401 on authenticated keystone calls when using AD on Icehouse

asked 2014-08-12 15:09:15 -0500

anonymous user

updated 2014-08-12 18:52:56 -0500

I have been banging my head against the wall trying to figure this out. I have followed a couple of examples precisely and cannot get AD to authenticate properly. My keystone config and ldap dump are below. I really need someone better at AD backing keystone than I to take a look and point out what I am missing.

Note that when bypassing auth I can query successfully for roles, users and tenants. All list properly. However, user-role-list causes this error:

2014-08-12 16:44:14.144 10915 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:780
2014-08-12 16:44:14.145 10915 ERROR keystone.common.wsgi [-] 'utf8' codec can't decode byte 0x9d in position 13: invalid start byte
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 207, in __call__
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     result = method(context, **params)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/controllers.py", line 204, in get_user_roles
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     user_id, tenant_id)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/core.py", line 180, in get_roles_for_user_and_project
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     user_role_list = _get_user_project_roles(user_id, project_ref)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/core.py", line 161, in _get_user_project_roles
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     tenant_id=project_ref['id'])
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in _wrapper
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     return f(*args, **kw)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/backends/ldap.py", line 118, in _get_metadata
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     tenant_id)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/backends/ldap.py", line 91, in _get_roles_for_just_user_and_project
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     user_dn = self.user._id_to_dn(user_id)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 473, in _id_to_dn
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     'objclass': self.object_class})
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 823, in search_s
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     py_result = convert_ldap_result(ldap_result)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/ldap ...
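The traceback above dies inside convert_ldap_result, i.e. while turning the raw LDAP search result into strings: one attribute value contains the byte 0x9d at position 13, which is not a valid UTF-8 start byte, so the whole role lookup fails. Active Directory returns some attributes (objectGUID, objectSid) as raw binary rather than text, which is the usual way such a byte ends up in a result set. The following is an added example, not the poster's code and not keystone's own conversion routine: it reconstructs the failure on a constructed entry shaped like a python-ldap search_s() result and shows a defensive conversion that decodes text attributes while keeping binary ones intact, so a single non-text attribute cannot break an identity lookup. The function names, the BINARY_ATTRS set and the sample entry are all assumptions for the example; it is written for Python 3, whereas the traceback is from Python 2.6, but the decoding behaviour it demonstrates is the same.

```python
import base64
from typing import Any, Dict, List, Tuple

# Shape of a python-ldap search_s() result: [(dn, {attr: [value_bytes, ...]}), ...]
LdapResult = List[Tuple[str, Dict[str, List[bytes]]]]

# Attributes that Active Directory returns as raw binary rather than text.
# This set is an assumption for the example, not keystone configuration.
BINARY_ATTRS = {"objectguid", "objectsid"}

# Constructed sample entry: two text attributes and a 16-byte binary value whose
# byte at position 13 is 0x9d, which is not a valid UTF-8 start byte.
SAMPLE_RESULT: LdapResult = [
    (
        "CN=Example User,OU=Users,DC=example,DC=com",
        {
            "cn": [b"Example User"],
            "sAMAccountName": [b"example.user"],
            "objectGUID": [bytes(range(13)) + b"\x9d\x00\x01"],
        },
    )
]


def strict_convert(result: LdapResult) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Decode every attribute value as UTF-8.

    Mirrors the behaviour seen in the traceback: the first binary attribute
    raises UnicodeDecodeError and aborts the whole conversion.
    """
    return [
        (dn, {attr: [v.decode("utf-8") for v in vals] for attr, vals in attrs.items()})
        for dn, attrs in result
    ]


def safe_convert(result: LdapResult) -> List[Tuple[str, Dict[str, List[Any]]]]:
    """Decode text attributes as UTF-8 and keep binary attributes as base64.

    Known binary attributes are never passed through the text decoder; any
    other value that turns out not to be valid UTF-8 is also kept as base64
    instead of raising, so one odd attribute cannot take down a user lookup.
    """
    converted = []
    for dn, attrs in result:
        out: Dict[str, List[Any]] = {}
        for attr, vals in attrs.items():
            if attr.lower() in BINARY_ATTRS:
                out[attr] = [base64.b64encode(v).decode("ascii") for v in vals]
                continue
            decoded: List[Any] = []
            for v in vals:
                try:
                    decoded.append(v.decode("utf-8"))
                except UnicodeDecodeError:
                    # Unexpected non-text value: preserve it rather than crash.
                    decoded.append(base64.b64encode(v).decode("ascii"))
            out[attr] = decoded
        converted.append((dn, out))
    return converted


def strict_failure_message(result: LdapResult) -> str:
    """Return the UnicodeDecodeError text strict_convert raises, or '' if none."""
    try:
        strict_convert(result)
    except UnicodeDecodeError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print(strict_failure_message(SAMPLE_RESULT))
    for dn, attrs in safe_convert(SAMPLE_RESULT):
        print(dn, attrs)
```

Running it reproduces the "can't decode byte 0x9d in position 13: invalid start byte" message from the strict path, while the safe path returns the same entry with cn and sAMAccountName as text and objectGUID as a base64 string. When diagnosing a case like the one above, the practical check is to look at the raw attribute values returned for the user object and find which one carries the non-text bytes; if keystone is being asked to decode a binary attribute, the fix is in which attributes it reads (the user id/name attribute mappings in the ldap section of keystone.conf), not in the directory data.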

Comments

Is it a requirement for Tenants and Roles to be in AD? Is it possible to use AD just for authentication and then use MySQL for role assignment? If so, it is much easier to set up.

mpetason ( 2014-09-02 15:27:34 -0500 )