This is on icehouse.
o Trying to get /var/log/keystone/keystone.log (permissions are set to root) to work, but not successful.
o SQL works on this single node for keystone.
Error:
An error occurred authenticating. Please try again later.
================
See keystone.conf below:
[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/
########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################
[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames
role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole
# note: user_objectclass is also set above (inetOrgPerson); only one value takes effect
user_objectclass = person
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = False
role_allow_update = False
role_allow_delete = False
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# everything else in keystone.conf was as pulled from github.
===============================
Original keystone.conf that works
[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/
#
# Options defined in keystone
#
# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
#admin_token=ADMIN
# The IP Address of the network interface to for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP Address of the network interface to for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0
# The port which the OpenStack Compute service listens on.
# (integer value)
#compute_port=8774
# The port number which the admin service listens on. (integer
# value)
#admin_port=35357
# The port number which the public service listens on.
# (integer value)
#public_port=5000
# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/
# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#admin_endpoint=http://localhost:%(admin_port)s/
# onready allows you to send a notification when the process
# is ready to serve For example, to have it notify using
# systemd, one could set shell command: "onready = systemd-
# notify --ready" or a module with notify() method: "onready =
# keystone.common.systemd". (string value)
#onready=<None>
# enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
#max_request_body_size=114688
# limit the sizes of user & tenant ID/names. (integer value)
#max_param_size=64
# similar to max_param_size, but provides an exception for
# token values. (integer value)
#max_token_size=8192
# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, the member_role_id will be used in the API
# add_user_to_project. (string value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab
# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_
# The value passed as the keyword "rounds" to passlib encrypt
# method. (integer value)
#crypt_strength=40000
# Set this to True if you want to enable TCP_KEEPALIVE on
# server sockets i.e. sockets used by the keystone wsgi server
# for client connections. (boolean value)
#tcp_keepalive=false
# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Only applies if tcp_keepalive is True. Not supported
# on OS X. (integer value)
#tcp_keepidle=600
# The maximum number of entities that will be returned in a
# collection can be set with list_limit, with no limit set by
# default. This global limit may be then overridden for a
# specific driver, by specifying a list_limit in the
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true
#
# Options defined in oslo.messaging
#
# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false
# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false
# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30
# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions
# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672
# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port
# Username for Qpid connection. (string value)
#qpid_username=
# Password for Qpid connection. (string value)
#qpid_password=
# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=
# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60
# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp
# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true
# The qpid topology version to use. Version 1 is what was
# originally used by impl_qpid. Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work. Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1
# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions. (string value)
#kombu_ssl_version=
# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=
# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=
# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0
# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost
# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672
# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port
# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false
# The RabbitMQ userid. (string value)
#rabbit_userid=guest
# The RabbitMQ password. (string value)
#
###### remaining as from github
#
=======================
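Added example (not code from this thread or from Keystone itself): the [ldap] section above sets user_objectclass twice and relies on userAccountControl with user_enabled_mask = 2 and user_enabled_default = 512. This script checks a constructed copy of that section for duplicated options, loads it the way a "last value wins" parser would (the assumption here is that oslo.config behaves that way for single-valued options), and reproduces the Icehouse LDAP driver's enabled-flag logic, where a user is enabled when the masked bit is clear and a missing attribute falls back to user_enabled_default. Function names and the sample text are my own.

```python
"""Sanity-check a Keystone [ldap] section as the Icehouse LDAP identity
driver would interpret it. Added example; SAMPLE_CONF is a constructed copy
of the [ldap] options from the post, reduced to the keys that matter here."""
import configparser
from collections import Counter

# Constructed sample. user_objectclass appears twice, as it does in the post.
SAMPLE_CONF = """\
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://mycorporateserver.xxx:389
user = dc=Manager,dc=example,dc=org
suffix = dc=example,dc=org
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
user_objectclass = person
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
"""


def duplicate_keys(conf_text, section):
    """Return option names assigned more than once inside `section`.
    A duplicated single-valued option is silently resolved by the parser,
    so the operator gets no warning that one of the lines is ignored."""
    counts = Counter()
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == f"[{section}]"
            continue
        if in_section and "=" in line:
            counts[line.split("=", 1)[0].strip()] += 1
    return sorted(k for k, n in counts.items() if n > 1)


def load_ldap_options(conf_text):
    """Parse in non-strict mode so duplicates are allowed and the later
    value wins (assumed to match what the running service ends up with)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    return dict(cp["ldap"])


def user_enabled(uac_value, mask, default):
    """Enabled-flag derivation with a non-zero user_enabled_mask: the user is
    enabled iff (value & mask) != mask. With mask=2 this is the Active
    Directory ACCOUNTDISABLE bit. A missing attribute uses the default."""
    value = int(default) if uac_value is None else int(uac_value)
    return (value & int(mask)) != int(mask)


def report(conf_text):
    """Summarise the checks for a conf text; returns a dict for callers."""
    opts = load_ldap_options(conf_text)
    mask = opts["user_enabled_mask"]
    default = opts["user_enabled_default"]
    return {
        "duplicates": duplicate_keys(conf_text, "ldap"),
        "effective_user_objectclass": opts["user_objectclass"],
        # 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
        "uac_512_enabled": user_enabled(512, mask, default),
        "uac_514_enabled": user_enabled(514, mask, default),
        "missing_attr_enabled": user_enabled(None, mask, default),
    }


if __name__ == "__main__":
    for key, val in report(SAMPLE_CONF).items():
        print(f"{key}: {val}")
```

Run it as a script to see which user_objectclass actually survives and how the 512/514 values map to enabled/disabled; the same functions can be pointed at a real keystone.conf by reading the file into `conf_text`.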
16jun14
Thank you for the informative replies. I have seen that configuration of keystone is capable of extending to ldap and even ActiveDirectory. The "identity" driver change along with "assignment" to keystone backing store gives the same error. I have not found a functional configuration. Using the documentation from http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html and our global catalog, ldap://gc.ad.uky.edu, I tried the configuration change from the admin-guide documentation but received the error: "An error occurred authenticating. Please try again later." from the dashboard. This is a one-node controller system with horizon.
Continuing to try more iterations of the configuration. I will post status and answer (if achieved).
=================================
19jun14
BTW: This is devstack.
What creds do I need to get the keystone user-list to work?
This way I can find out the ldap roles for auth.
I tried some cred examples from the icehouse install.
stack@pve01:~$ cat creds
unset OS_USERNAME
unset OS_PASSWORD
unset OS_TENANT_NAME
export OS_TENANT_PASSWORD
unset OS_AUTH_URL
export OS_USERNAME=admin
export OS_PASSWORD=xxxxxxx
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0
==============
getting this from the keystone user-list
Authorization Failed: Unable to establish connection to http://controller:35357/v2.0/tokens
===============
stack@:~$ sudo nmap -PO hostname
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 14:27 EDT
Nmap scan report for hostname (127.0.0.1)
Host is up (0.000080s latency).
Other addresses for hostname (not scanned): n.n.n.n
rDNS record for 127.0.0.1: localhost
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
3333/tcp open dec-notes
5000/tcp open upnp
8000/tcp open http-alt
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
stack@:~$
===============
Any/all help appreciated.
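Added example, not code from this thread or from any OpenStack client: the creds file above points OS_AUTH_URL at port 35357 (the admin_port default shown in the keystone.conf comments), while the nmap report lists 5000 (the public_port default) as open and no 35357. This script parses constructed copies of both, extracts the port the client will connect to, and reports whether the scan saw it open. Function names and the inline inputs are my own.

```python
"""Cross-check the endpoint in an OpenStack creds file against an nmap
report of the controller. Added example; CREDS and NMAP_REPORT are
constructed copies of the material in the post."""
from urllib.parse import urlsplit

# Constructed copy of the creds file, including the valueless export line.
CREDS = """\
unset OS_USERNAME
unset OS_PASSWORD
unset OS_TENANT_NAME
export OS_TENANT_PASSWORD
unset OS_AUTH_URL
export OS_USERNAME=admin
export OS_PASSWORD=xxxxxxx
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0
"""

# Constructed copy of the port table from the nmap output in the post.
NMAP_REPORT = """\
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
3333/tcp open dec-notes
5000/tcp open upnp
8000/tcp open http-alt
"""


def parse_exports(text):
    """Apply `unset` and `export NAME=value` lines in order; an `export`
    without `=` changes nothing, so it is skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("unset "):
            env.pop(line.split(None, 1)[1].strip(), None)
        elif line.startswith("export ") and "=" in line:
            key, _, val = line[len("export "):].partition("=")
            env[key.strip()] = val.strip()
    return env


def open_tcp_ports(report):
    """Map open TCP port number -> service label guessed by nmap.
    nmap's label comes from its services table (5000 shows as 'upnp'),
    not from talking to the service, so only the port number is trusted."""
    ports = {}
    for line in report.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].endswith("/tcp") and parts[1] == "open":
            ports[int(parts[0].split("/")[0])] = parts[2]
    return ports


def check_auth_url(env, ports):
    """Return (ok, message) for the port the client will connect to."""
    url = urlsplit(env["OS_AUTH_URL"])
    port = url.port or (443 if url.scheme == "https" else 80)
    if port in ports:
        return True, f"{url.hostname}:{port} is open (nmap label: {ports[port]})"
    return False, f"{url.hostname}:{port} is not open; open ports: {sorted(ports)}"


if __name__ == "__main__":
    ok, msg = check_auth_url(parse_exports(CREDS), open_tcp_ports(NMAP_REPORT))
    print(("OK: " if ok else "PROBLEM: ") + msg)
```

When the check fails for the admin port, the next things to look at are whether the keystone process is running and bound to admin_bind_host, and whether OS_AUTH_URL should point at the public port instead; the script only tells you that the client cannot reach the port it was given.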
22jun14
Found the setting in devstack's openrc for obtaining the keystone log.
export KEYSTONECLIENT_DEBUG=1
export NOVACLIENT_DEBUG=1
from
http://devstack.org/openrc.html
returning when I find more
22jun14
set
export KEYSTONECLIENT_DEBUG=1
export NOVACLIENT_DEBUG=1
o rebuilt devstack
touch /var/log/keystone/keystone
o log still not showing content
02jul14
posting a solution
This worked: placing a project/userid in the local sql and accessing the LDAP server (Active Directory) for user-level authentication. The OU is fixed, i.e. hardcoded; that is the discovered caveat.
hybrid SQL and LDAP backends for OpenStack Keystone
For the havana release, but upgraded to icehouse:
https://github.com/SUSE-Cloud/keystone-hybrid-backend
https://github.com/matthewfischer/keystone-hybrid-backend/tree/icehouse-packaging