Horizon LDAP Error: An error occurred authenticating. Please try again later.
I have migrated Keystone to authenticate with Active Directory using the LDAP identity backend; assignment is using the SQL backend.
When I attempt to log in to Horizon, the following error message is returned:
An error occurred authenticating. Please try again later.
The only other relevant error message I can see is in the Horizon error log, /var/log/httpd/error_log:
Login failed for user "admin".
I can authenticate using an openrc file and use all the CLI tools. Authenticating through Horizon appears to be the only thing that is failing. I have tried having Horizon use both the Keystone v2.0 and v3 APIs.
Users are listed correctly:
openstack --os-identity-api-version 2 user list
+-----------------------+------------+
| ID                    | Name       |
+-----------------------+------------+
| ldapauth@test.local   | ldapauth   |
| cinder@test.local     | cinder     |
| nova@test.local       | nova       |
| neutron@test.local    | neutron    |
| glance@test.local     | glance     |
| ceilometer@test.local | ceilometer |
| admin@test.local      | admin      |
+-----------------------+------------+
Service account users have been assigned roles and projects:
openstack --os-identity-api-version 2 user list --project service
+-----------------------+------------+
| ID                    | Name       |
+-----------------------+------------+
| nova@test.local       | nova       |
| cinder@test.local     | cinder     |
| glance@test.local     | glance     |
| ceilometer@test.local | ceilometer |
| neutron@test.local    | neutron    |
+-----------------------+------------+
The admin account has been assigned a role and project:
openstack --os-identity-api-version 2 user list --project admin
+---------------------+----------+
| ID                  | Name     |
+---------------------+----------+
| admin@test.local    | admin    |
+---------------------+----------+
My /etc/keystone/keystone.conf is as follows:
[DEFAULT]
admin_token = ****************
debug = true
verbose = true
[assignment]
driver = keystone.assignment.backends.sql.Assignment
[cache]
backend = keystone.cache.memcache_pool
enabled = true
memcache_servers = test-oscn01.test.local:11211,test-oscn02.test.local:11211
[database]
connection = mysql://keystone:**********@test-osprox.test.local/keystone
[identity]
driver = keystone.identity.backends.ldap.Identity
[ldap]
url = ldap://192.168.200.167
user = CN=ldapauth,OU=Service Accounts,OU=TEST,DC=test,DC=local
password = *******
suffix = DC=test,DC=local
use_dumb_member = true
dumb_member = CN=ldapauth,OU=Service Accounts,OU=TEST,DC=test,DC=local
allow_subtree_delete = false
query_scope = sub
debug_level = 3
user_tree_dn = OU=TEST,DC=test,DC=local
user_objectclass = person
user_id_attribute = userPrincipalName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_invert = false
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = default_project_id,tenants
user_default_project_id_attribute =
user_allow_create = false
user_allow_update = false
user_allow_delete = false
user_additional_attribute_mapping =
group_tree_dn = OU=TEST,DC=test,DC=local
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = ou
group_member_attribute = member
group_desc_attribute = description
group_attribute_ignore =
group_allow_create = false
group_allow_update = false
group_allow_delete = false
group_additional_attribute_mapping =
[memcache]
servers = test-oscn01.test.local:11211,test-oscn02.test.local:11211
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
[token]
provider = keystone.token.providers.uuid.Provider
The following parameters are set in the Horizon config, /etc/openstack-dashboard/local_settings:
OPENSTACK_API_VERSIONS = {
    "data-processing": 1.1,
    "identity": 3,
    "volume": 2,
}
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'ldap',
    'can_edit_user': False,
    'can_edit_group': False,
    'can_edit_project': True,
    'can_edit_domain': True,
    'can_edit_role': True,
}
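
The post reports that CLI logins work while the Horizon login fails with Horizon pointed at the v3 endpoint. As an added example (not part of the original post and not Horizon's or Keystone's own code), this Python script replays the same password login against Keystone's v2.0 and v3 token APIs outside Horizon, to show which side rejects it. The host name, the `Default` domain name and the `OS_PASSWORD` environment variable are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

# Assumptions (not from the post): the host below is a placeholder, "Default" is
# assumed as the v3 domain name, and the password is read from OS_PASSWORD.
BASE = "http://keystone.example.test:5000"

def v2_request(base, user, password, project):
    """Keystone v2.0 login: no domain concept, the project is 'tenantName'."""
    body = {"auth": {"passwordCredentials": {"username": user, "password": password},
                     "tenantName": project}}
    return base + "/v2.0/tokens", body

def v3_request(base, user, password, domain="Default"):
    """Keystone v3 unscoped login: a user given by name must also name a domain."""
    body = {"auth": {"identity": {"methods": ["password"], "password": {"user": {
        "name": user, "domain": {"name": domain}, "password": password}}}}}
    return base + "/v3/auth/tokens", body

def verdict(version, status, headers):
    """Map an HTTP result to where to look next."""
    if version == 3 and status == 201 and "X-Subject-Token" in headers:
        return "v3 login works in Keystone; look at Horizon's settings"
    if version == 2 and status == 200:
        return "v2.0 login works in Keystone"
    if status == 401:
        return "Keystone rejected the credentials or domain; read keystone.log"
    return "unexpected status %d; read keystone.log" % status

def replay(version, url, body):
    """Send one login request and return the verdict (needs network access)."""
    req = urllib.request.Request(url, json.dumps(body).encode(),
                                 {"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return verdict(version, resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        return verdict(version, err.code, err.headers)
    except OSError as err:
        return "cannot reach Keystone: %s" % err

if __name__ == "__main__":
    pw = os.environ.get("OS_PASSWORD", "")
    for version, (url, body) in ((2, v2_request(BASE, "admin", pw, "admin")),
                                 (3, v3_request(BASE, "admin", pw))):
        print("v%d:" % version, replay(version, url, body))
```

With `debug = true` already set in keystone.conf, a 401 on the v3 request will have a matching entry in the Keystone log naming the user and domain that were looked up.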