Horizon LDAP Error: An error occurred authenticating. Please try again later.

asked 2016-03-22 01:17:56 -0500

Cobalt60

updated 2016-03-22 18:39:58 -0500

I have migrated keystone to authenticate with Active Directory, using the LDAP identity backend; assignment is using the SQL backend.

When I attempt to log in to Horizon the following error message is returned:

An error occurred authenticating. Please try again later.

The only other relevant error message I can see is in the Horizon error log /var/log/httpd/error_log:

Login failed for user "admin".

I can authenticate using an openrc file and use all the CLI tools. Authenticating through Horizon appears to be the only thing that is failing. I have tried having Horizon use both keystone v2.0 and v3 APIs.

Users are listed correctly:

openstack --os-identity-api-version 2 user list
+-----------------------+------------+
| ID                    | Name       |
+-----------------------+------------+
| ldapauth@test.local   | ldapauth   |
| cinder@test.local     | cinder     |
| nova@test.local       | nova       |
| neutron@test.local    | neutron    |
| glance@test.local     | glance     |
| ceilometer@test.local | ceilometer |
| admin@test.local      | admin      |
+-----------------------+------------+

Service account users have been assigned roles and projects.

openstack --os-identity-api-version 2 user list --project service
+-----------------------+------------+
| ID                    | Name       |
+-----------------------+------------+
| nova@test.local       | nova       |
| cinder@test.local     | cinder     |
| glance@test.local     | glance     |
| ceilometer@test.local | ceilometer |
| neutron@test.local    | neutron    |
+-----------------------+------------+

Admin account has been assigned a role and project:

openstack --os-identity-api-version 2 user list --project admin
+---------------------+----------+
| ID                  | Name     |
+---------------------+----------+
| admin@test.local    | admin    |
+---------------------+----------+

My /etc/keystone/keystone.conf is as follows:

[DEFAULT]
admin_token = ****************
debug = true
verbose = true
[assignment]
driver = keystone.assignment.backends.sql.Assignment
[cache]
backend = keystone.cache.memcache_pool
enabled = true
memcache_servers = test-oscn01.test.local:11211,test-oscn02.test.local:11211
[database]
connection = mysql://keystone:**********@test-osprox.test.local/keystone
[identity]
driver = keystone.identity.backends.ldap.Identity
[ldap]
url = ldap://192.168.200.167
user = CN=ldapauth,OU=Service Accounts,OU=TEST,DC=test,DC=local
password = *******
suffix = DC=test,DC=local
use_dumb_member = true
dumb_member = CN=ldapauth,OU=Service Accounts,OU=TEST,DC=test,DC=local
allow_subtree_delete = false
query_scope = sub
debug_level = 3
user_tree_dn = OU=TEST,DC=test,DC=local
user_objectclass = person
user_id_attribute = userPrincipalName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_invert = false
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = default_project_id,tenants
user_default_project_id_attribute =
user_allow_create = false
user_allow_update = false
user_allow_delete = false
user_additional_attribute_mapping =
group_tree_dn = OU=TEST,DC=test,DC=local
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = ou
group_member_attribute = member
group_desc_attribute = description
group_attribute_ignore =
group_allow_create = false
group_allow_update = false
group_allow_delete = false
group_additional_attribute_mapping =
[memcache]
servers = test-oscn01.test.local:11211,test-oscn02.test.local:11211
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
[token]
provider = keystone.token.providers.uuid.Provider

The following parameters are set in the Horizon config /etc/openstack-dashboard/local_settings:

OPENSTACK_API_VERSIONS = {
    "data-processing": 1.1,
    "identity": 3,
    "volume": 2,
}
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'ldap',
    'can_edit_user': False,
    'can_edit_group': False,
    'can_edit_project': True,
    'can_edit_domain': True,
    'can_edit_role': True,
}
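The keystone.conf posted above points `[ldap] url` at plain `ldap://` with no `use_tls` option, and still carries `admin_token` and `debug = true`. A small check for those settings, as an added example that is not part of the original post: the function name `audit_keystone_conf` and the finding texts are this example's own, and the sample config is constructed from the options shown above with secrets replaced by placeholders.

```python
import configparser

# Constructed sample: the relevant options from the posted keystone.conf,
# with secrets replaced by placeholders.
SAMPLE_CONF = """\
[DEFAULT]
admin_token = PLACEHOLDER
debug = true
[ldap]
url = ldap://192.168.200.167
user = CN=ldapauth,OU=Service Accounts,OU=TEST,DC=test,DC=local
password = PLACEHOLDER
"""

def audit_keystone_conf(text):
    """Return a list of (option, finding) pairs for a keystone.conf string."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    ldap = cp["ldap"] if cp.has_section("ldap") else {}
    findings = []

    # [ldap] url may hold several comma-separated servers.
    urls = [u.strip().lower() for u in ldap.get("url", "").split(",") if u.strip()]
    start_tls = ldap.get("use_tls", "false").strip().lower() == "true"
    for url in urls:
        if url.startswith("ldap://") and not start_tls:
            findings.append(("ldap.url", f"{url}: simple binds (service account "
                             "and user passwords) cross the network unencrypted"))
    encrypted = start_tls or any(u.startswith("ldaps://") for u in urls)
    # keystone defaults tls_req_cert to "demand"; weaker values skip verification.
    req_cert = ldap.get("tls_req_cert", "demand").strip().lower()
    if encrypted and req_cert != "demand":
        findings.append(("ldap.tls_req_cert", f"'{req_cert}' does not require a "
                         "valid server certificate"))
    if cp.defaults().get("admin_token", "").strip():
        findings.append(("DEFAULT.admin_token", "static bootstrap token is still "
                         "configured"))
    if cp.defaults().get("debug", "false").strip().lower() == "true":
        findings.append(("DEFAULT.debug", "debug logging is enabled"))
    return findings

if __name__ == "__main__":
    for option, finding in audit_keystone_conf(SAMPLE_CONF):
        print(f"{option}: {finding}")
```

Switching the URL to `ldaps://` or setting `use_tls = true`, with `tls_cacertfile` pointing at the CA that issued the domain controller certificate, clears the first finding.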