Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

unable to login horizon with LDAP

 hello,

I have installed RDO Newton on CentOS 7.3 and attempted to enable LDAP in keystone. Typical ldapsearch is successful but not via Horizon. This is an OpenLDAP server, not Active Directory. Did I make a mistake in my configuration?

--------------------------------------------------------
ldapsearch -x -b 'dc=example,dc=com' "uid=testuser"

dn: uid=testuser,ou=people,dc=example,dc=com
cn: Test User
sn: Test User
givenName: Test
uid: testuser
preferredLanguage: en_US
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
homeDirectory: /home/testuser
gecos: Test user
loginShell: /bin/bash
uidNumber: 1101
gidNumber: 1101
displayName: Test user
--------------------------------------------------------


--------------------------------------------------------
keystone.conf

[identity]
driver = ldap

url = ldap://ldap.example.com
user = cn=Manager,dc=example,dc=com
password = ****************
suffix = dc=example,dc=com

user_enabled_emulation = True
user_enabled_emulation_dn = ou=people,dc=example,dc=com

user_tree_dn = ou=people,dc=example,dc=com
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute = userPassword
user_enabled_attribute = enabled

group_tree_dn = ou=ostack,dc=example,dc=com
group_objectclass = posixGroup
group_id_attribute = gidNumber
group_name_attribute = cn
group_member_attribute = memberUid
group_desc_attribute = description
role_allow_create = false
role_allow_update = false
role_allow_delete = false

--------------------------------------------------------
--------------------------------------------------------

attempts to login from Horizon

INFO keystone.common.wsgi [req-d56628a6-5bfc-48b8-893d-c306c8764370 - - - - -] POST http://10.10.30.30:5000/v3/auth/tokens
WARNING keystone.auth.plugins.core [req-d56628a6-5bfc-48b8-893d-c306c8764370 - - - - -] User is disabled: testuser
WARNING keystone.common.wsgi [req-d56628a6-5bfc-48b8-893d-c306c8764370 - - - - -] Authorization failed. The request you have made requires authentication. from 10.10.30.30

--------------------------------------------------------


openstack-status

== Nova services ==
openstack-nova-api:                     active
openstack-nova-compute:                 active
openstack-nova-network:                 inactive  (disabled on boot)
openstack-nova-scheduler:               active
openstack-nova-cert:                    active
openstack-nova-conductor:               active
openstack-nova-console:                 inactive  (disabled on boot)
openstack-nova-consoleauth:             active
openstack-nova-xvpvncproxy:             inactive  (disabled on boot)
== Glance services ==
openstack-glance-api:                   active
openstack-glance-registry:              active
== Keystone service ==
openstack-keystone:                     inactive  (disabled on boot)
== Horizon service ==
openstack-dashboard:                    active
== neutron services ==
neutron-server:                         active
neutron-dhcp-agent:                     active
neutron-l3-agent:                       active
neutron-metadata-agent:                 active
neutron-openvswitch-agent:              active
neutron-metering-agent:                 active
== Support services ==
mariadb:                                active
openvswitch:                            active
dbus:                                   active
rabbitmq-server:                        active
memcached:                              active
== Keystone users ==
/usr/bin/openstack-status: line 267: keystone: command not found
== Glance images ==
The request you have made requires authentication. (HTTP 401) (Request-ID: req-aa390d08-1c93-49cc-9a1e-9a3dd99fccef)
== Nova managed services ==
ERROR (Unauthorized): The request you have made requires authentication. (HTTP 401) (Request-ID: req-237f8990-1246-49ef-9371-759e6f3857eb)
== Nova networks ==
ERROR (Unauthorized): The request you have made requires authentication. (HTTP 401) (Request-ID: req-2f536802-2bf7-41cc-b15d-aef1c9458496)
== Nova instance flavors ==
ERROR (Unauthorized): The request you have made requires authentication. (HTTP 401) (Request-ID: req-e4893f5f-d6f2-49cf-b260-2097ccdd2574)
== Nova instances ==
ERROR (Unauthorized): The request you have made requires authentication. (HTTP 401) (Request-ID: req-1a58d5f0-2a1e-4f0f-bb27-7f4d00bd1ad9)