This is on icehouse.

o Trying to get /var/log/keystone/keystone.log (permissons are to root) to work but not successful.

o SQL works on this single node for keystone.

See keystone.conf below:

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################


[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

user_objectclass = person

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =


user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
# everything else in keystone.conf was as pulled from github.
===============================

=======================

This is on icehouse.

o Trying to get /var/log/keystone/keystone.log (permissons are to root) to work but not successful.

o SQL works on this single node for keystone.

See keystone.conf below:

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################


[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

user_objectclass = person

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =


user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
# everything else in keystone.conf was as pulled from github.
===============================

=======================

This is on icehouse.

o Trying to get /var/log/keystone/keystone.log (permissons are to root) to work but not successful.

o SQL works on this single node for keystone.

Error: An error occurred authenticating. Please try again later.

================ See keystone.conf below:

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################


[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

user_objectclass = person

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =


user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
# everything else in keystone.conf was as pulled from github.
===============================
Original keystone.conf that works

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

#
# Options defined in keystone
#

# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
#admin_token=ADMIN

# The IP Address of the network interface to for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP Address of the network interface to for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0

# The port which the OpenStack Compute service listens on.
# (integer value)
#compute_port=8774

# The port number which the admin service listens on. (integer
# value)
#admin_port=35357

# The port number which the public service listens on.
# (integer value)
#public_port=5000

# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/

# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#admin_endpoint=http://localhost:%(admin_port)s/

# onready allows you to send a notification when the process
# is ready to serve For example, to have it notify using
# systemd, one could set shell command: "onready = systemd-
# notify --ready" or a module with notify() method: "onready =
# keystone.common.systemd". (string value)
#onready=<None>
# enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
#max_request_body_size=114688

# limit the sizes of user & tenant ID/names. (integer value)
#max_param_size=64

# similar to max_param_size, but provides an exception for
# token values. (integer value)
#max_token_size=8192

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, the member_role_id will be used in the API
# add_user_to_project. (string value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_

# The value passed as the keyword "rounds" to passlib encrypt
# method. (integer value)
#crypt_strength=40000

# Set this to True if you want to enable TCP_KEEPALIVE on
# server sockets i.e. sockets used by the keystone wsgi server
# for client connections. (boolean value)
#tcp_keepalive=false

# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Only applies if tcp_keepalive is True. Not supported
# on OS X. (integer value)
#tcp_keepidle=600

# The maximum number of entities that will be returned in a
# collection can be set with list_limit, with no limit set by
# default. This global limit may be then overridden for a
# specific driver, by specifying a list_limit in the
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true
#
# Options defined in oslo.messaging
#

# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false

# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false

# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30

# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions

# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672

# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port

# Username for Qpid connection. (string value)
#qpid_username=

# Password for Qpid connection. (string value)
#qpid_password=

# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=

# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60

# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp

# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true

# The qpid topology version to use.  Version 1 is what was
# originally used by impl_qpid.  Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work.  Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1

# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions. (string value)
#kombu_ssl_version=

# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=

# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
#kombu_ssl_certfile=

# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=

# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0

# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost

# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672

# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port

# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false

# The RabbitMQ userid. (string value)
#rabbit_userid=guest

# The RabbitMQ password. (string value)
# 
###### remaining as from github
#
=======================

This is on icehouse.

o Trying to get /var/log/keystone/keystone.log (permissons are to root) to work but not successful.

o SQL works on this single node for keystone.

Error: An error occurred authenticating. Please try again later.

================ See keystone.conf below:

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################


[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

user_objectclass = person

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =


user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
# everything else in keystone.conf was as pulled from github.
===============================
Original keystone.conf that works

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

#
# Options defined in keystone
#

# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
#admin_token=ADMIN

# The IP Address of the network interface to for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP Address of the network interface to for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0

# The port which the OpenStack Compute service listens on.
# (integer value)
#compute_port=8774

# The port number which the admin service listens on. (integer
# value)
#admin_port=35357

# The port number which the public service listens on.
# (integer value)
#public_port=5000

# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/

# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#admin_endpoint=http://localhost:%(admin_port)s/

# onready allows you to send a notification when the process
# is ready to serve For example, to have it notify using
# systemd, one could set shell command: "onready = systemd-
# notify --ready" or a module with notify() method: "onready =
# keystone.common.systemd". (string value)
#onready=<None>
# enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
#max_request_body_size=114688

# limit the sizes of user & tenant ID/names. (integer value)
#max_param_size=64

# similar to max_param_size, but provides an exception for
# token values. (integer value)
#max_token_size=8192

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, the member_role_id will be used in the API
# add_user_to_project. (string value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_

# The value passed as the keyword "rounds" to passlib encrypt
# method. (integer value)
#crypt_strength=40000

# Set this to True if you want to enable TCP_KEEPALIVE on
# server sockets i.e. sockets used by the keystone wsgi server
# for client connections. (boolean value)
#tcp_keepalive=false

# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Only applies if tcp_keepalive is True. Not supported
# on OS X. (integer value)
#tcp_keepidle=600

# The maximum number of entities that will be returned in a
# collection can be set with list_limit, with no limit set by
# default. This global limit may be then overridden for a
# specific driver, by specifying a list_limit in the
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true
#
# Options defined in oslo.messaging
#

# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false

# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false

# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30

# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions

# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672

# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port

# Username for Qpid connection. (string value)
#qpid_username=

# Password for Qpid connection. (string value)
#qpid_password=

# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=

# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60

# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp

# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true

# The qpid topology version to use.  Version 1 is what was
# originally used by impl_qpid.  Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work.  Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1

# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions. (string value)
#kombu_ssl_version=

# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=

# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
#kombu_ssl_certfile=

# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=

# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0

# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost

# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672

# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port

# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false

# The RabbitMQ userid. (string value)
#rabbit_userid=guest

# The RabbitMQ password. (string value)
# 
###### remaining as from github
#
=======================

16jun14

Thank you for the informative replies. I have seen that configuration of keystone is capable of extending to ldap and even ActiveDirectory. The "identity" driver change along with "assignment" to keystone backing store gives the same error. I have not found a functional configuration. Using the documentation from http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html and  our global catalog, ldap://gc.ad.uky.edu , I tried the configuration change from the admin-guide documentation but received the error: "An error occurred authenticating. Please try again later."  from the dashboard. This is a one node controller system and horizon. 
Continuing to try more iterations fo the configuration. I will post status and answer (if achieved).
=================================

This is on icehouse.

o Trying to get /var/log/keystone/keystone.log (permissons are to root) to work but not successful.

o SQL works on this single node for keystone.

Error: An error occurred authenticating. Please try again later.

================ See keystone.conf below:

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################


[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

user_objectclass = person

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =


user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
# everything else in keystone.conf was as pulled from github.
===============================
Original keystone.conf that works

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

#
# Options defined in keystone
#

# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
#admin_token=ADMIN

# The IP Address of the network interface to for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP Address of the network interface to for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0

# The port which the OpenStack Compute service listens on.
# (integer value)
#compute_port=8774

# The port number which the admin service listens on. (integer
# value)
#admin_port=35357

# The port number which the public service listens on.
# (integer value)
#public_port=5000

# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/

# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#admin_endpoint=http://localhost:%(admin_port)s/

# onready allows you to send a notification when the process
# is ready to serve For example, to have it notify using
# systemd, one could set shell command: "onready = systemd-
# notify --ready" or a module with notify() method: "onready =
# keystone.common.systemd". (string value)
#onready=<None>
# enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
#max_request_body_size=114688

# limit the sizes of user & tenant ID/names. (integer value)
#max_param_size=64

# similar to max_param_size, but provides an exception for
# token values. (integer value)
#max_token_size=8192

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, the member_role_id will be used in the API
# add_user_to_project. (string value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_

# The value passed as the keyword "rounds" to passlib encrypt
# method. (integer value)
#crypt_strength=40000

# Set this to True if you want to enable TCP_KEEPALIVE on
# server sockets i.e. sockets used by the keystone wsgi server
# for client connections. (boolean value)
#tcp_keepalive=false

# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Only applies if tcp_keepalive is True. Not supported
# on OS X. (integer value)
#tcp_keepidle=600

# The maximum number of entities that will be returned in a
# collection can be set with list_limit, with no limit set by
# default. This global limit may be then overridden for a
# specific driver, by specifying a list_limit in the
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true
#
# Options defined in oslo.messaging
#

# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false

# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false

# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30

# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions

# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672

# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port

# Username for Qpid connection. (string value)
#qpid_username=

# Password for Qpid connection. (string value)
#qpid_password=

# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=

# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60

# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp

# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true

# The qpid topology version to use.  Version 1 is what was
# originally used by impl_qpid.  Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work.  Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1

# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions. (string value)
#kombu_ssl_version=

# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=

# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
#kombu_ssl_certfile=

# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=

# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0

# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost

# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672

# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port

# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false

# The RabbitMQ userid. (string value)
#rabbit_userid=guest

# The RabbitMQ password. (string value)
# 
###### remaining as from github
#
=======================

16jun14

Thank you for the informative replies. I have seen that configuration of keystone is capable of extending to ldap and even ActiveDirectory. The "identity" driver change along with "assignment" to keystone backing store gives the same error. I have not found a functional configuration. Using the documentation from http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html and  our global catalog, ldap://gc.ad.uky.edu , I tried the configuration change from the admin-guide documentation but received the error: "An error occurred authenticating. Please try again later."  from the dashboard. This is a one node controller system and horizon. 
Continuing to try more iterations fo the configuration. I will post status and answer (if achieved).
=================================

This is on icehouse.

o Trying to get /var/log/keystone/keystone.log (permissons are to root) to work but not successful.

o SQL works on this single node for keystone.

Error: An error occurred authenticating. Please try again later.

================ See keystone.conf below:

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################


[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

user_objectclass = person

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =


user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
# everything else in keystone.conf was as pulled from github.
===============================
Original keystone.conf that works

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

#
# Options defined in keystone
#

# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
#admin_token=ADMIN

# The IP Address of the network interface to for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP Address of the network interface to for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0

# The port which the OpenStack Compute service listens on.
# (integer value)
#compute_port=8774

# The port number which the admin service listens on. (integer
# value)
#admin_port=35357

# The port number which the public service listens on.
# (integer value)
#public_port=5000

# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/

# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#admin_endpoint=http://localhost:%(admin_port)s/

# onready allows you to send a notification when the process
# is ready to serve For example, to have it notify using
# systemd, one could set shell command: "onready = systemd-
# notify --ready" or a module with notify() method: "onready =
# keystone.common.systemd". (string value)
#onready=<None>
# enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
#max_request_body_size=114688

# limit the sizes of user & tenant ID/names. (integer value)
#max_param_size=64

# similar to max_param_size, but provides an exception for
# token values. (integer value)
#max_token_size=8192

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, the member_role_id will be used in the API
# add_user_to_project. (string value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_

# The value passed as the keyword "rounds" to passlib encrypt
# method. (integer value)
#crypt_strength=40000

# Set this to True if you want to enable TCP_KEEPALIVE on
# server sockets i.e. sockets used by the keystone wsgi server
# for client connections. (boolean value)
#tcp_keepalive=false

# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Only applies if tcp_keepalive is True. Not supported
# on OS X. (integer value)
#tcp_keepidle=600

# The maximum number of entities that will be returned in a
# collection can be set with list_limit, with no limit set by
# default. This global limit may be then overridden for a
# specific driver, by specifying a list_limit in the
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true
#
# Options defined in oslo.messaging
#

# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false

# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false

# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30

# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions

# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672

# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port

# Username for Qpid connection. (string value)
#qpid_username=

# Password for Qpid connection. (string value)
#qpid_password=

# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=

# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60

# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp

# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true

# The qpid topology version to use.  Version 1 is what was
# originally used by impl_qpid.  Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work.  Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1

# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions. (string value)
#kombu_ssl_version=

# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=

# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
#kombu_ssl_certfile=

# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=

# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0

# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost

# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672

# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port

# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false

# The RabbitMQ userid. (string value)
#rabbit_userid=guest

# The RabbitMQ password. (string value)
# 
###### remaining as from github
#
=======================

16jun14

Thank you for the informative replies. I have seen that configuration of keystone is capable of extending to ldap and even ActiveDirectory. The "identity" driver change along with "assignment" to keystone backing store gives the same error. I have not found a functional configuration. Using the documentation from http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html and  our global catalog, ldap://gc.ad.uky.edu , I tried the configuration change from the admin-guide documentation but received the error: "An error occurred authenticating. Please try again later."  from the dashboard. This is a one node controller system and horizon. 
Continuing to try more iterations fo the configuration. I will post status and answer (if achieved).
=================================

19jun14

BTW: This is devstack.

What creds do I need to get the keystone user-list to work? This way I can find out the ldap roles for auth.

I tried some cred examples from the icehouse install.

stack@pve01:~$ cat creds unset OS_USERNAME unset OS_PASSWORD unset OS_TENANT_NAME export OS_TENANT_PASSWORD unset OS_AUTH_URL

export OS_USERNAME=admin export OS_PASSWORD=xxxxxxx export OS_TENANT_NAME=admin export OS_AUTH_URL=http://controller:35357/v2.0

============== getting this from the keystone user-list

Authorization Failed: Unable to establish connection to http://controller:35357/v2.0/tokens

=============== stack@:~$ sudo nmap -PO hostname

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 14:27 EDT Nmap scan report for hostname (127.0.0.1) Host is up (0.000080s latency). Other addresses for hostname (not scanned): n.n.n.n rDNS record for 127.0.0.1: localhost Not shown: 994 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3306/tcp open mysql 3333/tcp open dec-notes 5000/tcp open upnp 8000/tcp open http-alt

Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds stack@:~$

=============== ===============

Any/all help appreciated.

22jun14

Found the setting on openrc of devstack for the obtaining of the keystone log.

export KEYSTONECLIENT_DEBUG=1

export NOVACLIENT_DEBUG=1

from

http://devstack.org/openrc.html

returning when I find more

This is on icehouse.

o Trying to get /var/log/keystone/keystone.log (permissons are to root) to work but not successful.

o SQL works on this single node for keystone.

Error: An error occurred authenticating. Please try again later.

================ See keystone.conf below:

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################


[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

user_objectclass = person

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =


user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
# everything else in keystone.conf was as pulled from github.
===============================
Original keystone.conf that works

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

#
# Options defined in keystone
#

# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
#admin_token=ADMIN

# The IP Address of the network interface to for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP Address of the network interface to for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0

# The port which the OpenStack Compute service listens on.
# (integer value)
#compute_port=8774

# The port number which the admin service listens on. (integer
# value)
#admin_port=35357

# The port number which the public service listens on.
# (integer value)
#public_port=5000

# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/

# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#admin_endpoint=http://localhost:%(admin_port)s/

# onready allows you to send a notification when the process
# is ready to serve For example, to have it notify using
# systemd, one could set shell command: "onready = systemd-
# notify --ready" or a module with notify() method: "onready =
# keystone.common.systemd". (string value)
#onready=<None>
# enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
#max_request_body_size=114688

# limit the sizes of user & tenant ID/names. (integer value)
#max_param_size=64

# similar to max_param_size, but provides an exception for
# token values. (integer value)
#max_token_size=8192

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, the member_role_id will be used in the API
# add_user_to_project. (string value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_

# The value passed as the keyword "rounds" to passlib encrypt
# method. (integer value)
#crypt_strength=40000

# Set this to True if you want to enable TCP_KEEPALIVE on
# server sockets i.e. sockets used by the keystone wsgi server
# for client connections. (boolean value)
#tcp_keepalive=false

# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Only applies if tcp_keepalive is True. Not supported
# on OS X. (integer value)
#tcp_keepidle=600

# The maximum number of entities that will be returned in a
# collection can be set with list_limit, with no limit set by
# default. This global limit may be then overridden for a
# specific driver, by specifying a list_limit in the
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true
#
# Options defined in oslo.messaging
#

# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false

# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false

# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30

# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions

# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672

# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port

# Username for Qpid connection. (string value)
#qpid_username=

# Password for Qpid connection. (string value)
#qpid_password=

# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=

# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60

# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp

# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true

# The qpid topology version to use.  Version 1 is what was
# originally used by impl_qpid.  Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work.  Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1

# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions. (string value)
#kombu_ssl_version=

# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=

# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
#kombu_ssl_certfile=

# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=

# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0

# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost

# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672

# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port

# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false

# The RabbitMQ userid. (string value)
#rabbit_userid=guest

# The RabbitMQ password. (string value)
# 
###### remaining as from github
#
=======================

16jun14

Thank you for the informative replies. I have seen that configuration of keystone is capable of extending to ldap and even ActiveDirectory. The "identity" driver change along with "assignment" to keystone backing store gives the same error. I have not found a functional configuration. Using the documentation from http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html and  our global catalog, ldap://gc.ad.uky.edu , I tried the configuration change from the admin-guide documentation but received the error: "An error occurred authenticating. Please try again later."  from the dashboard. This is a one node controller system and horizon. 
Continuing to try more iterations fo the configuration. I will post status and answer (if achieved).
=================================

19jun14

BTW: This is devstack.

What creds do I need to get the keystone user-list to work? This way I can find out the ldap roles for auth.

I tried some cred examples from the icehouse install.

stack@pve01:~$ cat creds unset OS_USERNAME unset OS_PASSWORD unset OS_TENANT_NAME export OS_TENANT_PASSWORD unset OS_AUTH_URL

export OS_USERNAME=admin export OS_PASSWORD=xxxxxxx export OS_TENANT_NAME=admin export OS_AUTH_URL=http://controller:35357/v2.0

============== getting this from the keystone user-list

Authorization Failed: Unable to establish connection to http://controller:35357/v2.0/tokens

=============== stack@:~$ sudo nmap -PO hostname

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 14:27 EDT Nmap scan report for hostname (127.0.0.1) Host is up (0.000080s latency). Other addresses for hostname (not scanned): n.n.n.n rDNS record for 127.0.0.1: localhost Not shown: 994 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3306/tcp open mysql 3333/tcp open dec-notes 5000/tcp open upnp 8000/tcp open http-alt

Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds stack@:~$

===============

Any/all help appreciated.

This is on icehouse.

o Trying to get /var/log/keystone/keystone.log (permissons are to root) to work but not successful.

o SQL works on this single node for keystone.

Error: An error occurred authenticating. Please try again later.

================ See keystone.conf below:

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################


[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

user_objectclass = person

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =


user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
# everything else in keystone.conf was as pulled from github.
===============================
Original keystone.conf that works

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

#
# Options defined in keystone
#

# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
#admin_token=ADMIN

# The IP Address of the network interface to for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP Address of the network interface to for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0

# The port which the OpenStack Compute service listens on.
# (integer value)
#compute_port=8774

# The port number which the admin service listens on. (integer
# value)
#admin_port=35357

# The port number which the public service listens on.
# (integer value)
#public_port=5000

# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/

# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#admin_endpoint=http://localhost:%(admin_port)s/

# onready allows you to send a notification when the process
# is ready to serve For example, to have it notify using
# systemd, one could set shell command: "onready = systemd-
# notify --ready" or a module with notify() method: "onready =
# keystone.common.systemd". (string value)
#onready=<None>
# enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
#max_request_body_size=114688

# limit the sizes of user & tenant ID/names. (integer value)
#max_param_size=64

# similar to max_param_size, but provides an exception for
# token values. (integer value)
#max_token_size=8192

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, the member_role_id will be used in the API
# add_user_to_project. (string value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_

# The value passed as the keyword "rounds" to passlib encrypt
# method. (integer value)
#crypt_strength=40000

# Set this to True if you want to enable TCP_KEEPALIVE on
# server sockets i.e. sockets used by the keystone wsgi server
# for client connections. (boolean value)
#tcp_keepalive=false

# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Only applies if tcp_keepalive is True. Not supported
# on OS X. (integer value)
#tcp_keepidle=600

# The maximum number of entities that will be returned in a
# collection can be set with list_limit, with no limit set by
# default. This global limit may be then overridden for a
# specific driver, by specifying a list_limit in the
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true
#
# Options defined in oslo.messaging
#

# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false

# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false

# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30

# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions

# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672

# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port

# Username for Qpid connection. (string value)
#qpid_username=

# Password for Qpid connection. (string value)
#qpid_password=

# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=

# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60

# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp

# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true

# The qpid topology version to use.  Version 1 is what was
# originally used by impl_qpid.  Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work.  Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1

# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions. (string value)
#kombu_ssl_version=

# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=

# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
#kombu_ssl_certfile=

# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=

# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0

# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost

# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672

# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port

# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false

# The RabbitMQ userid. (string value)
#rabbit_userid=guest

# The RabbitMQ password. (string value)
# 
###### remaining as from github
#
=======================

16jun14

Thank you for the informative replies. I have seen that configuration of keystone is capable of extending to ldap and even ActiveDirectory. The "identity" driver change along with "assignment" to keystone backing store gives the same error. I have not found a functional configuration. Using the documentation from http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html and  our global catalog, ldap://gc.ad.uky.edu , I tried the configuration change from the admin-guide documentation but received the error: "An error occurred authenticating. Please try again later."  from the dashboard. This is a one node controller system and horizon. 
Continuing to try more iterations fo the configuration. I will post status and answer (if achieved).
=================================

19jun14

BTW: This is devstack.

What creds do I need to get the keystone user-list to work? This way I can find out the ldap roles for auth.

I tried some cred examples from the icehouse install.

stack@pve01:~$ cat creds unset OS_USERNAME unset OS_PASSWORD unset OS_TENANT_NAME export OS_TENANT_PASSWORD unset OS_AUTH_URL

export OS_USERNAME=admin export OS_PASSWORD=xxxxxxx export OS_TENANT_NAME=admin export OS_AUTH_URL=http://controller:35357/v2.0

============== getting this from the keystone user-list

Authorization Failed: Unable to establish connection to http://controller:35357/v2.0/tokens

=============== stack@:~$ sudo nmap -PO hostname

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 14:27 EDT Nmap scan report for hostname (127.0.0.1) Host is up (0.000080s latency). Other addresses for hostname (not scanned): n.n.n.n rDNS record for 127.0.0.1: localhost Not shown: 994 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3306/tcp open mysql 3333/tcp open dec-notes 5000/tcp open upnp 8000/tcp open http-alt

Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds stack@:~$

===============

Any/all help appreciated.

22jun14

Found the setting on openrc of devstack for the obtaining of the keystone log.

export KEYSTONECLIENT_DEBUG=1

export NOVACLIENT_DEBUG=1

from

http://devstack.org/openrc.html

returning when I find more

22jun14

set export KEYSTONECLIENT_DEBUG=1 export NOVACLIENT_DEBUG=1

o rebuilt devstack

touch /var/log/keystone/keystone

o log still not showing content

This is on icehouse.

o Trying to get /var/log/keystone/keystone.log (permissons are to root) to work but not successful.

o SQL works on this single node for keystone.

Error: An error occurred authenticating. Please try again later.

================ See keystone.conf below:

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

########################################################
log_file = /var/log/keystone/keystone.log
debug = True
verbose = True
########################################################


[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[ldap]
url=ldap://mycorporateserver.xxx:port_number
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

user_objectclass = person

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =


user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
# everything else in keystone.conf was as pulled from github.
===============================
Original keystone.conf that works

[DEFAULT]
admin_token = admin_pass
admin_bind_host = x.x.x.x
admin_endpoint = http://x.x.x.x:%(admin_port)s/
public_endpoint = http://x.x.x.x:%(public_port)s/

#
# Options defined in keystone
#

# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
#admin_token=ADMIN

# The IP Address of the network interface to for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP Address of the network interface to for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0

# The port which the OpenStack Compute service listens on.
# (integer value)
#compute_port=8774

# The port number which the admin service listens on. (integer
# value)
#admin_port=35357

# The port number which the public service listens on.
# (integer value)
#public_port=5000

# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/

# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#admin_endpoint=http://localhost:%(admin_port)s/

# onready allows you to send a notification when the process
# is ready to serve For example, to have it notify using
# systemd, one could set shell command: "onready = systemd-
# notify --ready" or a module with notify() method: "onready =
# keystone.common.systemd". (string value)
#onready=<None>
# enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
#max_request_body_size=114688

# limit the sizes of user & tenant ID/names. (integer value)
#max_param_size=64

# similar to max_param_size, but provides an exception for
# token values. (integer value)
#max_token_size=8192

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, the member_role_id will be used in the API
# add_user_to_project. (string value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_

# The value passed as the keyword "rounds" to passlib encrypt
# method. (integer value)
#crypt_strength=40000

# Set this to True if you want to enable TCP_KEEPALIVE on
# server sockets i.e. sockets used by the keystone wsgi server
# for client connections. (boolean value)
#tcp_keepalive=false

# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Only applies if tcp_keepalive is True. Not supported
# on OS X. (integer value)
#tcp_keepidle=600

# The maximum number of entities that will be returned in a
# collection can be set with list_limit, with no limit set by
# default. This global limit may be then overridden for a
# specific driver, by specifying a list_limit in the
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true
#
# Options defined in oslo.messaging
#

# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false

# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false

# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30

# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions

# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672

# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port

# Username for Qpid connection. (string value)
#qpid_username=

# Password for Qpid connection. (string value)
#qpid_password=

# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=

# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60

# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp

# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true

# The qpid topology version to use.  Version 1 is what was
# originally used by impl_qpid.  Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work.  Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1

# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions. (string value)
#kombu_ssl_version=

# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=

# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
#kombu_ssl_certfile=

# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=

# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0

# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost

# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672

# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port

# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false

# The RabbitMQ userid. (string value)
#rabbit_userid=guest

# The RabbitMQ password. (string value)
# 
###### remaining as from github
#
=======================

16jun14

Thank you for the informative replies. I have seen that configuration of keystone is capable of extending to ldap and even ActiveDirectory. The "identity" driver change along with "assignment" to keystone backing store gives the same error. I have not found a functional configuration. Using the documentation from http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html and  our global catalog, ldap://gc.ad.uky.edu , I tried the configuration change from the admin-guide documentation but received the error: "An error occurred authenticating. Please try again later."  from the dashboard. This is a one node controller system and horizon. 
Continuing to try more iterations fo the configuration. I will post status and answer (if achieved).
=================================

19jun14

BTW: This is devstack.

What creds do I need to get the keystone user-list to work? This way I can find out the ldap roles for auth.

I tried some cred examples from the icehouse install.

stack@pve01:~$ cat creds unset OS_USERNAME unset OS_PASSWORD unset OS_TENANT_NAME export OS_TENANT_PASSWORD unset OS_AUTH_URL

export OS_USERNAME=admin export OS_PASSWORD=xxxxxxx export OS_TENANT_NAME=admin export OS_AUTH_URL=http://controller:35357/v2.0

============== getting this from the keystone user-list

Authorization Failed: Unable to establish connection to http://controller:35357/v2.0/tokens

=============== stack@:~$ sudo nmap -PO hostname

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-19 14:27 EDT Nmap scan report for hostname (127.0.0.1) Host is up (0.000080s latency). Other addresses for hostname (not scanned): n.n.n.n rDNS record for 127.0.0.1: localhost Not shown: 994 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3306/tcp open mysql 3333/tcp open dec-notes 5000/tcp open upnp 8000/tcp open http-alt

Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds stack@:~$

===============

Any/all help appreciated.

22jun14

Found the setting on openrc of devstack for the obtaining of the keystone log.

export KEYSTONECLIENT_DEBUG=1

export NOVACLIENT_DEBUG=1

from

http://devstack.org/openrc.html

returning when I find more

22jun14

set export KEYSTONECLIENT_DEBUG=1 export NOVACLIENT_DEBUG=1

o rebuilt devstack

touch /var/log/keystone/keystone

o log still not showing content

02jul14

posting a solution this worked placing a project/userid in the local sql and accessing the LDAP server (Active Directory) for user level authentication. The OU is fixed, ie:hardcoded, that is the discovered caveat.

hybrid SQL and LDAP backends for OpenStack Keystone For havana release but upgraded to idehouseicehouse

https://github.com/SUSE-Cloud/keystone-hybrid-backendhttps://github.com/matthewfischer/keystone-hybrid-backend/tree/icehouse-packaging