
LDAP class groupOfNames requires attribute 'member' [closed]

asked 2013-11-14 10:11:37 -0500

Romain

Hello everyone, I'm trying to plug Keystone into an LDAP server. I'm stuck because of an error while setting up Keystone.

keystone --debug tenant-create --name=admin --description="Admin Tenant"

Nov 14 16:57:21 ldap slapd[2790]: Entry (cn=6a1f1f16fde54caea3e1cae225f38ec1,ou=Tenants,dc=example,dc=com): object class 'groupOfNames' requires attribute 'member'
Nov 14 16:57:21 ldap slapd[2790]: conn=1008 op=1 RESULT tag=105 err=65 text=object class 'groupOfNames' requires attribute 'member'
Nov 14 16:57:21 ldap slapd[2790]: conn=1008 op=2 UNBIND
Nov 14 16:57:21 ldap slapd[2790]: conn=1008 fd=18 closed

The LDAP part of my keystone conf file looks like this:

[ldap]

url = ldap://ldap
user = cn=admin,dc=example,dc=com
password = password
suffix = cn=example,cn=com
use_dumb_member = False
allow_subtree_delete = False
user_tree_dn = ou=Users,dc=example,dc=password
user_objectclass = inetOrgPerson
user_id_attribute = cn
user_name_attribute = cn
user_allow_create = True
user_allow_update = True
tenant_tree_dn = ou=Tenants,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_domain_id_attribute = businessCategory
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_enabled_attribute = enabled
tenant_allow_create = True
tenant_allow_update = True
role_tree_dn = ou=Roles,dc=example,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
group_tree_dn = ou=Groups,dc=example,dc=com
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = ou
group_member_attribute = member
group_desc_attribute = desc
group_allow_create = True
group_allow_update = True

According to it, the member attribute is set for the tenant. So, what is wrong with my setup?

Thanks beforehand.


Closed for the following reason the question is answered, right answer was accepted by Romain
close date 2013-12-20 06:38:54.195793

1 answer


answered 2013-11-14 16:31:33 -0500

larsks

updated 2013-11-14 16:32:32 -0500

The RFC for the LDAP groupOfNames object marks member as a required attribute, which means that it is an error to have an empty group. There are a few ways of dealing with this problem:

  • You can modify your local LDAP schema to allow member-less groups.
  • You can use a directory server -- such as 389 -- that already has this change.
  • You can enable the following in your keystone configuration:

    use_dumb_member = True
    dumb_member = cn=dumb,dc=example,dc=com

    This will create a dummy entry in groups to avoid the problem with memberless groups.

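To make the answer concrete, here is an added example (not code from Keystone, OpenLDAP, or this thread's authors) that models the schema check slapd applies to a new entry and what the use_dumb_member / dumb_member settings change about the entry Keystone writes. The groupOfNames MUST/MAY lists follow the standard definition in RFC 4519 (MUST: cn, member). The tenant id, name, config values and the dumb DN are constructed from the thread above; the dumb_member_outside() check is an added recommendation, not a Keystone rule.

```python
"""Model of slapd's objectClassViolation check (err=65) and of Keystone's
dumb-member workaround. Added example; not Keystone or OpenLDAP code."""

# objectClass -> (MUST attributes, MAY attributes). groupOfNames per RFC 4519.
SCHEMA = {
    "top": (set(), set()),
    "groupOfNames": (
        {"cn", "member"},
        {"businessCategory", "seeAlso", "owner", "ou", "o", "description"},
    ),
}

# The [ldap] settings from the question that matter here (constructed copy).
CFG = {
    "tenant_tree_dn": "ou=Tenants,dc=example,dc=com",
    "tenant_objectclass": "groupOfNames",
    "tenant_id_attribute": "cn",
    "tenant_name_attribute": "ou",
    "tenant_member_attribute": "member",
    "use_dumb_member": False,
    "dumb_member": "cn=dumb,dc=example,dc=com",
}


def schema_violations(entry):
    """Return the messages slapd would log for an entry (dict of
    attribute -> list of values): missing MUST attributes first, then
    attributes that no listed objectClass allows."""
    errors = []
    allowed = {"objectClass"}
    for oc in entry.get("objectClass", []):
        must, may = SCHEMA.get(oc, (set(), set()))
        allowed |= must | may
        for attr in sorted(must):
            if not entry.get(attr):
                errors.append(f"object class '{oc}' requires attribute '{attr}'")
    for attr in sorted(entry):
        if attr not in allowed:
            errors.append(f"attribute '{attr}' not allowed")
    return errors


def build_tenant_entry(cfg, tenant_id, name, description=None):
    """Entry that 'keystone tenant-create' would write under the given
    config. The member attribute is only present when use_dumb_member is on,
    which is exactly why the empty group is rejected otherwise."""
    entry = {
        "objectClass": ["top", cfg["tenant_objectclass"]],
        cfg["tenant_id_attribute"]: [tenant_id],
        cfg["tenant_name_attribute"]: [name],
    }
    if description:
        entry["description"] = [description]
    if cfg["use_dumb_member"]:
        entry[cfg["tenant_member_attribute"]] = [cfg["dumb_member"]]
    return entry


def tenant_dn(cfg, tenant_id):
    return f"{cfg['tenant_id_attribute']}={tenant_id},{cfg['tenant_tree_dn']}"


def real_members(cfg, entry):
    """Membership as Keystone reports it: the placeholder DN is filtered out,
    so it never shows up as a tenant member in the API."""
    members = entry.get(cfg["tenant_member_attribute"], [])
    dumb = cfg["dumb_member"].lower() if cfg["use_dumb_member"] else None
    return [m for m in members if m.lower() != dumb]


def dumb_member_outside(cfg, user_tree_dn):
    """Added caveat check: the placeholder DN should not live under the user
    tree, or every other LDAP consumer sees a 'dumb' user in every tenant."""
    return not cfg["dumb_member"].lower().endswith("," + user_tree_dn.lower())


if __name__ == "__main__":
    tid = "6a1f1f16fde54caea3e1cae225f38ec1"  # id from the slapd log line
    entry = build_tenant_entry(CFG, tid, "admin", "Admin Tenant")
    print(tenant_dn(CFG, tid), schema_violations(entry))
    fixed_cfg = dict(CFG, use_dumb_member=True)
    entry = build_tenant_entry(fixed_cfg, tid, "admin", "Admin Tenant")
    print(schema_violations(entry), real_members(fixed_cfg, entry))
```

Run as-is, the first line reproduces the "requires attribute 'member'" error from the log; the second shows that with use_dumb_member = True the entry passes and Keystone still reports an empty member list. Keep the dumb DN outside ou=Users (and outside any tree other applications treat as people) so the placeholder cannot be mistaken for a real principal by anything that reads the directory without Keystone's filtering.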


Thanks Larsks, I have tested the third option and it solved THIS issue. I have other ones to deal with :-)

Romain (2013-11-15 01:59:03 -0500)
