Unable to integrate Openstack with Active Directory

asked 2014-09-05 07:43:35 -0600 by ankush grover

updated 2014-09-09 07:04:20 -0600

Hi Friends,

I am running OpenStack Icehouse on CentOS 6.5 64-bit with Nova Network without any issues. Now I am trying to configure keystone to talk to Active Directory for users and groups, and SQL for assignment (tenants and roles). But I am getting the below error whenever I try to log in to the Dashboard with the Active Directory user or through the command line.

keystone tenant-list
User Ankush Grover is unauthorized for tenant baa9facc83d3498cb29c1b694d33b5d8 (HTTP 401)
keystone user-list
User Ankush Grover is unauthorized for tenant baa9facc83d3498cb29c1b694d33b5d8 (HTTP 401)
keystone user-list
User admin is unauthorized for tenant d2780c405b5640829b547c96a1a75e80 (HTTP 401)

On Dashboard the error is " You are not authorized for any projects."

The admin and ankush (Ankush Grover) users are already created in OpenStack and have admin access, but somehow keystone refuses to authorize them.

    tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| d2780c405b5640829b547c96a1a75e80 |  admin   |   True  |
| 2c44a987e331411c9a2f2b4d0cd3f691 |   demo   |   True  |
| b1ffc0d30bcd4c2aaa37a7ed43a860ec | service  |   True  |
| baa9facc83d3498cb29c1b694d33b5d8 | services |   True  |
+----------------------------------+----------+---------+

keystone user-role-list  (ankush access on the services tenant)
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 4adf5986a1994484b204431e50920659 | d2780c405b5640829b547c96a1a75e80 |
| aeb38e33d5524ef899a58c1e369a0f99 |  admin   | 4adf5986a1994484b204431e50920659 | d2780c405b5640829b547c96a1a75e80 |
+----------------------------------+----------+----------------------------------+----------------------------------+

keystone user-list
+----------------------------------+--------+---------+--------------------+
|                id                |  name  | enabled |       email        |
+----------------------------------+--------+---------+--------------------+
| a8fd484ee6e048d699ba98c8159948dc | admin  |   True  |   test@test.com    |
| 4adf5986a1994484b204431e50920659 | ankush |   True  | ankush@example.com |
+----------------------------------+--------+---------+--------------------+

keystone.conf file with LDAP entries

[identity]
driver=keystone.identity.backends.ldap.Identity

[ldap]
# global catalog server
url=ldap://domaincontroller:3268
user=op.auth@example.com
password=xzxzxxx
query_scope=sub
page_size=2000

user_tree_dn=DC=example,DC=com
user_objectclass=person

user_name_attribute=sAMAccountName
user_id_attribute=cn
user_mail_attribute=mail

user_enabled_attribute=userAccountControl
user_enabled_default=512
user_enabled_mask=2
user_enabled_emulation=False

user_allow_delete=False
user_allow_create=False
user_allow_update=False

group_tree_dn=DC=example,DC=com
group_objectclass=group

group_id_attribute=cn
group_name_attribute=name
group_member_attribute=member
group_desc_attribute=description

group_allow_update=False
group_allow_delete=False
group_allow_create=False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

Now, after integration with AD, I am not able to edit or add new projects.

2014-09-09 17:10:01.459 4241 INFO eventlet.wsgi.server [-] 172.16.10.205 - - [09/Sep/2014 17:10:01] "POST /v2.0/tokens HTTP/1.1" 404 251 0.017061
2014-09-09 17:10:01.491 4241 WARNING keystone.common.wsgi [-] Could not find user, a8fd484ee6e048d699ba98c8159948dc.

keystone user-role-add --user-id=a8fd484ee6e048d699ba98c8159948dc --tenant-id=d2780c405b5640829b547c96a1a75e80 --role-id=aeb38e33d5524ef899a58c1e369a0f99
No user with a name or ID of 'a8fd484ee6e048d699ba98c8159948dc' exists.

Keystone DB

select * from user where name="admin";
+----------------------------------+-------+----------------------------+-------------------------------------------------------------------------------------------------------------------------+---------+-----------+----------------------------------+
| id                               | name  | extra                      | password                                                                                                                | enabled | domain_id | default_project_id               |
+----------------------------------+-------+----------------------------+-------------------------------------------------------------------------------------------------------------------------+---------+-----------+----------------------------------+
| a8fd484ee6e048d699ba98c8159948dc | admin | {"email": "test@test.com"} | $6$rounds=40000$0EbEq0J2OrIhgUCQ$frLUKRZsdfgaQIHrNEgANovwjA20kzGq25W3TSXJ8XP1jRYEskwvkjFN1YVM.STCYKoc6eIlMA1aLpKKs.O3w0 |       1 | default   | d2780c405b5640829b547c96a1a75e80 |
+----------------------------------+-------+----------------------------+-------------------------------------------------------------------------------------------------------------------------+---------+-----------+----------------------------------+

What should be done to fix this?


Comments

Thanks, it worked by adding the users to the role. Followed the steps on this page -> http://www.mattfischer.com/blog/?p=545 Now I am facing another issue: I am not able to edit projects (tenants) from the frontend, as keystone complains that the old admin (SQL user) is not found, whereas it is there in the DB.

ankush grover (2014-09-09 06:52:01 -0600)

You have to move all service accounts and admin accounts to AD. Then use those credentials for auth. You have to use your token until you have set up an admin user in AD and assigned it to the role admin for the tenant.

mpetason (2014-09-09 08:36:34 -0600)

2 answers


answered 2014-09-09 07:12:53 -0600 by ankush grover

The problem got fixed by using the user_filter attribute:

user_filter=(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=openstack-cloud,ou=testcloud,dc=example,dc=com))

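To make concrete what that user_filter changes, here is an added example written for this page (it is neither keystone's own implementation nor code from the poster). With only user_objectclass=person and no filter, every person-derived object under DC=example,DC=com that the global catalog returns becomes a keystone user, which in AD includes computer accounts, since the computer class inherits from user and person. The filter narrows lookups to members of the openstack-cloud group. The code below builds the per-login search filter the way the LDAP identity backend composes it (objectclass AND user_filter AND name match), RFC 4515-escapes the login name so a crafted name such as `*` cannot widen the match, evaluates the result against a constructed sample directory with a tiny filter evaluator (AND/OR/NOT and equality with wildcards only), and applies the user_enabled_mask=2 check to userAccountControl. Assumptions: SAMPLE_ENTRIES is invented data; objectCategory is stored in the short form "Person" that AD accepts in filters (real AD stores the schema DN); a missing userAccountControl is treated as user_enabled_default, which is this example's choice.

```python
import re

# Settings taken from the question's [ldap] section and the answer above.
USER_OBJECTCLASS = "person"
USER_NAME_ATTRIBUTE = "sAMAccountName"
USER_ENABLED_ATTRIBUTE = "userAccountControl"
USER_ENABLED_MASK = 2        # ACCOUNTDISABLE bit of userAccountControl
USER_ENABLED_DEFAULT = 512   # NORMAL_ACCOUNT; used when the attribute is absent (assumption)
USER_FILTER = ("(&(objectCategory=Person)(sAMAccountName=*)"
               "(memberOf=cn=openstack-cloud,ou=testcloud,dc=example,dc=com))")

# Constructed sample directory (not real data): what a global-catalog search
# on DC=example,DC=com might return. objectCategory is in short form (assumption).
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["Person"], "sAMAccountName": ["ankush"],
     "cn": ["Ankush Grover"], "userAccountControl": ["512"],
     "memberOf": ["CN=openstack-cloud,OU=testcloud,DC=example,DC=com"]},
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["Person"], "sAMAccountName": ["bob"],
     "cn": ["Bob Disabled"], "userAccountControl": ["514"],   # 512 | 2: disabled
     "memberOf": ["CN=openstack-cloud,OU=testcloud,DC=example,DC=com"]},
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["Person"], "sAMAccountName": ["carol"],
     "cn": ["Carol Outsider"], "userAccountControl": ["512"],
     "memberOf": ["CN=finance,OU=staff,DC=example,DC=com"]},
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": ["Computer"], "sAMAccountName": ["HOST01$"],
     "cn": ["HOST01"], "userAccountControl": ["4096"]},
]

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, user_filter=USER_FILTER, escape=True):
    """Filter for one login name: objectclass AND user_filter AND name match.
    escape=False only shows what an unescaped name would do; keystone escapes."""
    name = escape_filter_value(username) if escape else username
    return "(&(objectClass=%s)%s(%s=%s))" % (USER_OBJECTCLASS, user_filter or "",
                                             USER_NAME_ATTRIBUTE, name)


def _parse(f, i=0):
    """Tiny filter parser: AND/OR/NOT and equality (with * wildcards) only."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|!":
        op, i, subs = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            subs.append(node)
        if f[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = f.index(")", i)            # a literal ')' inside a value is always escaped as \29
    attr, _, val = f[i:j].partition("=")
    return ("=", attr, val), j + 1


def _unescape(v):
    """Turn \\xx hex escapes back into the literal characters."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and len(v) >= i + 3:
            out.append(chr(int(v[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(v[i])
            i += 1
    return "".join(out)


def _match(node, entry):
    if node[0] == "&":
        return all(_match(n, entry) for n in node[1])
    if node[0] == "|":
        return any(_match(n, entry) for n in node[1])
    if node[0] == "!":
        return not _match(node[1][0], entry)
    _, attr, pattern = node
    # An unescaped '*' is a wildcard, everything else is literal. AD compares
    # most attribute values and DNs case-insensitively, approximated with IGNORECASE.
    regex = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in entry.get(attr.lower(), []))


def search(filter_str, entries=SAMPLE_ENTRIES):
    """Evaluate a filter against the sample entries; return matching sAMAccountNames."""
    node, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data in filter")
    hits = []
    for e in entries:
        lowered = {k.lower(): v for k, v in e.items()}   # attribute names are case-insensitive
        if _match(node, lowered):
            hits.append(e["sAMAccountName"][0])
    return hits


def lookup_user(username, user_filter=USER_FILTER, escape=True):
    """What keystone's user-by-name lookup would return for this login name."""
    return search(build_user_filter(username, user_filter, escape))


def is_enabled(entry):
    """user_enabled_mask semantics: enabled when the mask bits are clear."""
    raw = entry.get(USER_ENABLED_ATTRIBUTE, [str(USER_ENABLED_DEFAULT)])[0]
    return (int(raw) & USER_ENABLED_MASK) == 0
```

Run against the sample data, `lookup_user("carol")` is empty because she is not in openstack-cloud, `lookup_user("HOST01$")` is empty only because of the objectCategory=Person term (with `user_filter=""` the computer account is a valid keystone user), `lookup_user("*")` is empty because the name is escaped, and bob is found but `is_enabled` reports False from the 514 value. A quick way to confirm the filter against the real directory is `ldapsearch` on port 3268 with the same bind DN and the exact filter string from the answer, before pointing keystone at it.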

answered 2014-09-05 08:38:14 -0600 by mpetason

If you set this all up with SQL first and then moved over to LDAP, you will need to make sure you set up all of the accounts with their roles again. Since the admin user and service accounts are different from the ones created with SQL, they need role-add done for all of them.

