yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1281216] [NEW] Keystone Havana Authentication Error using samAccountName in Active Directory

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Brian Seltzer <seltzerb01@xxxxxxxxx>
Date: Mon, 17 Feb 2014 18:02:43 -0000
Reply-to: Bug 1281216 <1281216@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

When using Active Directory as the LDAP backend for Keystone, if I use
the cn attribute for user_id_attribute and user_name_attribute,
authentication works fine.  However, if I try to use samAccountName,
authentication fails.  For example, keystone user-list returns the
following error:

Authorization Failed: An unexpected error prevented the server from
fulfilling your request. 'name' (HTTP 500)

and the login screen in Horizon shows: An error occurred authenticating.
Please try again later.

Also, the following trace is shown in the keystone.log:

2014-02-17 06:48:37.472 8207 ERROR keystone.common.wsgi [-] 'name'
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     result = method(context, **params)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 127, in authenticate
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     auth_token_data, roles_ref=roles_ref, catalog_ref=catalog_ref)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 44, in _wrapper
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     return f(*args, **kw)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/providers/uuid.py", line 362, in issue_v2_token
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     token_ref, roles_ref, catalog_ref)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/providers/uuid.py", line 57, in format_token
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     'name': user_ref['name'],
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi KeyError: 'name'
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi 
2014-02-17 06:48:37.474 8207 INFO access [-] 192.168.1.128 - - [17/Feb/2014:11:48:37 +0000] "POST http://192.168.1.128:35357/v2.0/tokens HTTP/1.0" 500 150

It appears that the user_ref has no 'name' property when I try to use
samAccountName.  This seems to have worked in Grizzly but does not work
in Havana.  Below are the applicable lines from the keystone.conf:

[ldap]
query_scope = sub
url = LDAP://192.168.1.253
user = CN=ldapuser,CN=Users,DC=mydomain,DC=net
password = ldapuserpassword
suffix = DC=mydomain,DC=net
use_dumb_member = True
dumb_member = CN=ldapuser,CN=Users,DC=mydomain,DC=net

user_tree_dn = CN=Users,DC=mydomain,DC=net
user_objectclass = organizationalPerson
user_id_attribute = samAccountName
user_name_attribute = samAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_tree_dn = OU=Projects,OU=OpenStack,DC=mydomain,DC=net
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore = description,businessCategory,extensionName
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = OU=Roles,OU=OpenStack,DC=mydomain,DC=net
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True

Again, if I change the user_id_attribute and the user_name_attribute to
cn then everything works fine.  Please advise.  Thanks!

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: active directory

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1281216

Title:
  Keystone Havana Authentication Error using samAccountName in Active
  Directory

Status in OpenStack Identity (Keystone):
  New

Bug description:
  When using Active Directory as the LDAP backend for Keystone, if I use
  the cn attribute for user_id_attribute and user_name_attribute,
  authentication works fine.  However, if I try to use samAccountName,
  authentication fails.  For example, keystone user-list returns the
  following error:

  Authorization Failed: An unexpected error prevented the server from
  fulfilling your request. 'name' (HTTP 500)

  and the login screen in Horizon shows: An error occurred
  authenticating. Please try again later.

  Also, the following trace is shown in the keystone.log:

  2014-02-17 06:48:37.472 8207 ERROR keystone.common.wsgi [-] 'name'
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi Traceback (most recent call last):
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     result = method(context, **params)
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 127, in authenticate
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     auth_token_data, roles_ref=roles_ref, catalog_ref=catalog_ref)
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 44, in _wrapper
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     return f(*args, **kw)
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/providers/uuid.py", line 362, in issue_v2_token
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     token_ref, roles_ref, catalog_ref)
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/providers/uuid.py", line 57, in format_token
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     'name': user_ref['name'],
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi KeyError: 'name'
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi 
  2014-02-17 06:48:37.474 8207 INFO access [-] 192.168.1.128 - - [17/Feb/2014:11:48:37 +0000] "POST http://192.168.1.128:35357/v2.0/tokens HTTP/1.0" 500 150

  It appears that the user_ref has no 'name' property when I try to use
  samAccountName.  This seems to have worked in Grizzly but does not
  work in Havana.  Below are the applicable lines from the
  keystone.conf:

  [ldap]
  query_scope = sub
  url = LDAP://192.168.1.253
  user = CN=ldapuser,CN=Users,DC=mydomain,DC=net
  password = ldapuserpassword
  suffix = DC=mydomain,DC=net
  use_dumb_member = True
  dumb_member = CN=ldapuser,CN=Users,DC=mydomain,DC=net

  user_tree_dn = CN=Users,DC=mydomain,DC=net
  user_objectclass = organizationalPerson
  user_id_attribute = samAccountName
  user_name_attribute = samAccountName
  user_mail_attribute = mail
  user_enabled_attribute = userAccountControl
  user_enabled_mask = 2
  user_enabled_default = 512
  user_attribute_ignore = password,tenant_id,tenants
  user_allow_create = False
  user_allow_update = False
  user_allow_delete = False

  tenant_tree_dn = OU=Projects,OU=OpenStack,DC=mydomain,DC=net
  tenant_objectclass = organizationalUnit
  tenant_id_attribute = ou
  tenant_member_attribute = member
  tenant_name_attribute = ou
  tenant_desc_attribute = description
  tenant_enabled_attribute = extensionName
  tenant_attribute_ignore = description,businessCategory,extensionName
  tenant_allow_create = True
  tenant_allow_update = True
  tenant_allow_delete = True

  role_tree_dn = OU=Roles,OU=OpenStack,DC=mydomain,DC=net
  role_objectclass = organizationalRole
  role_id_attribute = cn
  role_name_attribute = cn
  role_member_attribute = roleOccupant
  role_allow_create = True
  role_allow_update = True
  role_allow_delete = True

  Again, if I change the user_id_attribute and the user_name_attribute
  to cn then everything works fine.  Please advise.  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1281216/+subscriptions

Follow ups

[Bug 1281216] Re: Keystone Havana Authentication Error using samAccountName in Active Directory
From: Thierry Carrez, 2014-06-11
[Bug 1281216] Re: Keystone Havana Authentication Error using samAccountName in Active Directory
From: Alan Pevec, 2014-06-05
[Bug 1281216] Re: Keystone Havana Authentication Error using samAccountName in Active Directory
From: Alan Pevec, 2014-04-27
[Bug 1281216] [NEW] Keystone Havana Authentication Error using samAccountName in Active Directory
From: Brian Seltzer, 2014-02-17

References

[Bug 1281216] [NEW] Keystone Havana Authentication Error using samAccountName in Active Directory
From: Brian Seltzer, 2014-02-17