yahoo-eng-team team mailing list archive

[Bug 1274715] [NEW] dearth of debug logs when LDAP user_name_attribute is incorrect

 

Public bug reported:

When I was first setting up a connection to LDAP via keystone I fought
through some configuration issues. One of the first issues is that I had
user_name_attribute incorrect so that it could not validate my specified
user on a request like "keystone user-list". Unfortunately when the
failure scenario here happens, you get no useful logging, even with
Debug and Verbose enabled. The only message available is:

2014-01-30 21:41:45.461 9499 WARNING keystone.common.wsgi [-]
Authorization failed. Could not find user, foo. from 10.33.0.17

and from the CLI:

root@test-03:~# keystone user-list
Could not find user, foo. (HTTP 401)

It's not even obvious from this that LDAP was used at all, much less
what the issue might be. I ended up adding my own logging, and once I
dumped the query that get_by_name ends up calling, the issue was obvious:

(&(cn=foo)(objectClass=inetUser))

Since in my case cn was incorrect.

I've been digging some to see if I can add logging here without logging
every query call without too much success, although I've not had a ton
of time. If someone has a suggestion I'd be happy to work on it.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1274715

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1274715/+subscriptions
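
One way to get the diagnostic the report asks for without logging every query, shown as an added example that is not Keystone's code or part of the original report: emit the search filter and base DN at debug level only when a by-name lookup returns no entries. The in-memory directory, the search() stand-in, the base DN and this get_by_name() are all assumptions made so the example runs offline.

```python
import logging
import re

LOG = logging.getLogger("ldap_lookup_example")

# Constructed sample directory: the login name lives in "uid", not "cn".
DIRECTORY = [
    {"dn": "uid=foo,ou=Users,dc=example,dc=org", "uid": ["foo"],
     "cn": ["Foo Bar"], "objectClass": ["inetUser", "person"]},
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a name cannot alter the filter."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def _unescape(value):
    return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(query):
    """Hypothetical stand-in for an LDAP search: an AND of equality tests."""
    terms = re.findall(r"\(([^=()&]+)=([^()]*)\)", query)
    return [entry for entry in DIRECTORY
            if all(_unescape(val) in entry.get(attr, []) for attr, val in terms)]

def get_by_name(name, name_attr, object_class="inetUser",
                tree_dn="ou=Users,dc=example,dc=org"):
    """Look a user up by name; log the filter only when nothing matched."""
    query = "(&(%s=%s)(objectClass=%s))" % (
        name_attr, escape_filter_value(name), object_class)
    results = search(query)
    if not results:
        # The miss is the only case logged, so normal traffic stays quiet.
        # The filter shows which attribute was searched (here, the wrong one).
        LOG.debug("LDAP search under %r with filter %s returned no entries; "
                  "check user_name_attribute (currently %r)",
                  tree_dn, query, name_attr)
        return None
    return results[0]

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    get_by_name("foo", "cn")    # misconfigured attribute: one debug line
    get_by_name("foo", "uid")   # correct attribute: no log output
```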

