keystone user-create error while using LDAP

asked 2015-02-27 09:43:18 -0600

ogzy

I have activated the Assignment setting in keystone on Juno as below


[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

Installed slapd, entered my domain as foo.com.tr and set an admin password when the installation asked me. Then, using the LDIF below, I added groups, users, projects and tenants to the DIT


dn: ou=Groups,dc=foo,dc=com,dc=tr
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Users,dc=foo,dc=com,dc=tr
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=Roles,dc=foo,dc=com,dc=tr
objectClass: top
objectClass: organizationalUnit
ou: Roles

dn: ou=Projects,dc=foo,dc=com,dc=tr
objectClass: top
objectClass: organizationalUnit
ou: Projects


$ ldapsearch -x -LLL -H ldap:/// -b dc=foo,dc=com,dc=tr dn
dn: dc=foo,dc=com,dc=tr
dn: cn=admin,dc=foo,dc=com,dc=tr
dn: ou=Groups,dc=foo,dc=com,dc=tr
dn: ou=Users,dc=foo,dc=com,dc=tr
dn: ou=Roles,dc=foo,dc=com,dc=tr
dn: ou=Projects,dc=foo,dc=com,dc=tr

The problem occurs when I try to add a user

Assuming I have sourced the keystone creds


$ keystone user-create --name admin --pass admin --email oguzyarimtepe@gmail.com
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
An unexpected error prevented the server from fulfilling your request: {'info': 'enabled: attribute type undefined', 'desc': 'Undefined attribute type'} (Disable debug mode to suppress these details.) (HTTP 500)

keystone-all.log:


2015-02-27 17:20:26.056 6550 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:575
2015-02-27 17:20:26.056 6550 DEBUG keystone.common.ldap.core [-] LDAP bind: who=cn=admin,dc=foo,dc=com,dc=tr simple_bind_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:891
2015-02-27 17:20:26.057 6550 DEBUG keystone.common.ldap.core [-] LDAP add: dn=cn=0f0c832a043f4e9cbd950a172823657b,ou=Users,dc=foo,dc=com,dc=tr attrs=[('objectClass', [u'person', u'inetOrgPerson']), ('mail', [u'oguzyarimtepe@gmail.com']), ('userPassword', ['*']), ('enabled', [u'TRUE']), ('cn', [u'0f0c832a043f4e9cbd950a172823657b']), ('sn', [u'admin'])] add_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:910
2015-02-27 17:20:26.057 6550 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:899
2015-02-27 17:20:26.057 6550 ERROR keystone.common.wsgi [-] {'info': 'enabled: attribute type undefined', 'desc': 'Undefined attribute type'}
2015-02-27 17:20:26.057 6550 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-02-27 17:20:26.057 6550 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 223, in __call__
2015-02-27 17:20:26.057 6550 TRACE keystone.common.wsgi     result = method(context, *params)
2015-02-27 17:20:26.057 6550 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 82, in ...

2 answers


answered 2015-03-03 08:27:51 -0600

Sahana

When I tried on CentOS 7 with the Juno version, I followed the commands below to create a user on the LDAP server and validate it through keystone. It works well for me.

Create a new User

$ keystone user-create --name demo --email onecloud@demo.com

Updating Password for the new user

$ keystone user-password-update secret

Check the newly created user using Keystone user-list command.


answered 2015-02-27 10:50:39 -0600

mpetason

You'll need to update these settings in keystone:

# Allow user creation in LDAP backend. (boolean value)
#user_allow_create=true
# Allow user updates in LDAP backend. (boolean value)
#user_allow_update=true
# Allow user deletion in LDAP backend. (boolean value)
#user_allow_delete=true

If you are wanting to do this through Horizon you will also have to enable the ability through the Dashboard:

OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'native',
    'can_edit_user': True,
    'can_edit_group': True,
    'can_edit_project': True,
    'can_edit_domain': True,
    'can_edit_role': True
}

Comments

Adding True values for user crud operations didn't help. Still have the same problem.

ogzy (2015-03-02 00:43:25 -0600)

Were you able to restart the service after making the updates? Did you do any setup on AD such as setting up Unix Services?

mpetason (2015-03-02 08:15:09 -0600)

user_enabled_emulation = True solved the issue in addition to yours.

ogzy (2015-03-03 01:08:47 -0600)

Ok cool. That may be a newer option that I am not aware of. I haven't had to set this up since Havana.

mpetason (2015-03-03 08:38:03 -0600)
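
Why the add in the question fails, as an added example that is not part of the original thread or of Keystone's code: it parses a Keystone `LDAP add` debug line and lists the attributes that the entry's object classes do not permit. The function names, the abbreviated schema table (RFC 4519, RFC 2798) and the sample line (the question's log line with the e-mail replaced) are assumptions of this example.

```python
import ast
import re

# MUST + MAY attributes per class (RFC 4519, RFC 2798); organizationalPerson abbreviated.
SCHEMA = {
    "top": "objectClass",
    "person": "sn cn userPassword telephoneNumber seeAlso description",
    "organizationalperson": "title ou st l street postalCode postalAddress",
    "inetorgperson": "audio businessCategory carLicense departmentNumber "
                     "displayName employeeNumber employeeType givenName "
                     "homePhone homePostalAddress initials jpegPhoto "
                     "labeledURI mail manager mobile o pager photo roomNumber "
                     "secretary uid userCertificate x500uniqueIdentifier "
                     "preferredLanguage userSMIMECertificate userPKCS12",
}
SUPERIOR = {"person": "top", "organizationalperson": "person",
            "inetorgperson": "organizationalperson"}

# Constructed sample: the question's log line with the e-mail replaced.
SAMPLE = (
    "2015-02-27 17:20:26.057 6550 DEBUG keystone.common.ldap.core [-] LDAP add: "
    "dn=cn=0f0c832a043f4e9cbd950a172823657b,ou=Users,dc=foo,dc=com,dc=tr "
    "attrs=[('objectClass', [u'person', u'inetOrgPerson']), "
    "('mail', [u'user@example.com']), ('userPassword', ['*']), "
    "('enabled', [u'TRUE']), ('cn', [u'0f0c832a043f4e9cbd950a172823657b']), "
    "('sn', [u'admin'])] add_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:910"
)

def parse_ldap_add(line):
    """Return (dn, attrs) from an 'LDAP add' debug line, or None; literal_eval only parses."""
    m = re.search(r"LDAP add: dn=(\S+) attrs=(\[.*\]) add_s", line)
    return (m.group(1), dict(ast.literal_eval(m.group(2)))) if m else None

def allowed_attributes(object_classes):
    """Union of attributes permitted by the classes and their superiors."""
    allowed = set()
    for oc in (c.lower() for c in object_classes):
        while oc:
            allowed |= set(SCHEMA.get(oc, "").lower().split())
            oc = SUPERIOR.get(oc)
    return allowed

def rejected_attributes(line):
    """Attribute names in the add request that no listed object class permits."""
    parsed = parse_ldap_add(line)
    if parsed is None:
        return []
    allowed = allowed_attributes(parsed[1].get("objectClass", []))
    return [name for name in parsed[1] if name.lower() not in allowed]
```

On the sample, `rejected_attributes(SAMPLE)` reports only `enabled`, the attribute slapd rejects with `enabled: attribute type undefined`; ogzy's comment above reports that `user_enabled_emulation = True` resolved it.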

Stats

Asked: 2015-02-27 09:43:18 -0600

Seen: 437 times

Last updated: Mar 03 '15