Keystone AD unable to login INVALID_CREDENTIALS
Hi Peeps,
I'm trying to integrate Keystone with our existing setup and have reached a standstill.
When I try to log in I get the following: http://paste.openstack.org/show/108364/ (keystone-all.log)
My config (minus not binding to root but an OU) is the same as this: https://gist.github.com/cjellick/e5409d9557a25e36e926 (keystone.conf)
If I authenticate with the Admin token in the CLI and do a keystone user-list, it returns all the users in the OU as expected. My admin account prior to this was cloudadmin, therefore I have created the same user in AD with the same password; this is also the bind credential. I can see this user in the keystone user-list, however I cannot log in with it due to the above error.
I'm running Icehouse on Ubuntu 14.04 authenticating against a Windows 2012 DC.
Am I missing something simple? Have I gone about this from the wrong direction? Any help would be greatly appreciated.
UPDATE: I changed cloudadmin's password to a less complex one without alphanumerics. I now get:
For a user that does exist:
__init__ /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:711
2014-09-08 17:45:37.357 2906 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=cloudadmin,OU=Users,DC=foo,DC=co,DC=uk simple_bind_s /usr/lib/python2.7/dist-packages$
2014-09-08 17:45:37.359 2906 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=Users,DC=foo,DC=co,DC=uk, scope=2, query=(&(sAMAccountName=cloudadmin)(objectclass=$
2014-09-08 17:45:37.362 2906 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:777
2014-09-08 17:45:37.363 2906 DEBUG keystone.notifications [-] CADF Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', 'initiator': {'typeURI': 'service/security/account/user', 'host': {'$
2014-09-08 17:45:37.364 2906 WARNING keystone.common.wsgi [-] Authorization failed. Invalid user / password from 127.0.0.1
2014-09-08 17:45:37.365 2906 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [08/Sep/2014 17:45:37] "POST /v2.0/tokens HTTP/1.1" 401 305 0.029481
2014-09-08 17:47:49.730 2906 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/dist-packages/keystone/middleware/cor$
2014-09-08 17:47:49.732 2906 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/dist-packages/keystone/common/wsgi.py:181
2014-09-08 17:47:49.735 2906 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://10.0.77.101 __init__ /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:701
2014-09-08 17:47:49.736 2906 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
For a user that doesn't exist:
__init__ /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:711
2014-09-08 17:47:49.737 2906 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=cloudadmin,OU ...
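As an added example, not from the original post and not Keystone's own code, the script below triages keystone-all.log lines of the kind pasted above. It reconstructs the LDAP flow Keystone logs for a v2 token request (init, service-account bind, search by sAMAccountName, unbind, result), counts "Authorization failed" events per source IP, and flags the one security-relevant detail already visible in the excerpt: the connection is `url=ldap://10.0.77.101` with `use_tls=False`, so the bind credential (which the post says is the cloudadmin password) crosses the network in cleartext. The sample log lines are constructed from the excerpt (the `...` truncations mirror the paste), the repeated-failure threshold is an arbitrary choice, and the regexes assume the Icehouse log format shown above.

```python
"""Triage Keystone (Icehouse) token-auth failures from keystone-all.log lines.

Added example: reconstructs the logged LDAP flow (init -> bind -> search ->
unbind -> result), counts failed token requests per source IP, and flags a
service-account bind carried over plain ldap:// without STARTTLS.
"""
import re
from collections import Counter

# Constructed sample modelled on the excerpt in the post; "..." marks truncation.
SAMPLE_LOG = """\
2014-09-08 17:45:37.350 2906 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://10.0.77.101 __init__ ...
2014-09-08 17:45:37.351 2906 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
2014-09-08 17:45:37.357 2906 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=cloudadmin,OU=Users,DC=foo,DC=co,DC=uk simple_bind_s ...
2014-09-08 17:45:37.359 2906 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=Users,DC=foo,DC=co,DC=uk, scope=2, query=(&(sAMAccountName=cloudadmin)(objectclass=...
2014-09-08 17:45:37.362 2906 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s ...
2014-09-08 17:45:37.364 2906 WARNING keystone.common.wsgi [-] Authorization failed. Invalid user / password from 127.0.0.1
2014-09-08 17:45:37.365 2906 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [08/Sep/2014 17:45:37] "POST /v2.0/tokens HTTP/1.1" 401 305 0.029481
2014-09-08 17:50:01.100 2906 WARNING keystone.common.wsgi [-] Authorization failed. Invalid user / password from 127.0.0.1
2014-09-08 17:50:01.101 2906 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [08/Sep/2014 17:50:01] "POST /v2.0/tokens HTTP/1.1" 401 305 0.031002
"""

# One Icehouse-era log line: timestamp, pid, level, logger, "[-]", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<pid>\d+) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) \[-\] (?P<msg>.*)$"
)
INIT_URL_RE = re.compile(r"LDAP init: url=(?P<url>\S+)")
INIT_TLS_RE = re.compile(r"LDAP init: use_tls=(?P<tls>True|False)")
BIND_RE = re.compile(r"LDAP bind: dn=(?P<dn>\S+)")
SEARCH_RE = re.compile(r"LDAP search: .*\(sAMAccountName=(?P<name>[^)]+)\)")
AUTH_FAIL_RE = re.compile(r"Authorization failed\..* from (?P<ip>[0-9.]+)")
TOKEN_401_RE = re.compile(r'"POST /v2\.0/tokens HTTP/1\.1" 401 ')


def parse_line(line):
    """Split one log line into fields; None for continuation lines (tls_cacertfile=None, ...)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Walk the log and collect the LDAP flow facts plus per-IP auth-failure counts."""
    s = {"ldap_urls": [], "use_tls": None, "bind_dns": [], "searched_accounts": [],
         "failures_by_ip": Counter(), "http_401": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = INIT_URL_RE.search(msg)
        if m:
            s["ldap_urls"].append(m.group("url"))
            continue
        m = INIT_TLS_RE.search(msg)
        if m:
            s["use_tls"] = m.group("tls") == "True"
            continue
        m = BIND_RE.search(msg)
        if m:
            s["bind_dns"].append(m.group("dn"))
            continue
        m = SEARCH_RE.search(msg)
        if m:
            s["searched_accounts"].append(m.group("name"))
            continue
        m = AUTH_FAIL_RE.search(msg)
        if m:
            s["failures_by_ip"][m.group("ip")] += 1
            continue
        if TOKEN_401_RE.search(msg):
            s["http_401"] += 1
    s["failures_by_ip"] = dict(s["failures_by_ip"])
    # Plain ldap:// without STARTTLS means simple_bind_s sends the bind password unencrypted.
    s["plaintext_bind"] = (any(u.startswith("ldap://") for u in s["ldap_urls"])
                           and s["use_tls"] is not True)
    return s


def findings(summary, fail_threshold=3):
    """Turn the summary into triage findings; the threshold is an arbitrary tuning value."""
    out = []
    if summary["plaintext_bind"]:
        out.append("LDAP bind as %s to %s uses plain ldap:// with use_tls=False; the bind "
                   "password crosses the network in cleartext (use ldaps:// or use_tls=True)"
                   % (", ".join(sorted(set(summary["bind_dns"]))) or "<no dn logged>",
                      ", ".join(summary["ldap_urls"])))
    for ip, n in sorted(summary["failures_by_ip"].items()):
        if n >= fail_threshold:
            out.append("%d failed token requests from %s" % (n, ip))
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("LDAP flow: urls=%s use_tls=%s bind=%s search=%s 401s=%d"
          % (s["ldap_urls"], s["use_tls"], s["bind_dns"], s["searched_accounts"], s["http_401"]))
    for f in findings(s, fail_threshold=2):
        print("FINDING:", f)
```

Run it against a real keystone-all.log with `summarize(open(path).readlines())`; the continuation lines of the `LDAP init` message are skipped by design, so only the `use_tls=` line drives the plaintext check.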