openstack team mailing list archive

Thread
Date
Re: How to configure Keystone with open LDAP + horizon on grizzly

To: openstack@xxxxxxxxxxxxxxxxxxx
From: yasith tharindu <yasithucsc@xxxxxxxxx>
Date: Wed, 29 May 2013 20:18:02 +0530
In-reply-to: <CAMpRDc7jQxOP=ET4MzkH_-Bs1gF8fjKqqHWE_4fRYOjj=B2QFg@mail.gmail.com>
Now my authentication phase is right through ldap i guess. But Im getting a
error when try to login saying "You are not authorized for any projects."


My ldap configurations have been used by the keystone it seems. keystone
command gives following results.


root@ubuntu:/home/wso2/ldap#* keystone user-list*
WARNING: Bypassing authentication using a token & endpoint (authentication
credentials are being ignored).
+------+------+---------+------------------+
|  id  | name | enabled |      email       |
+------+------+---------+------------------+
| demo | demo |   True  | demo@xxxxxxxxxxx |
+------+------+---------+------------------+
root@ubuntu:/home/wso2/ldap# *keystone role-list*
WARNING: Bypassing authentication using a token & endpoint (authentication
credentials are being ignored).
+-------+-------+
|   id  |  name |
+-------+-------+
| admin | Admin |
+-------+-------+
root@ubuntu:/home/wso2/ldap# *keystone tenant-list*
WARNING: Bypassing authentication using a token & endpoint (authentication
credentials are being ignored).
+-------+-------+---------+
|   id  |  name | enabled |
+-------+-------+---------+
| admin | admin |   True  |
+-------+-------+---------+




But with nova commands  return a error with the ldap user credentials.

#* nova image-list*
ERROR: Invalid OpenStack Nova credentials.


System variables I used as follows.

export OS_USERNAME=demo
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://192.168.1.111:5000/v2.0/
export OS_REGION_NAME=RegionOne
export SERVICE_ENDPOINT="http://192.168.1.111:35357/v2.0";
export SERVICE_TOKEN=012345SECRET99TOKEN012345
export OS_NO_CACHE=1




Following is the keystone log..

2013-05-29 02:45:20    DEBUG [keystone.common.ldap.core] LDAP search:
dn=ou=Tenants,dc=example,dc=com, scope=2,
query=(&(objectClass=organizationalRole)(roleOccupant=cn=demo,ou=Users,dc=example,dc=com)),
attrs=None
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] ********************
RESPONSE HEADERS ********************
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Vary = X-Auth-Token
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Content-Type =
application/json
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Content-Length = 36
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi]
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] ********************
RESPONSE BODY ********************
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] {"tenants_links": [],
"tenants": []}
2013-05-29 02:45:20     INFO [access] 127.0.0.1 - - [28/May/2013:21:15:20
+0000] "GET http://127.0.0.1:5000/v2.0/tenants HTTP/1.0" 200 36
2013-05-29 02:45:20    DEBUG [eventlet.wsgi.server] 127.0.0.1 - -
[29/May/2013 02:45:20] "GET /v2.0/tenants HTTP/1.1" 200 164 0.028584



And tenant config of keystone as follows;

tenant_tree_dn = ou=Tenants,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = cn
tenant_domain_id_attribute = businessCategory
tenant_enabled_attribute = o
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
tenant_desc_attribute = description



*Any one have any suggestions??*  It seems no tanents according to the log
"DEBUG [keystone.common.wsgi] {"tenants_links": [], "tenants": []} "
But i have enabled the user in the Tenant ldap group.

dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
cn: admin
o: True
businessCategory: default
description: Openstack admin Tenant
member: cn=demo,ou=Users,dc=example,dc=com

Thanks in advance..:)


On Mon, May 20, 2013 at 11:24 AM, yasith tharindu <yasithucsc@xxxxxxxxx>wrote:

> The question is posted on openstack ask page.
> https://ask.openstack.org/question/1350/how-to-configure-keystone-with-open-ldap-horizon-on-grizzly/
>
> Error
>
> 2013-05-19 15:21:23    ERROR [root] 'domain_id'
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 236, in __call__
>     result = method(context, **params)
>   File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 82, in authenticate
>     core.validate_auth_info(self, context, user_ref, tenant_ref)
>   File "/usr/lib/python2.7/dist-packages/keystone/token/core.py", line 84, in validate_auth_info
>     user_ref['domain_id'])
> KeyError: 'domain_id'
>
> 2013-05-19 15:21:23    DEBUG [keystone.common.wsgi] {"error": {"message": "An unexpected error prevented the server from fulfilling your request. 'domain_id'", "code": 500, "title": "Internal Server Error"}}
>
> Keystone config
>
> ==========================================================================
> url = ldap://192.168.1.111
> user = cn=admin,dc=example,dc=com
> password = secret
> suffix = cn=example,cn=com
> use_dumb_member = False
> tree_dn = dc=example,dc=com
>
> user_tree_dn = ou=Users,dc=example,dc=com
> user_objectclass = inetOrgPerson
> user_id_attribute = cn
> user_name_attribute = sn
> user_pass_attribute = userPassword
> user_allow_create = True
> user_allow_update = True
> user_enabled_attribute = enabled
> user_enabled_default = True
> user_domain_id_attribute = None
>
> tenant_tree_dn = ou=Tenants,dc=example,dc=com
> tenant_objectclass = groupOfNames
> tenant_id_attribute = cn
> tenant_member_attribute = member
> tenant_name_attribute = ou
> tenant_domain_id_attribute = None
> tenant_allow_create = True
> tenant_allow_update = True
>
>
> role_tree_dn = ou=Roles,dc=example,dc=com
> role_objectclass = groupOfNames
> role_member_attribute = member
> role_id_attribute = cn
> role_name_attribute = ou
> role_allow_create = True
> role_allow_update = True
>
>
> ==============================================
>
> ldap config as follows.
>
> dn: dc=example,dc=com
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: example Inc
> dc: example
>
>
> dn: cn=admin,dc=example,dc=com
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: admin
> description: LDAP administrator
> userPassword:: c2VjcmV0
>
>
>
> dn: ou=Users,dc=example,dc=com
> ou: users
> objectClass: organizationalUnit
> structuralObjectClass: organizationalUnit
>
>
> dn: ou=Roles,dc=example,dc=com
> ou: roles
> objectClass: organizationalUnit
> structuralObjectClass: organizationalUnit
>
>
> dn: ou=Tenants,dc=example,dc=com
> ou: tenants
> objectClass: organizationalUnit
>
>
>
> dn: cn=demo,ou=Users,dc=example,dc=com
> cn: demo
> displayName: demo
> givenName: demo
> mail: demo@xxxxxxxxxxx
> objectClass: inetOrgPerson
> objectClass: top
> sn: demo
> uid: demo
> userPassword:: c2VjcmV0
>
>
> dn: cn=admin,ou=Roles,dc=example,dc=com
> objectClass: groupOfNames
> cn: admin
> description: Openstack admin Role
> member: cn=demo,ou=Users,dc=example,dc=com
>
>
> dn: cn=admin,ou=Tenants,dc=example,dc=com
> objectClass: groupOfNames
> cn: admin
> description: Openstack admin Tenant
> member: cn=demo,ou=Users,dc=example,dc=com
>
> I would really appreciate your help
>
>


-- 
Thanks..
Regards...

Blog: http://www.yasith.info
Twitter : http://twitter.com/yasithnd
LinkedIn : http://www.linkedin.com/in/yasithnd
GPG Key ID : *57CEE66E*
Follow ups

Re: How to configure Keystone with open LDAP + horizon on grizzly
From: yasith tharindu, 2013-05-29
References

How to configure Keystone with open LDAP + horizon on grizzly
From: yasith tharindu, 2013-05-20