
How to create users with keystone and Active Directory backend?

asked 2014-06-19 09:27:07 -0600


None of the examples and configuration guides for setting up Keystone with Active Directory work for the "Create User" operation. The failures, at least in my case (Win 2008 R2 AD Server), seem to stem from an incorrect combination of user_objectclass and the additional fields that keystone attempts to set when creating an LDAP user.

    user_tree_dn = cn=Users,dc=example,dc=com
    user_objectclass = User
    user_filter = (&(objectClass=person)(!(objectClass=computer)))
    user_id_attribute = cn
    user_name_attribute = sAMAccountName
    user_mail_attribute = mail
    user_enabled_attribute = userAccountControl
    user_enabled_mask = 2
    user_enabled_default = 512
    user_enabled_emulation = false
    user_attribute_ignore = default_project_id,password,tenant_id,tenants
    user_allow_create = True
    user_allow_update = True
    user_allow_delete = True

Problem #1: user_objectclass - the user_objectclass MUST be "User" and NOT "organizationalPerson" or "person", otherwise AD will reject the creation request if it includes the "sAMAccountName" field. - AD Error : UNWILLING_TO_PERFORM

Problem #2: user_enabled_attribute - AD will not let you set the "userAccountControl" field in an LDAP create User request, Error: UNWILLING_TO_PERFORM

Has anyone found a combination of keystone.conf settings and possibly AD schema changes that will enable the "create-user" operation to succeed?



You could post your keystone logs to see what errors are coming back from LDAP. Turn on Debug in Keystone. This may spit out a few more errors.

mpetason (2014-06-19 10:41:05 -0600)

1 answer


answered 2014-06-19 14:08:49 -0600


After more digging, I got a little further and discovered some potential bugs:

NOTE: Any operation involving the password must be done over TLS (i.e. LDAPS), otherwise AD will reject the request. This should be noted in the documentation.

  1. the "UNWILLING_TO_PERFORM" response from AD is because keystone attempts to first create a user with the userAccountStatus value of 512, but is not providing a password. AD will not allow accounts with no password to have that status value (NORMAL_ACCOUNT).

  2. The correct password field to use when setting or changing a user password in AD is "unicodePwd", and it must be encoded correctly:

    import base64
    # Python 2: wrap the password in double quotes, encode as UTF-16-LE, then base64 for LDIF
    unipwd = base64.b64encode(unicode("\"AnExamplePassword1!\"").encode('utf-16-le'))

Ex: unicodePwd:: IgBBAG4ARQB4AGEAbQBwAGwAZQBQAGEAcwBzAHcAbwByAGQAMQAhACIA (NOTE: the double colon "unicodePwd::" is correct, not a typo).

It appears that keystone uses "userPassword", which AD seems to ignore in favor of "unicodePwd". Also, the 'unicodePwd' attribute is read-only and will never be given back in a query response.

  • keystone should either put the proper unicodePwd value in the initial create request along with the userAccountStatus of 512 - or - leave the password and userAccountStatus out of the create request, and issue a subsequent "update" request to set the password and set the accountStatus fields correctly.
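The following is an added example (not part of the question, the answer, or keystone's own code) that puts the answer's findings into runnable Python 3: it produces the quoted UTF-16-LE unicodePwd value and its LDIF base64 line, interprets userAccountControl the way the question's user_enabled_mask = 2 / user_enabled_default = 512 settings do, refuses a non-LDAPS URI before any password write, and lays out the two-step add-then-modify sequence the answer proposes. The tuple representation of the LDAP operations and the function names are assumptions for illustration, not any LDAP library's API.

```python
import base64

# userAccountControl bits as the question's keystone.conf uses them:
# user_enabled_default = 512 (NORMAL_ACCOUNT), user_enabled_mask = 2 (ACCOUNTDISABLE).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200


def encode_unicode_pwd(password: str) -> bytes:
    """Raw value AD expects in unicodePwd: the password wrapped in double
    quotes and encoded as UTF-16-LE with no byte-order mark."""
    return f'"{password}"'.encode("utf-16-le")


def unicode_pwd_ldif(password: str) -> str:
    """LDIF line for the attribute. The value is binary, so LDIF uses the
    double-colon base64 form; this is why 'unicodePwd::' is not a typo."""
    encoded = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "unicodePwd:: " + encoded


def is_enabled(user_account_control: int, mask: int = UF_ACCOUNTDISABLE) -> bool:
    """Mirror keystone's user_enabled_mask semantics: the account counts as
    enabled when the masked bit (ACCOUNTDISABLE) is clear."""
    return (user_account_control & mask) == 0


def require_ldaps(uri: str) -> str:
    """AD only accepts password writes over TLS, so reject a plain ldap://
    URI up front instead of letting AD answer UNWILLING_TO_PERFORM."""
    if not uri.lower().startswith("ldaps://"):
        raise ValueError("unicodePwd can only be set over LDAPS, got: " + uri)
    return uri


def plan_user_creation(user_dn: str, sam_account_name: str, password: str) -> list:
    """Two-step sequence from the answer: an add that carries neither the
    password nor userAccountControl, followed by a modify that sets both.
    Operations are returned as (op, dn, attrs) tuples; this shape is a
    hypothetical illustration, not a specific LDAP client's API."""
    add_attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": [sam_account_name],
    }
    modify_attrs = {
        "unicodePwd": [encode_unicode_pwd(password)],
        "userAccountControl": [str(UF_NORMAL_ACCOUNT)],
    }
    return [("add", user_dn, add_attrs), ("modify", user_dn, modify_attrs)]


if __name__ == "__main__":
    # Constructed sample values; the password is the one used in the answer.
    require_ldaps("ldaps://ad.example.com")
    print(unicode_pwd_ldif("AnExamplePassword1!"))
    for op, dn, attrs in plan_user_creation(
        "cn=alice,cn=Users,dc=example,dc=com", "alice", "AnExamplePassword1!"
    ):
        print(op, dn, sorted(attrs))
    print("512 enabled:", is_enabled(512), "| 514 enabled:", is_enabled(514))
```

Running the script prints the same base64 line the answer quotes, which is a quick way to confirm the quoting and encoding are right before pointing a client at a real directory.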



Asked: 2014-06-19 09:27:07 -0600

Seen: 574 times

Last updated: Jun 19 '14