can't retrieve users and groups from MS AD with keystone integration

Hi, I'm new to openstack. I've installed Ocata openstack over CentOS, seems it's working. Now I'm trying to configure integration with our internal/std Directory Service (Microsoft AD, 2003 level). I've tried to follow the links: http://redhat.slides.com/mlopes/integrate-active-directory-with-openstack-keystone#/11 https://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html. I'm able to log on the Horizon dashboard with local users and the default domain, but I'm not able to login with an MS AD related user (because I can't retrieve users/groups from AD in order to give rights to them in the recently created openstack domain). If I invoke "openstack user list --domain <mydomainname configured in the special config file under /etc/keystone/domains>" it doesn't return anything to me; same thing with "openstack group list --domain <mydomainname>".

I'm not seeing too many critical alarms in keystone.log:

=====================

2017-06-26 22:03:03.229 13078 INFO keystone.token.persistence.backends.sql [-] Total expired tokens removed: 0
2017-06-26 22:03:16.547 535 INFO keystone.common.wsgi [req-20c076da-ea48-4c0f-a58c-ad900676d407 - - - - -] GET http://dcprd052113:5000/v3/
2017-06-26 22:03:16.561 534 INFO keystone.common.wsgi [req-4d5e9f99-fc59-4ef9-8073-e450f3663c93 - - - - -] POST http://dcprd052113:5000/v3/auth/tokens
2017-06-26 22:03:16.754 535 INFO keystone.common.wsgi [req-5f27825d-b427-42e0-a4b5-a874cef6b92d - - - - -] POST http://dcprd052113:5000/v3/auth/tokens
2017-06-26 22:03:16.949 532 INFO keystone.common.wsgi [req-619b7702-37b7-43e4-bf36-1ad4fecbcfe2 - - - - -] GET http://dcprd052113:35357/v3/
2017-06-26 22:03:17.057 533 INFO keystone.common.wsgi [req-c63a30f3-482a-448b-b4ef-e6461fd2643e 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] GET http://dcprd052113:35357/v3/domains/wegnet
2017-06-26 22:03:17.061 533 WARNING keystone.common.wsgi [req-c63a30f3-482a-448b-b4ef-e6461fd2643e 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] Could not find domain: wegnet.
2017-06-26 22:03:17.200 532 INFO keystone.common.wsgi [req-9eb6211c-1b41-443c-9da5-84f953d1e459 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] GET http://dcprd052113:35357/v3/domains/wegnet
2017-06-26 22:03:17.204 532 WARNING keystone.common.wsgi [req-9eb6211c-1b41-443c-9da5-84f953d1e459 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] Could not find domain: wegnet.
2017-06-26 22:03:17.303 533 INFO keystone.common.wsgi [req-9d9ba15b-1eae-4da7-88c5-222db59f39b4 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] GET http://dcprd052113:35357/v3/domains?name=wegnet
2017-06-26 22:03:17.415 532 INFO keystone.common.wsgi [req-fa45fef2-1fb5-440d-a4c7-453ccaaafbab 65215625867b4ac7af49d46c0da4555d 87988ba74ad5468895c7c3c26e03a6a7 - default default] GET http://dcprd052113:35357/v3/users?domain_id=a1b7a20a645b4f869eaaf17723363a69

========================================

here is my /etc/keystone/domains/keystone.wegnet.conf file:

=======================================

[ldap]
url                  = ldap://brjgs109.weg.net
user                  = "CN=sys-openstack,OU=OPENSTACK,OU=EDSONH,OU=EQUIPE_TECNOLOGIA,OU=AREA DE TESTES,DC=weg,DC=net"
password                 = <user sys-openstack password - strong one>
suffix                   = DC=weg,DC=net
user_tree_dn             = "OU=OPENSTACK,OU=EDSONH,OU=EQUIPE_TECNOLOGIA,OU=AREA DE TESTES,DC=weg,DC=net"
user_objectclass         = IntOrgPerson
user_filter                  = (memberof="CN=GL_OpenStack,OU=OPENSTACK,OU=EDSONH,OU=EQUIPE_TECNOLOGIA,OU=AREA DE TESTES,DC=weg,DC=net")
user_id_attribute        = cn
user_name_attribute      = sn
user_mail_attribute      = mail
user_pass_attribute      = userPassword
user_enabled_attribute   = userAccountControl
user_enabled_mask        = 2
user_enabled_default     = 512
user_attribute_ignore    =
user_allow_create        = False
user_allow_update        = False
user_allow_delete        = False
group_objectclass        = groupOfNames
group_tree_dn            = "OU=OPENSTACK,OU=EDSONH,OU=EQUIPE_TECNOLOGIA,OU=AREA DE TESTES,DC=weg,DC=net"
group_filter             = (CN=GL_OpenStack)
group_id_attribute       = cn
group_name_attribute     = ou
group_member_attribute   = member
group_desc_attribute     =
group_project_id_attribute =
group_desc_attribute     = description
group_allow_create       = False
group_allow_update       = False
group_allow_delete       = False
use_tls                  = true
tls_cacertfile          = /etc/ssl/certs/brjgs109-ca-x509.crt  ##I generate this as the redhat link instructe me..
tls_req_cert            = allow
query_scope              = sub
chase_referrals          =
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600
use_auth_pool = false
auth_pool_size = 100
auth_pool_connection_lifetime = 60
page_size = 0
alias_dereferencing = default

[identity]
driver = keystone.identity.backends.ldap.Identity

===============================

here is what I've changed in /etc/keystone/keystone.conf:

[identity]
domain_specific_drivers_enabled = true
domain_configurations_from_database = true
domain_config_dir = /etc/keystone/domains

[assignment]
driver = sql

[catalog]
driver = sql

======================

Could someone help me on this?
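Added example (the editor's own, not code from the post, from Keystone or from the linked guides): a small Python linter that parses a domain config in the shape of the one posted above and reports the settings that most often make user and group listing come back empty against Active Directory, plus the one TLS setting that matters for security. The two config strings are constructed from the posted files with DNs shortened and some options dropped. The checks encode these facts about Keystone and AD: with domain_configurations_from_database = true Keystone reads domain-specific configs from its database rather than from domain_config_dir (files must first be uploaded with keystone-manage domain_config_upload); AD user entries carry objectClass user and AD groups objectClass group; an LDAP filter has no quoting syntax, so double quotes inside (memberof=...) are literal characters; oslo.config does not strip a trailing # comment from a value line; and tls_req_cert = allow lets StartTLS proceed with a server certificate that fails validation. The ad_account_enabled helper mirrors the user_enabled_mask test Keystone applies to userAccountControl.

```python
import configparser

# Constructed from the posted keystone.wegnet.conf (options dropped, DNs
# shortened). Not a real deployment.
DOMAIN_CONF = """\
[ldap]
user_objectclass       = IntOrgPerson
user_filter            = (memberof="CN=GL_OpenStack,OU=OPENSTACK,DC=weg,DC=net")
user_name_attribute    = sn
group_objectclass      = groupOfNames
group_filter           = (CN=GL_OpenStack)
group_desc_attribute   =
group_desc_attribute   = description
use_tls                = true
tls_cacertfile         = /etc/ssl/certs/brjgs109-ca-x509.crt  ##I generate this
tls_req_cert           = allow
"""

# Constructed from the posted keystone.conf fragment.
MAIN_CONF = """\
[identity]
domain_specific_drivers_enabled = true
domain_configurations_from_database = true
domain_config_dir = /etc/keystone/domains
"""

AD_USER_CLASSES = {"user", "person", "organizationalperson", "inetorgperson"}  # AD users


def load(text):
    """Parse like oslo.config for our purposes: no interpolation, no inline comments."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(text)
    return cfg


def duplicate_options(text, section="ldap"):
    """Options assigned more than once in `section`; earlier values are lost silently."""
    seen, dups, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            current = line.strip("[]").strip()
        elif current == section and "=" in line:
            key = line.split("=", 1)[0].strip().lower()
            seen[key] = seen.get(key, 0) + 1
            if seen[key] == 2:
                dups.append(key)
    return dups


def ad_account_enabled(user_account_control, mask=2):
    """Keystone's user_enabled_mask test: the masked bit must be clear.
    AD's ACCOUNTDISABLE flag is 0x2, so 512 is enabled and 514 is disabled."""
    return (int(user_account_control) & mask) != mask


def lint(domain_text, main_text):
    """Human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    main = load(main_text)
    if main.getboolean("identity", "domain_configurations_from_database", fallback=False):
        findings.append("domain_configurations_from_database=true: Keystone reads domain "
                        "configs from its database, not from domain_config_dir; set it to "
                        "false or run `keystone-manage domain_config_upload --all`")
    for key in duplicate_options(domain_text):
        findings.append("[ldap] %s is set twice; only the last value is used" % key)
    ldap = load(domain_text)["ldap"]
    if ldap.get("user_objectclass", "").lower() not in AD_USER_CLASSES:
        findings.append("user_objectclass=%s matches no AD user entry; AD users are "
                        "objectClass 'user'" % ldap.get("user_objectclass"))
    if ldap.get("group_objectclass", "").lower() != "group":
        findings.append("group_objectclass=%s: AD groups are objectClass 'group', not "
                        "groupOfNames" % ldap.get("group_objectclass"))
    if ldap.get("user_name_attribute", "").lower() == "sn":
        findings.append("user_name_attribute=sn is the surname and not unique; AD logins "
                        "use sAMAccountName or userPrincipalName")
    for key in ("user_filter", "group_filter"):
        if '"' in ldap.get(key, ""):
            findings.append("%s contains double quotes; LDAP filters have no quoting, so "
                            "the quotes become part of the DN and nothing matches" % key)
    for key, value in ldap.items():
        if " #" in value:
            findings.append("%s: text after '#' on a value line is not a comment to "
                            "oslo.config; it becomes part of the value" % key)
    if ldap.getboolean("use_tls", fallback=False) and \
            ldap.get("tls_req_cert", "demand").lower() != "demand":
        findings.append("tls_req_cert=%s: StartTLS proceeds even if the DC certificate "
                        "fails validation, so the bind password can reach an impostor; "
                        "use 'demand' with tls_cacertfile" % ldap.get("tls_req_cert"))
    return findings


if __name__ == "__main__":
    for finding in lint(DOMAIN_CONF, MAIN_CONF):
        print("-", finding)
```

Run it as-is to see the eight findings for the constructed config; point it at a real file by reading /etc/keystone/domains/keystone.<domain>.conf and /etc/keystone/keystone.conf into the two strings. After fixing the config, re-run openstack user list --domain with --debug and watch keystone.log for the LDAP driver actually binding; if the file is still ignored, the domain_configurations_from_database finding is the one to act on first.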