iloveopenstack's profile - activity

2019-02-28 02:14:33 -0500 received badge  Popular Question (source)
2019-02-27 03:13:29 -0500 received badge  Notable Question (source)
2019-02-27 03:13:29 -0500 received badge  Popular Question (source)
2018-12-26 05:27:21 -0500 received badge  Enthusiast
2018-12-14 07:30:36 -0500 asked a question keystone problem

Hi

I totally do not understand how integration between the Identity back end and an external LDAP works.

  1. I have created a fresh OS and installed RDO from Packstack using this article: https://www.techsupportpk.com/2016/12/installing-openstack-on-multi-node-in-linux.html

  2. Using CentOS 7

    Linux version 3.10.0-957.1.3.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-36)

In my environment there are two test servers:

controller2-tst - controller

vs-c06-ad-tst.test.local - Active Directory Win2k8 domain controller

  1. My keystone admin.sh config is below:

    unset OS_SERVICE_TOKEN
    export OS_USERNAME=admin
    export OS_PASSWORD='7dabafe103fb4b35'
    export OS_AUTH_URL=http://172.31.191.100:5000/v3
    export PS1='[\u@\h \W(keystone_admin)]\$ '
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_IDENTITY_API_VERSION=3

  2. Used the doc article to try to configure the relation between the Default domain and the LDAP domain: https://docs.openstack.org/keystone/latest/admin/integrate-with-ldap.html#identity-ldap-server-setup

In my keystone.conf I added only:

[identity]
driver = ldap
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

Created /etc/keystone/domains/keystone.TEST.conf and added:

[ldap]
url = ldap://vs-c06-ad-tst.test.local
user = CN=adminAD,CN=Users,DC=test,DC=local
password = Qwerty123
suffix = DC=test,DC=local
user_tree_dn = DC=test,DC=local
user_objectclass = inetOrgPerson

#group_tree_dn = OU=Groups,DC=test,DC=local
#group_objectclass = groupOfNames
  1. Created the TEST domain and can see local users, for example:

openstack user list

| 9f268f32a2124c9eaf9d16286c0c1098 | nova      |
| a5b7ccbb91df442fbefc17a717fb0727 | admin     |
| a7c2cdc895ef4d2bb1c72555d44b1c75 | placement |
| ab9647db53b34e97b384edb8e2350f3b | glance    |
| db47ff496e6a40a282ba437f6e9dad5b | neutron   |
+----------------------------------+-----------+
openstack domain list
+---------+---------+---------+--------------------+
| ID      | Name    | Enabled | Description        |
+---------+---------+---------+--------------------+
| default | Default | True    | The default domain |
+---------+---------+---------+--------------------+
  1. I can log on via HTTP to

http://172.31.191.100:5000/v3

{
  "status": "stable",
  "updated": "2018-02-28T00:00:00Z",
  "media-types": [
    {
      "base": "application/json",
      "type": "application/vnd.openstack.identity-v3+json"
    }
  ],
  "id": "v3.10",
  "links": [
    {
      "href": "http://172.31.191.100:5000/v3/",
      "rel": "self"
    }
  ]
}

BUT after restarting httpd I see errors:

2018-12-14 13:19:03.700 27829 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal.  Its value may be silently ignored in the future.
2018-12-14 13:19:03.783 27829 INFO keystone.token.persistence.backends.sql [-] Total expired tokens removed: 0
2018-12-14 13:19:28.700 21770 INFO keystone.common.wsgi [req-632ad35e-081f-46bf-9a65-165f38649dcf - - - - -] POST http://172.31.191.100:5000/v3/auth/tokens
2018-12-14 13:19:29.660 21770 ERROR keystone.common.wsgi [req-632ad35e-081f-46bf-9a65-165f38649dcf - - - - -] {'desc': "Can't contact LDAP server"}: BackendError: {'desc': "Can't contact LDAP server"}


openstack user list --domain TEST
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-78cb6dbe-0db7-4e7b-a4e9-10adb9d4c960)

It's strange because my domain controller is available and port 389 is open:

ldapsearch -W -x -D CN=adminAD,CN=Users,DC=test,DC=local -b "DC=test,DC=local" -h vs-c06-ad-tst.test.local "(cn=adminAD)"

# extended LDIF
#
# LDAPv3
# base <DC=test,DC=local> with scope subtree
# filter: (cn=adminAD)
# requesting: ALL
#

# adminAD, Users, test.local
dn: CN=adminAD,CN=Users,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: adminAD
givenName: adminAD
distinguishedName: CN=adminAD,CN=Users,DC=test,DC ...
(more)
2018-12-13 15:57:42 -0500 answered a question active directory 2008 and keystone integration

Thanks for the reply.

I changed the keystone conf, /etc/keystone/keystone.conf, and removed /etc/keystone/domains/keystone.TEST.conf because we need only one Active Directory domain integration.

keystone.conf settings:

[ldap]
url = ldap://vs-c06-ad-tst.test.local
user = CN=adminAD,CN=Users,DC=test,DC=local
password = Qwerty123
suffix = DC=test,DC=local
user_tree_dn = ou=Users,DC=test,DC=local
user_objectclass = inetOrgPerson
group_tree_dn = ou=Groups,DC=test,DC=local
group_objectclass = groupOfNames
user_objectclass = person
user_filter = (memberof=CN=grp-openstack,OU=Users,DC=test,DC=local)
group_filter =

[identity]
driver = ldap

nova.conf

[keystone_authtoken]
auth_version = v3

When testing openstack user list --domain TEST, I get:

- Missing value auth-url required for auth plugin password

In the keystone log:

2018-12-13 17:52:39.226 13346 INFO keystone.common.wsgi [req-673053b0-2dda-45eb-8f4e-8cfe4e8040b7 - - - - -] POST http://172.31.191.100:5000/v3/auth/tokens
2018-12-13 17:52:39.406 13346 WARNING keystone.auth.plugins.core [req-673053b0-2dda-45eb-8f4e-8cfe4e8040b7 - - - - -] Could not find user: placement.: UserNotFound: Could not find user: placement.
2018-12-13 17:52:39.407 13346 WARNING keystone.common.wsgi [req-673053b0-2dda-45eb-8f4e-8cfe4e8040b7 - - - - -] Authorization failed. The request you have made requires authentication. from 172.31.191.100: $
2018-12-13 17:53:03.396 16408 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal.  Its value may be silently ignored in the future.
2018-12-13 17:53:03.450 16408 INFO keystone.token.persistence.backends.sql [-] Total expired tokens removed: 0
2018-12-13 08:59:57 -0500 received badge  Editor (source)
2018-12-13 03:43:14 -0500 asked a question active directory 2008 and keystone integration

Hi all, I installed OpenStack RDO in my lab with Packstack and am testing integration with an Active Directory server. My test stand description:

controller2-tst - IP x.x.x.x

vs-c06-ad-tst.test.local - IP x.x.x.x, Active Directory Win2k8 server

Used this article to configure keystone: https://www.ibm.com/developerworks/cloud/library/cl-configure-keystone-ldap-and-active-directory/index.html

But the integration isn't working. In the keystone log I see errors:

  • An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-7c417195-fb14-4f1b-9f26-d1cdc05ff7f7)

    2018-12-13 11:57:03.253 11750 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal. Its value may be silently ignored in the future.
    2018-12-13 11:57:03.349 11750 INFO keystone.token.persistence.backends.sql [-] Total expired tokens removed: 0
    2018-12-13 11:57:20.550 11779 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal. Its value may be silently ignored in the future.
    2018-12-13 11:57:20.881 11779 INFO keystone.common.wsgi [req-675018fd-1ddd-4b82-ac3f-c75fc36aa964 - - - - -] GET http://172.31.191.100:5000/v3/
    2018-12-13 11:57:22.961 11781 WARNING oslo_config.cfg [-] Option "driver" from group "token" is deprecated for removal. Its value may be silently ignored in the future.
    2018-12-13 11:57:23.309 11781 INFO keystone.common.wsgi [req-7c417195-fb14-4f1b-9f26-d1cdc05ff7f7 - - - - -] POST http://172.31.191.100:5000/v3/auth/tokens
    2018-12-13 11:57:23.463 11781 WARNING stevedore.named [req-7c417195-fb14-4f1b-9f26-d1cdc05ff7f7 - - - - -] Could not load keystone.identity.backends.ldap.Identity
    2018-12-13 11:57:23.464 11781 ERROR keystone.common.wsgi [req-7c417195-fb14-4f1b-9f26-d1cdc05ff7f7 - - - - -] (u'Unable to find %(name)r driver in %(namespace)r.', {'namespace': 'keystone.identity', 'name': 'keystone.identity.backends.ldap.Identity'}): ImportError: (u'Unable to find %(name)r driver in %(namespace)r.', {'namespace': 'keystone.identity', 'name': 'keystone.identity.backends.ldap.Identity'})
    2018-12-13 11:57:23.464 11781 ERROR keystone.common.wsgi Traceback (most recent call last):

My keystone configs are below.

keystone.conf:

[identity]
domain_specific_drivers_enabled=true
domain_config_dir=/etc/keystone/domains

/etc/keystone/domains/keystone.TEST.conf:

[ldap]
url = ldap://vs-c06-ad-tst.test.local
user = cn=adminAD,dc=test,dc=local
password = Qwerty123
suffix = dc=test,dc=local
group_tree_dn = ou=UserGroups,dc=test,dc=local
user_tree_dn = ou=Users,dc=test,dc=local
user_mail_attribute = mail

[identity]
driver = keystone.identity.backends.ldap.Identity

/etc/openstack-dashboard/local_settings:

OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'

I am still able to open the http://controller2-tst:5000/v3 link, but I can't log on to the Horizon dashboard as an Active Directory user. I tried switching drivers between keystone.identity.backends.ldap.Identity and keystone.identity.backends.sql.Identity, still no changes.
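A small lint for the [ldap] and [identity] sections quoted in the three posts above, written here as an added example; it is not Keystone's code or the poster's. It flags what these posts show: the dotted driver class path that produced "Unable to find driver" (Keystone expects the entry-point name, as in driver = ldap), a user_objectclass that does not appear among the objectClass values ldapsearch returned for adminAD, a key set twice in one section, a filter key left empty, and a cleartext ldap:// bind carrying a plaintext password. The sample configs are constructed from the posted values with the password replaced; the AD objectClass list is taken from the ldapsearch output in the first post, and the use_tls option is the standard Keystone [ldap] setting.

```python
"""Lint a Keystone [ldap]/[identity] config for the mistakes visible in the posts."""
import configparser
import re

# Keystone loads identity drivers by entry-point name, not by dotted class path.
VALID_IDENTITY_DRIVERS = {"sql", "ldap"}

# objectClass values the first post's ldapsearch returned for CN=adminAD.
AD_USER_OBJECTCLASSES = {"top", "person", "organizationalPerson", "user"}


def lint_keystone_ldap(text):
    """Return a list of findings (strings) for keystone.conf-style text."""
    findings = []

    # Pass 1: find keys set twice in a section. configparser in non-strict
    # mode silently keeps the last value, so we detect duplicates ourselves.
    section, seen = None, {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", ";")):
            continue
        if s.startswith("["):
            section = s.strip("[]").strip()
            seen.setdefault(section, set())
            continue
        key = re.split(r"[=:]", s, maxsplit=1)[0].strip().lower()
        if key in seen.setdefault(section, set()):
            findings.append(f"[{section}] {key}: set more than once; only the last value is used")
        seen[section].add(key)

    # Pass 2: parse and check values (last duplicate wins, as in configparser).
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)

    driver = cp.get("identity", "driver", fallback="")
    if driver and driver not in VALID_IDENTITY_DRIVERS:
        findings.append(f"[identity] driver = {driver}: use an entry-point name such as 'ldap', not a dotted class path")

    if not cp.has_section("ldap"):
        return findings
    ldap = cp["ldap"]

    if ldap.get("url", "").startswith("ldap://"):
        findings.append("[ldap] url uses ldap://: the bind password travels in cleartext; use ldaps:// or use_tls = true")
    for key in ("url", "user", "suffix", "user_tree_dn"):
        if not ldap.get(key):
            findings.append(f"[ldap] {key} is missing or empty")
    if ldap.get("password"):
        findings.append("[ldap] password is stored in plaintext; keep the file readable only by the keystone user")
    oc = ldap.get("user_objectclass", "")
    if oc and oc not in AD_USER_OBJECTCLASSES:
        findings.append(f"[ldap] user_objectclass = {oc}: not among the objectClass values AD returned for adminAD, so no user would match")
    for key in ("user_filter", "group_filter"):
        if key in ldap and not ldap.get(key):
            findings.append(f"[ldap] {key} is present but empty; remove the key or give it a filter")
    tree, suffix = ldap.get("user_tree_dn", ""), ldap.get("suffix", "")
    if tree and suffix and not tree.lower().endswith(suffix.lower()):
        findings.append(f"[ldap] user_tree_dn {tree} is not under suffix {suffix}")
    return findings


# Constructed from the first question's domain file (password replaced).
SAMPLE_DOMAIN_CONF = """\
[ldap]
url = ldap://vs-c06-ad-tst.test.local
user = CN=adminAD,CN=Users,DC=test,DC=local
password = PLACEHOLDER_PASSWORD
suffix = DC=test,DC=local
user_tree_dn = DC=test,DC=local
user_objectclass = inetOrgPerson
"""

# Constructed from the oldest post, which used a dotted driver path.
SAMPLE_OLD_DRIVER = """\
[identity]
driver = keystone.identity.backends.ldap.Identity
"""

# Constructed from the answer post: user_objectclass set twice, empty group_filter.
SAMPLE_ANSWER_CONF = """\
[ldap]
url = ldap://vs-c06-ad-tst.test.local
user = CN=adminAD,CN=Users,DC=test,DC=local
password = PLACEHOLDER_PASSWORD
suffix = DC=test,DC=local
user_tree_dn = ou=Users,DC=test,DC=local
user_objectclass = inetOrgPerson
group_tree_dn = ou=Groups,DC=test,DC=local
group_objectclass = groupOfNames
user_objectclass = person
user_filter = (memberof=CN=grp-openstack,OU=Users,DC=test,DC=local)
group_filter =

[identity]
driver = ldap
"""

if __name__ == "__main__":
    for name, conf in (("domain", SAMPLE_DOMAIN_CONF), ("old driver", SAMPLE_OLD_DRIVER), ("answer", SAMPLE_ANSWER_CONF)):
        print(f"== {name} ==")
        for finding in lint_keystone_ldap(conf):
            print(" -", finding)
```

Run it against a real /etc/keystone/domains/keystone.TEST.conf by reading the file into a string and passing it to lint_keystone_ldap; the duplicate-key pass matters because configparser in strict mode would otherwise raise on the answer post's second user_objectclass instead of showing which value Keystone actually ends up using.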