yahoo-eng-team team mailing list archive
Message #09161
[Bug 1274581] [NEW] keystone ldap identity backend will not work without TLS_CACERT path specified in an ldap.conf file
Public bug reported:
I'm on Ubuntu 12.04 using havana 2013.2.1. What I've found is that the
LDAP identity backend for keystone will not talk to my LDAP server
(using ldaps) unless I have an ldap.conf that contains a TLS_CACERT
line. This line duplicates the setting of tls_cacertfile in my keystone
conf and therefore I don't see why it should be required. The rest of my
/etc/ldap/ldap.conf file is default/commented out. When I don't have
this line set I get a SERVER_DOWN error. I am using LDAP from a FreeIPA
server if that matters.
Error message from the logs:
2014-01-30 16:24:17.168 21174 TRACE keystone.common.wsgi SERVER_DOWN: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}
and from the CLI:
Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"} (HTTP 500)
Below are relevant sections of my configs:
/etc/ldap/ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
---------------------
keystone.conf:
[identity]
driver = keystone.identity.backends.ldap.Identity
...
[ldap]
url = ldaps://ldap.example.com:636
user = uid=mfischer,cn=users,cn=accounts,dc=example,dc=com
password = GoBroncos
...
use_tls = False
tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
# tls_cacertdir =
tls_req_cert = demand
---------------------
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1274581
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1274581/+subscriptions
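The configuration above combines three settings that decide whether the Keystone-to-LDAP bind is actually verified: the URL scheme (ldaps:// versus ldap://), use_tls (STARTTLS), and tls_req_cert with its CA source, which libldap takes either from Keystone's tls_cacertfile/tls_cacertdir or from the system-wide /etc/ldap/ldap.conf. The stock Debian/Ubuntu ldap.conf sets TLS_CACERT with the remark "needed for GnuTLS" because the GnuTLS-linked libldap on those distributions has no built-in CA bundle, so when Keystone does not apply its own CA setting the only trust anchor is that line. The script below is an added example written for this page, not Keystone's own code, that reads both files and reports the combinations that either fail the bind or silently weaken it. The sample inputs are constructed to mirror the reporter's configuration, and the finding about ldaps:// with use_tls = False records the behaviour the reporter observed on Havana 2013.2.1; it does not claim a verified root cause.

```python
"""Audit the TLS trust settings of a Keystone LDAP identity backend.

Cross-checks the [ldap] section of keystone.conf against the OpenLDAP client
defaults in /etc/ldap/ldap.conf (ldap.conf(5)) and reports combinations that
break the connection or weaken server authentication. Added example, not
Keystone code; file contents are passed in as strings so it runs offline.
"""
import configparser

# Constructed sample inputs modelled on the configs quoted in the bug report.
KEYSTONE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldaps://ldap.example.com:636
user = uid=mfischer,cn=users,cn=accounts,dc=example,dc=com
password = GoBroncos
use_tls = False
tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
tls_req_cert = demand
"""

# Same keystone.conf without a Keystone-side CA file (constructed variant).
KEYSTONE_CONF_NO_CA = KEYSTONE_CONF.replace(
    "tls_cacertfile = /etc/ssl/certs/ca-certificates.crt\n", "")

# ldap.conf as shipped on Debian/Ubuntu, with TLS_CACERT active (constructed).
LDAP_CONF_WITH_CACERT = """
# LDAP Defaults
#BASE dc=example,dc=com
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
"""

# The reporter's failing case: TLS_CACERT commented out (constructed).
LDAP_CONF_NO_CACERT = LDAP_CONF_WITH_CACERT.replace("\nTLS_CACERT", "\n#TLS_CACERT")


def parse_ldap_conf(text):
    """Parse ldap.conf(5): 'KEY value' lines, '#' comments, keys case-insensitive."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts


def parse_keystone_ldap(text):
    """Return the [ldap] section of keystone.conf as a dict (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string(text)
    return dict(cp["ldap"].items()) if cp.has_section("ldap") else {}


def audit_ldap_tls(keystone_conf_text, ldap_conf_text):
    """Return a list of (severity, message) findings, severity in error/warning/info."""
    ks = parse_keystone_ldap(keystone_conf_text)
    sysconf = parse_ldap_conf(ldap_conf_text)
    findings = []

    url = ks.get("url", "ldap://localhost").strip().lower()
    ldaps = url.startswith("ldaps://")
    use_tls = ks.get("use_tls", "false").strip().lower() in ("true", "1", "yes", "on")
    req_cert = ks.get("tls_req_cert", "demand").strip().lower()

    if ldaps and use_tls:
        findings.append(("error", "ldaps:// combined with use_tls = True: STARTTLS cannot be "
                         "issued on a socket that is already TLS; choose one of the two."))
    if not ldaps and not use_tls:
        findings.append(("error", "ldap:// without use_tls: the bind DN and password "
                         "travel in cleartext."))
    if req_cert not in ("demand", "never", "allow"):
        findings.append(("error", "tls_req_cert = %s is not one of demand/never/allow." % req_cert))
    elif req_cert != "demand":
        findings.append(("error", "tls_req_cert = %s accepts an unverified server certificate, "
                         "so the LDAP server can be impersonated; use demand." % req_cert))

    # Trust anchors: Keystone's own settings or the libldap defaults from ldap.conf.
    ks_anchor = ks.get("tls_cacertfile") or ks.get("tls_cacertdir")
    sys_anchor = sysconf.get("TLS_CACERT") or sysconf.get("TLS_CACERTDIR")
    if (ldaps or use_tls) and req_cert == "demand" and not (ks_anchor or sys_anchor):
        findings.append(("error", "tls_req_cert = demand with no CA file or directory in "
                         "keystone.conf or ldap.conf: verification has nothing to trust and "
                         "the bind fails with SERVER_DOWN / Can't contact LDAP server."))
    if ldaps and not use_tls and ks_anchor and not sys_anchor:
        findings.append(("warning", "ldaps:// with use_tls = False relies on Keystone applying "
                         "tls_cacertfile to the ldaps connection; the Havana deployment in this "
                         "report only bound once TLS_CACERT was set in ldap.conf. Keep TLS_CACERT "
                         "there until you have confirmed the Keystone setting is honoured."))
    if ks.get("password"):
        findings.append(("info", "bind password is stored in keystone.conf; make the file "
                         "readable only by the keystone service user."))
    return findings


if __name__ == "__main__":
    for label, ks_text, ldap_text in (
            ("reporter, TLS_CACERT present", KEYSTONE_CONF, LDAP_CONF_WITH_CACERT),
            ("reporter, TLS_CACERT absent", KEYSTONE_CONF, LDAP_CONF_NO_CACERT),
            ("no CA anywhere", KEYSTONE_CONF_NO_CA, LDAP_CONF_NO_CACERT)):
        print("==", label)
        for severity, message in audit_ldap_tls(ks_text, ldap_text):
            print("%-7s %s" % (severity, message))
```

To run it against a real host, read the two files and pass their contents to audit_ldap_tls. Independently of Keystone, a bind that libldap alone can verify is a useful baseline: with tls_req_cert = demand, an ldapsearch -x -H ldaps://ldap.example.com:636 -b '' -s base that succeeds only when TLS_CACERT is present in ldap.conf confirms that the trust anchor is coming from the system file rather than from keystone.conf.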