Keystone AD unable to login INVALID_CREDENTIALS

asked 2014-09-08 11:26:50 -0600 by stdg11, updated 2014-09-09 16:46:46 -0600

Hi Peeps,

I'm trying to integrate Keystone with our existing setup and have reached a standstill.

When I try to log in I get the following: http://paste.openstack.org/show/108364/ (keystone-all.log)

My config (except that I bind to an OU rather than to the root) is the same as this: https://gist.github.com/cjellick/e5409d9557a25e36e926 (keystone.conf)

If I authenticate with the admin token in the CLI and do a keystone user-list, it returns all the users in the OU as expected. My admin account prior to this was cloudadmin, so I have created the same user in AD with the same password; this is also the bind credential. I can see this user in the keystone user-list, but I cannot log in with it due to the above error.

I'm running Icehouse on Ubuntu 14.04, authenticating against a Windows 2012 DC.

Am I missing something simple? Have I gone about this from the wrong direction? Any help would be greatly appreciated.

UPDATE: I changed cloudadmin's password to a less complex one without alphanumerics. I now get:

For a user that does exist:

 __init__ /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:711
2014-09-08 17:45:37.357 2906 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=cloudadmin,OU=Users,DC=foo,DC=co,DC=uk simple_bind_s /usr/lib/python2.7/dist-packages$
2014-09-08 17:45:37.359 2906 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=Users,DC=foo,DC=co,DC=uk, scope=2, query=(&(sAMAccountName=cloudadmin)(objectclass=$
2014-09-08 17:45:37.362 2906 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:777
2014-09-08 17:45:37.363 2906 DEBUG keystone.notifications [-] CADF Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', 'initiator': {'typeURI': 'service/security/account/user', 'host': {'$
2014-09-08 17:45:37.364 2906 WARNING keystone.common.wsgi [-] Authorization failed. Invalid user / password from 127.0.0.1
2014-09-08 17:45:37.365 2906 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [08/Sep/2014 17:45:37] "POST /v2.0/tokens HTTP/1.1" 401 305 0.029481
2014-09-08 17:47:49.730 2906 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/dist-packages/keystone/middleware/cor$
2014-09-08 17:47:49.732 2906 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/dist-packages/keystone/common/wsgi.py:181
2014-09-08 17:47:49.735 2906 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://10.0.77.101 __init__ /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:701
2014-09-08 17:47:49.736 2906 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1

For a user that doesn't exist:

__init__ /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:711
2014-09-08 17:47:49.737 2906 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=cloudadmin,OU ...

2 answers


answered 2014-11-20 16:38:36 -0600 by stdg11, updated 2014-11-20 16:41:12 -0600

Upon upgrading today it magically started working with a split identity/assignment backend. See working config below.

All I had to do was create the appropriate OpenStack users for me, Nova and Glance in AD with the same passwords initially used in the setup, then run keystone user-role-add to assign them to the admin project and the service tenant.

[assignment]
driver=keystone.assignment.backends.sql.Assignment
[identity]
driver=keystone.identity.backends.ldap.Identity
[ldap]

url=ldap://dc.example.co.uk
user=CN=osad,OU=Users,DC=example,DC=co,DC=uk
password=*****
query_scope=sub
page_size=2000
suffix=DC=example,DC=co,DC=uk
use_dumb_member=True
dumb_member=CN=osad,OU=Users,DC=example,DC=co,DC=uk

user_tree_dn=OU=Users,DC=example,DC=co,DC=uk
user_objectclass=organizationalPerson

user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail

user_enabled_attribute = userAccountControl
user_enabled_default = 512
user_enabled_mask = 2

user_allow_create = False
user_allow_update = False
user_allow_delete = False
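The settings in the working config above (user_name_attribute, user_id_attribute, and the userAccountControl mask/default trio) and the cn-versus-sAMAccountName point made in the answer below, modelled offline. This is an added example and is not Keystone's code or anything from the original post: the directory entries and passwords are constructed inline, the search-then-bind sequence follows the keystone-all.log excerpt in the question, the bitmask rule is the one Keystone's LDAP identity driver applies (a user is enabled unless the mask bits are set, with user_enabled_default used when the attribute is absent), and the rationale given for user_id_attribute=cn (Keystone composes a DN as <user_id_attribute>=<id>,<user_tree_dn> when it cannot resolve an id by search, and AD names user entries by CN) is my own explanation, not one the answer states. The filter and DN escaping helpers are small stdlib implementations of RFC 4515/4514 rather than python-ldap's, included because the login name from the token request ends up inside the search filter.

```python
"""Offline model of the Keystone [ldap] settings from the config above (added example, not Keystone code)."""

# Values taken from the working keystone.conf above.
LDAP_CONF = {
    "user_tree_dn": "OU=Users,DC=example,DC=co,DC=uk",
    "user_objectclass": "organizationalPerson",
    "user_id_attribute": "cn",
    "user_name_attribute": "sAMAccountName",
    "user_enabled_attribute": "userAccountControl",
    "user_enabled_mask": 2,
    "user_enabled_default": 512,
}

# Microsoft-documented userAccountControl flag bits.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000


def _entry(cn, sam, uac):
    """Build one constructed AD-style user entry under user_tree_dn."""
    return {"dn": "CN=%s,%s" % (cn, LDAP_CONF["user_tree_dn"]), "cn": cn,
            "sAMAccountName": sam, "userAccountControl": uac,
            "objectClass": ["top", "person", "organizationalPerson", "user"]}

# Constructed stand-in for what AD would return; not a real directory.
DIRECTORY = [_entry("cloudadmin", "cloudadmin", UF_NORMAL_ACCOUNT),
             _entry("Intern One", "intern01", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE),
             _entry("svc nova", "nova", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD)]

# Constructed credential store standing in for the user's own simple bind.
PASSWORDS = {"CN=cloudadmin,OU=Users,DC=example,DC=co,DC=uk": "correct-horse",
             "CN=Intern One,OU=Users,DC=example,DC=co,DC=uk": "intern-pass",
             "CN=svc nova,OU=Users,DC=example,DC=co,DC=uk": "nova-pass"}


def escape_filter_value(value):
    """RFC 4515 escaping (own implementation), so a name like '*)(cn=*' cannot widen the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping (own implementation) for an RDN value built from an id."""
    escaped = "".join("\\" + ch if ch in '\\,+"<>;=' else ch for ch in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def user_search_filter(conf, name):
    """The query the log excerpt above shows: (&(sAMAccountName=<name>)(objectclass=...))."""
    return "(&(%s=%s)(objectclass=%s))" % (conf["user_name_attribute"],
                                           escape_filter_value(name),
                                           conf["user_objectclass"])


def user_dn_from_id(conf, user_id):
    """DN composed as <user_id_attribute>=<id>,<user_tree_dn>; AD user RDNs are CN=, so cn lines up."""
    return "%s=%s,%s" % (conf["user_id_attribute"], escape_dn_value(user_id),
                         conf["user_tree_dn"])


def find_user_by_name(conf, directory, name):
    """Evaluate user_search_filter against the constructed directory."""
    wanted = conf["user_objectclass"].lower()
    for entry in directory:
        classes = [c.lower() for c in entry.get("objectClass", [])]
        if entry.get(conf["user_name_attribute"]) == name and wanted in classes:
            return entry
    return None


def is_enabled(conf, entry):
    """Bitmask rule: enabled unless all mask bits are set; default used when attribute is absent."""
    mask = conf["user_enabled_mask"]
    assert mask != 0, "only the bitmask form used in the config above is modelled"
    raw = entry.get(conf["user_enabled_attribute"], conf["user_enabled_default"])
    return (int(raw) & mask) != mask


def authenticate(conf, directory, passwords, name, password):
    """Search by name, bind as the found DN, refuse disabled accounts.
    Returns the DN on success, None on any failure without saying which step failed,
    matching the single 'Invalid user / password' line in the log."""
    entry = find_user_by_name(conf, directory, name)
    if entry is None or not password:
        return None
    if passwords.get(entry["dn"]) != password:  # simulated simple_bind_s failure
        return None
    if not is_enabled(conf, entry):
        return None
    return entry["dn"]


if __name__ == "__main__":
    for user, pw in (("cloudadmin", "correct-horse"), ("cloudadmin", "wrong"),
                     ("intern01", "intern-pass"), ("nova", "nova-pass")):
        print(user, "->", authenticate(LDAP_CONF, DIRECTORY, PASSWORDS, user, pw))
```

Two things worth checking against a real DC with this model in hand: that the DN Keystone would compose from user_id_attribute matches the RDN of the entries returned by the search (it does for cn, not for sAMAccountName), and that accounts with extra userAccountControl flags such as DONT_EXPIRE_PASSWD still count as enabled under mask 2, while ACCOUNTDISABLE alone turns them off.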

answered 2014-09-08 12:00:49 -0600 by mpetason, updated 2014-09-08 12:01:41 -0600

This:

user_name_attribute=sAMAccountName
user_id_attribute=sAMAccountName

should be

user_name_attribute=sAMAccountName
user_id_attribute=cn

After that you have to associate all of the accounts with tenants and roles.


Comments

Thanks for the reply! I've made the above changes and ran keystone user-role-add --user=00AA11 --role=_member_ --tenant=Student_Test; however, I'm still getting an invalid credentials error and am still unable to log in via cloudadmin.

stdg11 (2014-09-08 17:00:42 -0600)

Were you able to add cloudadmin (LDAP user) to the tenant Admin with the role Admin? You would need to do this first, then go in and add new users. I don't think I would use the role "_member_" unless you set that up.

mpetason (2014-09-09 16:03:21 -0600)

I just took a look in the assignment MySQL table; there were four entries for cloudadmin, including the admin tenant and role. I've deleted all of these and run keystone user-role-add --user=cloudadmin --role=admin --tenant=admin; however, I'm still getting Invalid Username / Password.

stdg11 (2014-09-09 16:38:58 -0600)

I'm still getting this in the keystone-all log file:

2014-09-09 22:34:07.566 21686 WARNING keystone.common.wsgi [-] Authorization failed. Invalid user / password from 127.0.0.1

stdg11 (2014-09-09 16:40:43 -0600)

Start with this guide instead, but skip the tenant + role setup since you are using SQL for assignment. Verify your configuration options against the conf:

http://behindtheracks.com/2013/08/ope...

mpetason (2014-09-09 16:50:54 -0600)
