) to work, but not successful.

o SQL works on this single node for keystone.

Error: An error occurred authenticating. Please try again later.

================ See keystone.conf below:

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################


[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

user_objectclass = person

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =


user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
# everything else in keystone.conf was as pulled from github.
===============================
Original keystone.conf that works

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

#
# Options defined in keystone
#

# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
#admin_token=ADMIN

# The IP Address of the network interface to for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP Address of the network interface to for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0

# The port which the OpenStack Compute service listens on.
# (integer value)
#compute_port=8774

# The port number which the admin service listens on. (integer
# value)
#admin_port=35357

# The port number which the public service listens on.
# (integer value)
#public_port=5000

# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/

# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this ...

Closed for the following reason too localized by tarawa1943
close date 2014-06-24 12:56:08.799309

Comments

o python-ldap installed before testing.

o restarted keystone server after config change.

tarawa1943 (2014-06-13 09:29:53 -0500)

Would appreciate hints on how to get logging working on keystone.

The keystone.conf was changed and service keystone restart done.

tarawa1943 (2014-06-13 11:49:42 -0500)

Following these procedures from http://openstack.org

http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html

tarawa1943 (2014-06-13 11:51:43 -0500)

What errors are you getting?

mpetason (2014-06-13 13:46:42 -0500)

Add details in the question, not in comments: it makes the question more readable.

smaffulli (2014-06-13 15:41:36 -0500)

3 answers


answered 2014-06-24 12:55:21 -0500


updated 2014-07-02 17:10:28 -0500 by smaffulli

Posting a solution:

This worked by placing a project/userid in the local SQL and accessing the LDAP server (Active Directory) for user-level authentication. The OU is fixed, i.e. hardcoded; that is the discovered caveat.

Hybrid SQL and LDAP backends for OpenStack Keystone, for the Havana release but upgraded to Icehouse:

https://github.com/matthewfischer/key...


answered 2014-06-14 09:12:28 -0500

Authentication will fail if the user does not have a role in any project, and you request a token scoped to a project.


Comments

On devstack, how do I define a role if I cannot get proper creds to access the database to list anything? I have the admin user (which is what I am trying to log on to the dashboard as, admin). All I have is the admin password, but changing the creds to those listed in the last attempt does not get me into the database. Should I be using devstack to test this LDAP extension with?

tarawa1943 (2014-06-19 13:48:53 -0500)

answered 2014-06-18 19:19:49 -0500


Without knowing the error, it's hard to identify its cause. For testing only, you can disable the log and write output to the console to see what the error is if you cannot get access to the keystone logs (enable debug in keystone.conf). Or direct the output log file to a location where you have access.

If you are not getting successful authentication with LDAP but it works with SQL, check the following:
-- Can you check that the login credentials match in LDAP?
-- Make sure user_id_attribute is mapped correctly between LDAP and the SQL role assignment tables (which store the user id attribute).
-- Also make sure that the user used for authentication has a role assignment for the project you are using.
-- If you are using v2 authentication, then the user needs to be in the default domain 'default'.

Hope it helps


Comments

Thank you ArunKant, I will try that and report back.

tarawa1943 (2014-06-19 12:30:32 -0500)

The creds you're referring to are for user_id LDAP? For a parameter in ldap or a role of ldap? I am trying to auth against an AD global catalog and can get to the user in the AD catalog authentication. Do I need to do something specific in the keystone conf to get this to work?

tarawa1943 (2014-06-19 13:13:54 -0500)
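The checks in ArunKant's answer ("do the credentials match in LDAP", "is the user enabled") can be run against the [ldap] values from the question without going through Keystone. The script below is an added example, not code from the original post or from Keystone: it rebuilds a search filter equivalent to the one Keystone's ldap identity driver derives from user_objectclass plus user_filter, applies the user_enabled_mask/user_enabled_default logic to an AD userAccountControl value, and (with python-ldap, which the poster had installed) binds as the service account to look the user up. The LDAP URL, bind DN and password are placeholders to be filled in.

```python
# Added example (not from the original post or Keystone itself): reproduce the
# user lookup Keystone's ldap identity driver performs for the [ldap] settings
# quoted in the question, so a failing login can be checked outside Keystone.
# Assumes python-ldap (only needed by check_user); server values are placeholders.
from dataclasses import dataclass

# RFC 4515 escaping, so a user id cannot alter the search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

@dataclass
class LdapUserConfig:
    user_tree_dn: str
    user_objectclass: str          # the question sets this twice; only one value can apply
    user_filter: str
    user_id_attribute: str = "cn"
    user_enabled_attribute: str = "userAccountControl"
    user_enabled_mask: int = 2     # bit 2 of userAccountControl is ACCOUNTDISABLE in AD
    user_enabled_default: int = 512

def build_user_search_filter(cfg, user_id=None):
    """Objectclass filter AND user_filter AND (optionally) the id attribute."""
    parts = [f"(objectclass={cfg.user_objectclass})"]
    if cfg.user_filter.strip():
        parts.append(cfg.user_filter.strip())
    if user_id is not None:
        parts.append(f"({cfg.user_id_attribute}={escape_filter_value(user_id)})")
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"

def is_enabled(cfg, uac_value):
    """With a mask, the account counts as enabled only when the masked bit is clear."""
    return (int(uac_value) & cfg.user_enabled_mask) != cfg.user_enabled_mask

def check_user(cfg, url, bind_dn, bind_pw, user_id):
    """Bind as the service account, locate the user as Keystone would, report its state."""
    import ldap  # python-ldap, imported here so the pure helpers above run without it
    conn = ldap.initialize(url)
    conn.simple_bind_s(bind_dn, bind_pw)  # raises ldap.INVALID_CREDENTIALS on a bad bind
    results = conn.search_s(cfg.user_tree_dn, ldap.SCOPE_ONELEVEL,
                            build_user_search_filter(cfg, user_id),
                            [cfg.user_id_attribute, cfg.user_enabled_attribute])
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]  # drop referrals
    if not entries:
        return {"found": False}
    dn, attrs = entries[0]
    uac = attrs.get(cfg.user_enabled_attribute, [str(cfg.user_enabled_default).encode()])[0]
    return {"found": True, "dn": dn, "enabled": is_enabled(cfg, uac)}
```

A result of found=False with the service bind succeeding points at the tree DN, objectclass or user_filter rather than the credentials; enabled=False means the mask bit is set on the account and Keystone will reject the login even with a correct password.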

Asked: 2014-06-13 09:28:39 -0500

Seen: 4,147 times

Last updated: Jul 02 '14