Openstack Havana - Ldap / MySQL authentication "You are not authorized for any projects."
We have stood up Openstack Havanna instance and have had it configured to use only the MySQL database to do authentication. Due to the large nature of the organization we work in we want to switch this idenity management component of Openstack to LDAP but keep the project administration within the mysql db. We have followed the documentation on the Openstack guide to configure our ldap connection but we keep getting "You are not authorized for any projects." when we attempt to login to the Horizon page. Also we see multiple unauthorized for tenenat xxxxx in the log for the service accounts (nova, neutron, glance, cinder, etc). So it appears that our configurations allow us to read the ldap server but something is missing in the configuration to allow us to access the projects. Is there a post configuration step that needs to be taked to assign the ldap user to a project?
keystone.log snippet
`WARNING keystone.token.controllers [-] User neutron is unauthorized for tenant f8d9c29469ac4de2897f1f3d6eb9a296`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
`WARNING keystone.token.controllers [-] User nova is unauthorized for tenant f8d9c29469ac4de2897f1f3d6eb9a296`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
`WARNING keystone.token.controllers [-] User glance is unauthorized for tenant f8d9c29469ac4de2897f1f3d6eb9a296`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
`WARNING keystone.token.controllers [-] User admin is unauthorized for tenant cbf630efcfda4aee82dd56fa7d86b270`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
`WARNING keystone.token.controllers [-] User cinder is unauthorized for tenant f8d9c29469ac4de2897f1f3d6eb9a296`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
Keystone.conf file
[DEFAULT]
# A "shared secret" between keystone and other openstack services
# admin_token = ADMIN
admin_token = password
# The IP address of the network interface to listen on
# bind_host = 0.0.0.0
bind_host = 0.0.0.0
# The port number which the public service listens on
# public_port = 5000
public_port = 5000
# The port number which the public admin listens on
# admin_port = 35357
admin_port = 35357
# The base endpoint URLs for keystone that are advertised to clients
# (NOTE: this does NOT affect how keystone listens for connections)
# public_endpoint = http://localhost:%(public_port)s/
# admin_endpoint = http://localhost:%(admin_port)s/
# The port number which the OpenStack Compute service listens on
# compute_port = 8774
compute_port = 8774
# Path to your policy definition containing identity actions
# policy_file = policy.json
# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required
# Role for migrating membership relationships
# During a SQL upgrade, the following values will be used to create a new role
# that will replace records in the user_tenant_membership table with explicit
# role grants. After migration, the member_role_id will be used in ...