yahoo-eng-team team mailing list archive

[Bug 1168726] Re: default_domain_id breaks the ability to map keystone to ldap

 

** Changed in: keystone/grizzly
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1168726

Title:
  default_domain_id breaks the ability to map keystone to ldap

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone grizzly series:
  Fix Released

Bug description:
  After successfully installing grizzly with devstack with the LDAP backend,
  when a user tries to log in via the Horizon dashboard, authentication is
  denied with the following error in screen-horizon.log:

  [Fri Apr 12 14:40:31 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
  [Fri Apr 12 14:40:31 2013] [error] DEBUG:openstack_auth.backend:Authorization Failed: [Errno 111] Connection refused
  [Fri Apr 12 14:40:46 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
  [Fri Apr 12 14:40:46 2013] [error] DEBUG:openstack_auth.backend:Authorization Failed: [Errno 111] Connection refused
  [Fri Apr 12 14:49:45 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
  [Fri Apr 12 14:49:45 2013] [error] DEBUG:openstack_auth.backend:Authorization Failed: Unable to communicate with identity service: {"error": {"message": "Could not find domain: default", "code": 404, "title": "Not Found"}}. (HTTP 404)

  The failure is due to the fact that no 'default' domain was created in the LDAP tree, something keystone was looking for. The long-term solution may be not to expect a 'default' domain in the LDAP tree in keystone, or to create one automatically (which could be a problem in a read-only LDAP environment, though), which seems to be what the sql backend is doing.
  The quick solution is to create a 'default' domain specific entry in the LDAP tree when the user selects the option to install LDAP with the KEYSTONE_IDENTITY_BACKEND=ldap option. As a workaround, users with existing LDAP may need to create the 'default' domain specific entry manually for now.

  
  I have opened a similar bug for devstack here - https://bugs.launchpad.net/devstack/+bug/1168724
