openstack team mailing list archive
Message #24044
Re: How to configure Keystone with open LDAP + horizon on grizzly
I have updated the ask page.
https://ask.openstack.org/question/1350/how-to-configure-keystone-with-open-ldap-horizon-on-grizzly/
On Wed, May 29, 2013 at 8:18 PM, yasith tharindu <yasithucsc@xxxxxxxxx> wrote:
> Now my authentication phase is working through LDAP, I guess. But I'm getting
> an error when trying to log in, saying "You are not authorized for any
> projects."
>
>
> My LDAP configuration seems to be used by Keystone. The keystone
> command gives the following results.
>
>
> root@ubuntu:/home/wso2/ldap# keystone user-list
> WARNING: Bypassing authentication using a token & endpoint (authentication
> credentials are being ignored).
> +------+------+---------+------------------+
> | id | name | enabled | email |
> +------+------+---------+------------------+
> | demo | demo | True | demo@xxxxxxxxxxx |
> +------+------+---------+------------------+
> root@ubuntu:/home/wso2/ldap# keystone role-list
> WARNING: Bypassing authentication using a token & endpoint (authentication
> credentials are being ignored).
> +-------+-------+
> | id | name |
> +-------+-------+
> | admin | Admin |
> +-------+-------+
> root@ubuntu:/home/wso2/ldap# keystone tenant-list
> WARNING: Bypassing authentication using a token & endpoint (authentication
> credentials are being ignored).
> +-------+-------+---------+
> | id | name | enabled |
> +-------+-------+---------+
> | admin | admin | True |
> +-------+-------+---------+
>
>
>
>
> But nova commands return an error with the LDAP user credentials.
>
> # nova image-list
> ERROR: Invalid OpenStack Nova credentials.
>
>
> The environment variables I used are as follows.
>
> export OS_USERNAME=demo
> export OS_TENANT_NAME=admin
> export OS_PASSWORD=secret
> export OS_AUTH_URL=http://192.168.1.111:5000/v2.0/
> export OS_REGION_NAME=RegionOne
> export SERVICE_ENDPOINT="http://192.168.1.111:35357/v2.0"
> export SERVICE_TOKEN=012345SECRET99TOKEN012345
> export OS_NO_CACHE=1
>
>
>
>
> The following is the Keystone log.
>
> 2013-05-29 02:45:20 DEBUG [keystone.common.ldap.core] LDAP search:
> dn=ou=Tenants,dc=example,dc=com, scope=2,
> query=(&(objectClass=organizationalRole)(roleOccupant=cn=demo,ou=Users,dc=example,dc=com)),
> attrs=None
> 2013-05-29 02:45:20 DEBUG [keystone.common.wsgi] ********************
> RESPONSE HEADERS ********************
> 2013-05-29 02:45:20 DEBUG [keystone.common.wsgi] Vary = X-Auth-Token
> 2013-05-29 02:45:20 DEBUG [keystone.common.wsgi] Content-Type =
> application/json
> 2013-05-29 02:45:20 DEBUG [keystone.common.wsgi] Content-Length = 36
> 2013-05-29 02:45:20 DEBUG [keystone.common.wsgi]
> 2013-05-29 02:45:20 DEBUG [keystone.common.wsgi] ********************
> RESPONSE BODY ********************
> 2013-05-29 02:45:20 DEBUG [keystone.common.wsgi] {"tenants_links": [],
> "tenants": []}
> 2013-05-29 02:45:20 INFO [access] 127.0.0.1 - - [28/May/2013:21:15:20
> +0000] "GET http://127.0.0.1:5000/v2.0/tenants HTTP/1.0" 200 36
> 2013-05-29 02:45:20 DEBUG [eventlet.wsgi.server] 127.0.0.1 - -
> [29/May/2013 02:45:20] "GET /v2.0/tenants HTTP/1.1" 200 164 0.028584
>
>
>
> And the tenant config of Keystone is as follows:
>
> tenant_tree_dn = ou=Tenants,dc=example,dc=com
> tenant_objectclass = groupOfNames
> tenant_id_attribute = cn
> tenant_member_attribute = member
> tenant_name_attribute = cn
> tenant_domain_id_attribute = businessCategory
> tenant_enabled_attribute = o
> tenant_allow_create = True
> tenant_allow_update = True
> tenant_allow_delete = True
> tenant_desc_attribute = description
>
>
>
> Does anyone have any suggestions? It seems there are no tenants according to the
> log "DEBUG [keystone.common.wsgi] {"tenants_links": [], "tenants": []} "
> But I have enabled the user in the Tenant LDAP group.
>
> dn: cn=admin,ou=Tenants,dc=example,dc=com
> objectClass: groupOfNames
> cn: admin
> o: True
> businessCategory: default
> description: Openstack admin Tenant
> member: cn=demo,ou=Users,dc=example,dc=com
>
> Thanks in advance..:)
>
>
> On Mon, May 20, 2013 at 11:24 AM, yasith tharindu <yasithucsc@xxxxxxxxx> wrote:
>
>> The question is posted on openstack ask page.
>> https://ask.openstack.org/question/1350/how-to-configure-keystone-with-open-ldap-horizon-on-grizzly/
>>
>> Error
>>
>> 2013-05-19 15:21:23 ERROR [root] 'domain_id'
>> Traceback (most recent call last):
>> File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 236, in __call__
>> result = method(context, **params)
>> File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 82, in authenticate
>> core.validate_auth_info(self, context, user_ref, tenant_ref)
>> File "/usr/lib/python2.7/dist-packages/keystone/token/core.py", line 84, in validate_auth_info
>> user_ref['domain_id'])
>> KeyError: 'domain_id'
>>
>> 2013-05-19 15:21:23 DEBUG [keystone.common.wsgi] {"error": {"message": "An unexpected error prevented the server from fulfilling your request. 'domain_id'", "code": 500, "title": "Internal Server Error"}}
>>
>> Keystone config
>>
>> ==========================================================================
>> url = ldap://192.168.1.111
>> user = cn=admin,dc=example,dc=com
>> password = secret
>> suffix = cn=example,cn=com
>> use_dumb_member = False
>> tree_dn = dc=example,dc=com
>>
>> user_tree_dn = ou=Users,dc=example,dc=com
>> user_objectclass = inetOrgPerson
>> user_id_attribute = cn
>> user_name_attribute = sn
>> user_pass_attribute = userPassword
>> user_allow_create = True
>> user_allow_update = True
>> user_enabled_attribute = enabled
>> user_enabled_default = True
>> user_domain_id_attribute = None
>>
>> tenant_tree_dn = ou=Tenants,dc=example,dc=com
>> tenant_objectclass = groupOfNames
>> tenant_id_attribute = cn
>> tenant_member_attribute = member
>> tenant_name_attribute = ou
>> tenant_domain_id_attribute = None
>> tenant_allow_create = True
>> tenant_allow_update = True
>>
>>
>> role_tree_dn = ou=Roles,dc=example,dc=com
>> role_objectclass = groupOfNames
>> role_member_attribute = member
>> role_id_attribute = cn
>> role_name_attribute = ou
>> role_allow_create = True
>> role_allow_update = True
>>
>>
>> ==============================================
>>
>> The LDAP config is as follows.
>>
>> dn: dc=example,dc=com
>> objectClass: top
>> objectClass: dcObject
>> objectClass: organization
>> o: example Inc
>> dc: example
>>
>>
>> dn: cn=admin,dc=example,dc=com
>> objectClass: simpleSecurityObject
>> objectClass: organizationalRole
>> cn: admin
>> description: LDAP administrator
>> userPassword:: c2VjcmV0
>>
>>
>>
>> dn: ou=Users,dc=example,dc=com
>> ou: users
>> objectClass: organizationalUnit
>> structuralObjectClass: organizationalUnit
>>
>>
>> dn: ou=Roles,dc=example,dc=com
>> ou: roles
>> objectClass: organizationalUnit
>> structuralObjectClass: organizationalUnit
>>
>>
>> dn: ou=Tenants,dc=example,dc=com
>> ou: tenants
>> objectClass: organizationalUnit
>>
>>
>>
>> dn: cn=demo,ou=Users,dc=example,dc=com
>> cn: demo
>> displayName: demo
>> givenName: demo
>> mail: demo@xxxxxxxxxxx
>> objectClass: inetOrgPerson
>> objectClass: top
>> sn: demo
>> uid: demo
>> userPassword:: c2VjcmV0
>>
>>
>> dn: cn=admin,ou=Roles,dc=example,dc=com
>> objectClass: groupOfNames
>> cn: admin
>> description: Openstack admin Role
>> member: cn=demo,ou=Users,dc=example,dc=com
>>
>>
>> dn: cn=admin,ou=Tenants,dc=example,dc=com
>> objectClass: groupOfNames
>> cn: admin
>> description: Openstack admin Tenant
>> member: cn=demo,ou=Users,dc=example,dc=com
>>
>> I would really appreciate your help.
>>
>>
>
>
> --
> Thanks..
> Regards...
>
> Blog: http://www.yasith.info
> Twitter : http://twitter.com/yasithnd
> LinkedIn : http://www.linkedin.com/in/yasithnd
> GPG Key ID : 57CEE66E
>
--
Thanks..
Regards...
Blog: http://www.yasith.info
Twitter : http://twitter.com/yasithnd
LinkedIn : http://www.linkedin.com/in/yasithnd
GPG Key ID : 57CEE66E
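The empty `"tenants": []` response in the quoted log can be reproduced offline from what the thread shows. The filter Keystone logged under `ou=Tenants` asks for entries of `objectClass=organizationalRole` with `roleOccupant=<user dn>` (the shape of Keystone's role-assignment lookup, driven by the role_* mapping), while the entry the poster created is a `groupOfNames` with a `member` attribute, as the tenant_* settings describe. The script below is an added example, not Keystone's code and not from the thread: it parses the posted LDIF, evaluates the logged filter against it (no hit), and then evaluates a filter built from the posted tenant_objectclass/tenant_member_attribute values (one hit). The LDIF and filter strings are copied from the thread; the tiny filter evaluator, which supports only an AND of equality assertions, is this example's own simplification.

```python
"""Evaluate the LDAP filter from the Keystone debug log against the LDIF
entries from the thread.  Added example; the filter evaluator is a
deliberate simplification (AND of equality assertions only)."""
import re

# LDIF entries copied from the thread (only the tenant subtree matters here).
LDIF = """\
dn: ou=Tenants,dc=example,dc=com
ou: tenants
objectClass: organizationalUnit

dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
cn: admin
o: True
businessCategory: default
description: Openstack admin Tenant
member: cn=demo,ou=Users,dc=example,dc=com
"""

# Filter exactly as Keystone logged it (search base ou=Tenants, scope=2 = subtree).
LOGGED_FILTER = ("(&(objectClass=organizationalRole)"
                 "(roleOccupant=cn=demo,ou=Users,dc=example,dc=com))")

# tenant_* values from the poster's keystone.conf [ldap] section.
TENANT_CONF = {
    "tenant_tree_dn": "ou=Tenants,dc=example,dc=com",
    "tenant_objectclass": "groupOfNames",
    "tenant_member_attribute": "member",
}


def parse_ldif(text):
    """Parse minimal LDIF (attr: value lines, blank-line separated) into a list
    of {attr: [values]} dicts.  Attribute names are lower-cased because LDAP
    attribute types are case-insensitive."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def parse_and_filter(flt):
    """Split an '(&(a=v)(b=w)...)' filter into [(attr, value), ...].
    Values may contain '=' themselves (DNs), so split on the first '=' only."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", flt)
    if not m:
        raise ValueError("only (&(attr=value)...) filters are supported")
    return [tuple(t.split("=", 1)) for t in re.findall(r"\(([^()]*)\)", m.group(1))]


def search(entries, base_dn, flt):
    """Return the DNs under base_dn (subtree scope) that satisfy every equality
    assertion of the AND filter, comparing case-insensitively."""
    assertions = parse_and_filter(flt)
    hits = []
    for entry in entries:
        dn = entry["dn"][0]
        if not dn.lower().endswith(base_dn.lower()):
            continue
        if all(value.lower() in (v.lower() for v in entry.get(attr.lower(), []))
               for attr, value in assertions):
            hits.append(dn)
    return hits


def configured_filter(conf, user_dn):
    """Membership filter implied by the posted tenant_* mapping."""
    return "(&(objectClass=%s)(%s=%s))" % (
        conf["tenant_objectclass"], conf["tenant_member_attribute"], user_dn)


def diagnose(ldif_text=LDIF, logged=LOGGED_FILTER, conf=TENANT_CONF,
             user_dn="cn=demo,ou=Users,dc=example,dc=com"):
    """Compare what the logged filter finds with what the configured mapping
    would find; a mismatch means the directory entries and the attribute
    mapping in effect do not agree."""
    entries = parse_ldif(ldif_text)
    base = conf["tenant_tree_dn"]
    return {
        "logged_filter_hits": search(entries, base, logged),
        "configured_filter_hits": search(entries, base, configured_filter(conf, user_dn)),
    }


if __name__ == "__main__":
    result = diagnose()
    print("filter from keystone log :", result["logged_filter_hits"])
    print("filter from tenant_* conf:", result["configured_filter_hits"])
```

The practical point for anyone debugging an LDAP identity backend: the DEBUG line that prints the search base and filter tells you which attribute mapping is actually in effect, so compare it against the objectClass and membership attribute of the entries you created before changing anything else.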