Ask Your Question
0

Liberty: Configure LDAP Active Directory back end for Keystone

asked 2016-02-29 13:41:31 -0500

Nogginboink gravatar image

updated 2016-03-01 09:59:51 -0500

I am attempting to set up an OpenStack platform that can query my company's Active Directory via LDAP to authenticate users.

I have set up my controller node through the installation of Keystone per the installation guide. I have service accounts set up in the default domain backed by the sql engine. I have an admin user and a demo user. I have an admin project and a demo project. I have user and admin roles set up.

I edited keystone.conf and enabled domain specific drivers and have set a domain config directory.

I restarted apache2 and ran openstack domain create --description "CorpNet Users" --enable corpnet.

I created /etc/keystone/domains/keystone.corpnet.conf. In it I think I set up LDAP parameters correctly, by using ldapsearch on the Linux command line to determine an appropriate LDAP server and other parameters for querying LDAP. The domain specific file looks like this:

[identity]
driver = ldap

[assignment]
driver = sql

[ldap]
url = ldap://DomainController.CorpSubDomain.CorpDomain.com
user = CN=MyUserName,OU=users,OU=CorporateOU1,OU=CorporateOU2,DC=CorpSubDomain,DC=CorpDomain,DC=com
#user = "myusername@CorpSubDomain.CorpDomain.com" #I have tried both user syntaxes with the same results
password = myPassword


user_tree_dn = OU=Users,OU=CorporateOU1,OU=CorporateOU2,DC=CorpSubDomain,DC=CorpDomain,DC=com
user_objectclass = person
#user_filter =
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
#user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants

user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = ou=Groups,DC=CorpSubDomain,DC=CorpDomain,DC=com
group_objectclass = groupOfNames
group_allow_create = False
group_allow_update = False
group_allow_delete = False

However, I'm not quite sure what to do next. Should all the LDAP users automatically be OpenStack users? If I run openstack user list I get The request you have made requires authentication. (HTTP 401)

If I run openstack user list --domain default I get a list of the users I created in the default domain.

If I run openstack user list --domain corpnet I get no output (but also get no error message).

If I attempt to use the default admin user to add my corpnet username as an admin of the admin project (openstack role add --domain corpnet --user MyUserName admin) I again get The request you have made requires authentication.

If I run openstack role add --domain <identifier> --user MyUserName admin as one answer suggested, I also get an error that authentication is required.

In /var/log/keystone/keystone-wsgi-admin.log, I see that the "The request you have made requires authentication" seems to always be preceded by "No domain information specified as part of list request." Yet I did specify the domain (didn't I?) in my list request.

As you can guess, I am not an administrator of the corporate AD infrastructure, so I have limited ability to troubleshoot from the LDAP server side.

It seems that I'm close to getting this working, but that I'm missing a key piece of the puzzle here. If anyone could suggest what my next step should be, or how to troubleshoot further ... (more)

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2016-05-14 04:03:13 -0500

weber_daniel gravatar image

updated 2016-05-14 04:04:05 -0500

Hello

I run into same Errors, seems like the Documentation is there, but for a novice user it's hard to overcome the obvious problems.

I assume you have preconfigured the user, so in the SQL Database the Users have been entered with the User-ID, not the name. With that in mind, you see that your users, you try to login, have no rights. Also the service Users have no rights either.

There are two solution to this: 1. Recreate all the users even the service users with admin_token 2. Create Users and apply correct User ID's in Active Directory

But first you should decouple the Username form the User ID, change the following in your configuration:

user_name_attribute = cn to user_name_attribute = sAMAccountName

like this, you can use the normal Login name as in active Directory.

Now if you want to recreate all the users you have to use admin Token.

Look at http://docs.openstack.org/liberty/install-guide-rdo/keystone-services.html (http://docs.openstack.org/liberty/ins...)

Configure ADMIN_TOKEN in /etc/keystone/keystone.conf and use the export commands

export OS_TOKEN=294a4c8a8a475f9b9836
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

(Keep in mind, you shouldn't run the source command before, just open a new session to be sure)

then you can recreate all the services users.

But if you want to do the easier way, just change the CN of your services user in Active Directory

User Mysql on the Keystone Database to get all the ID's of the users:

mysql -uroot use keystone select id, name from user;

After changing the CN, restart the Keystone by useing service apache2 restart. Then you should be able to use LDAP Login.

Hope this helps someone else, as i had hours to solve this problem.

Regards: Daniel

edit flag offensive delete link more

Comments

Very good explanation, I had the same issue. I didn't recreate the openstack users, instead I changed the User-IDs in the database directly, that works too.

eblock gravatar imageeblock ( 2016-05-17 04:44:24 -0500 )edit
add a comment
0

answered 2016-10-03 12:54:55 -0500

Lakshmi gravatar image

Hi,

My Name is LakshmiNarayana and I am very new to openstack.

I have installed the openstack Mitaka(with help of http://docs.openstack.org/draft/install-guide-rdo/common/conventions.html (http://docs.openstack.org/draft/insta...))

I am trying to integrate Active directory 2012 as backend with Openstack Mitaka Keystone through ldap and below is my ldap domain configuration

[ldap] url = ldaps://HOSDC.hos.com:636 user = cn=administrator,cn=Users,dc=hos,dc=com password = atmecs@1234 suffix = dc=hos,dc=com user_tree_dn = cn=Users,dc=hos,dc=com user_objectclass = person user_filter = (memberOf=cn=Users,cn=hos,cn=com) user_id_attribute = sAMAccountName user_name_attribute = sAMAccountName user_mail_attribute = mail user_pass_attribute = user_enabled_attribute = userAccountControl user_enabled_mask = 2 user_enabled_default = 512 user_attribute_ignore = password,tenant_id,tenants user_allow_create = False user_allow_update = False user_allow_delete = False use_tls = False tls_cacertfile = /etc/ssl/certs/server_cert.crt query_scope = sub

[identity]

driver = keystone.identity.backends.ldap.Identity

But not able to retrieve the users information from Active directory and not getting any error message.

Below are logs from keytsone.log

2016-10-03 06:49:09.600 27104 INFO keystone.common.wsgi [req-d14b3f5b-3c1d-418b-9a2e-8cdc698f934e - - - - -] GET http://controller:35357/v3/ 2016-10-03 06:49:09.610 27106 INFO keystone.common.wsgi [req-86e535b4-1bbc-4541-aec2-977ee71eaf30 - - - - -] POST http://controller:35357/v3/auth/tokens 2016-10-03 06:49:09.741 27106 INFO keystone.token.providers.fernet.utils [req-86e535b4-1bbc-4541-aec2-977ee71eaf30 - - - - -] Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys/ 2016-10-03 06:49:09.747 27105 INFO keystone.common.wsgi [req-bcd779b5-5daf-496f-989d-16ad4415c26b - - - - -] POST http://controller:35357/v3/auth/tokens 2016-10-03 06:49:09.876 27105 INFO keystone.token.providers.fernet.utils [req-bcd779b5-5daf-496f-989d-16ad4415c26b - - - - -] Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys/ 2016-10-03 06:49:09.880 27108 INFO keystone.token.providers.fernet.utils [req-762bba96-cc61-4ba3-baa6-54bdbc705a22 - - - - -] Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys/ 2016-10-03 06:49:09.940 27108 INFO keystone.common.wsgi [req-762bba96-cc61-4ba3-baa6-54bdbc705a22 285ebd0e744f49cabd80baecff9f4e00 c7ba6bc5419845d2b8010eabb3b2e950 - 46bdf8c3a8ab4ac4885a9ffd52a7cff3 46bdf8c3a8ab4ac4885a9ffd52a7cff3] GET http://controller:35357/v3/domains/hos 2016-10-03 06:49:09.943 27108 WARNING keystone.common.wsgi [req-762bba96-cc61-4ba3-baa6-54bdbc705a22 285ebd0e744f49cabd80baecff9f4e00 c7ba6bc5419845d2b8010eabb3b2e950 - 46bdf8c3a8ab4ac4885a9ffd52a7cff3 46bdf8c3a8ab4ac4885a9ffd52a7cff3] Could not find domain: hos 2016-10-03 06:49:09.947 27107 INFO keystone.token.providers.fernet.utils [req-674d6525-0ea6-416e-a4b1-928d78a9f6c7 - - - - -] Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys/ 2016-10-03 06:49:10.012 27107 INFO keystone.common.wsgi [req-674d6525-0ea6-416e-a4b1-928d78a9f6c7 285ebd0e744f49cabd80baecff9f4e00 c7ba6bc5419845d2b8010eabb3b2e950 - 46bdf8c3a8ab4ac4885a9ffd52a7cff3 46bdf8c3a8ab4ac4885a9ffd52a7cff3] GET http://controller:35357/v3/domains?name=hos (http://controller:35357/v3/domains?na...) 2016-10-03 06:49:10.022 27104 INFO keystone.token.providers.fernet.utils [req-bdc65445-47b9-471c-b9d9-83c71836ad76 - - - - -] Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys/

2016-10-03 06:49:10.087 27104 INFO keystone.common.wsgi [req-bdc65445-47b9-471c-b9d9-83c71836ad76 285ebd0e744f49cabd80baecff9f4e00 c7ba6bc5419845d2b8010eabb3b2e950 - 46bdf8c3a8ab4ac4885a9ffd52a7cff3 46bdf8c3a8ab4ac4885a9ffd52a7cff3] GET http://controller:35357/v3/users?domain_id=d9a257f1fd194963bcf7ea458bbdcc72 (http://controller:35357/v3/users?doma...)

Command output

[root@controller keystone]# openstack user list --domain default +----------------------------------+---------+ | ID | Name | +----------------------------------+---------+ | 025e27db10f54c02bf0fdf0e9936484d | nova | | 20430d5fddd74359a0efc19c0df449c4 | neutron | | 285ebd0e744f49cabd80baecff9f4e00 | admin | | ab56f1e2bfd34db8a903e94721a14c5e | demo | | e7fc6ae55ec846cda34032dc31714cb2 | glance | | f31ee500775a4704bd05a3e23f279701 | lak | +----------------------------------+---------+ [root@controller keystone]# openstack user list --domain hos

[root@controller keystone]#

Someone please help me out... Do I need to change anything in AD or Keystone?

Regards, Lakshmi

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2016-02-29 13:41:31 -0500

Seen: 1,161 times

Last updated: May 14 '16

Related questions

Replaced openDj ldap with freeipa ldap. Do we have to make any chnages in keystone other than replacing the ldap_url?

keystone Failed to start the admin server

nova list not working

keystone endpoint

How to detect keystone version

Where do I find the horizon login url view?

Verify Keystone with Curl

Keystone with LDAP can't bind to dc=example,dc=com

Keystone Client Always output 'printt'

kolla-ansible Keystone Federation