← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1281216] Re: Keystone Havana Authentication Error using samAccountName in Active Directory

 

** Also affects: keystone/icehouse
   Importance: Undecided
       Status: New

** Changed in: keystone/icehouse
       Status: New => In Progress

** Changed in: keystone/icehouse
   Importance: Undecided => Low

** Changed in: keystone/icehouse
     Assignee: (unassigned) => Nathan Kinder (nkinder)

** Tags removed: icehouse-backport-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1281216

Title:
  Keystone Havana Authentication Error using samAccountName in Active
  Directory

Status in OpenStack Identity (Keystone):
  Fix Committed
Status in Keystone icehouse series:
  In Progress

Bug description:
  When using Active Directory as the LDAP backend for Keystone, if I use
  the cn attribute for user_id_attribute and user_name_attribute,
  authentication works fine.  However, if I try to use samAccountName,
  authentication fails.  For example, keystone user-list returns the
  following error:

  Authorization Failed: An unexpected error prevented the server from
  fulfilling your request. 'name' (HTTP 500)

  and the login screen in Horizon shows: An error occurred
  authenticating. Please try again later.

  Also, the following trace is shown in the keystone.log:

  2014-02-17 06:48:37.472 8207 ERROR keystone.common.wsgi [-] 'name'
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi Traceback (most recent call last):
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     result = method(context, **params)
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 127, in authenticate
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     auth_token_data, roles_ref=roles_ref, catalog_ref=catalog_ref)
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 44, in _wrapper
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     return f(*args, **kw)
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/providers/uuid.py", line 362, in issue_v2_token
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     token_ref, roles_ref, catalog_ref)
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/providers/uuid.py", line 57, in format_token
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi     'name': user_ref['name'],
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi KeyError: 'name'
  2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi 
  2014-02-17 06:48:37.474 8207 INFO access [-] 192.168.1.128 - - [17/Feb/2014:11:48:37 +0000] "POST http://192.168.1.128:35357/v2.0/tokens HTTP/1.0" 500 150

  It appears that the user_ref has no 'name' property when I try to use
  samAccountName.  This seems to have worked in Grizzly but does not
  work in Havana.  Below are the applicable lines from the
  keystone.conf:

  [ldap]
  query_scope = sub
  url = LDAP://192.168.1.253
  user = CN=ldapuser,CN=Users,DC=mydomain,DC=net
  password = ldapuserpassword
  suffix = DC=mydomain,DC=net
  use_dumb_member = True
  dumb_member = CN=ldapuser,CN=Users,DC=mydomain,DC=net

  user_tree_dn = CN=Users,DC=mydomain,DC=net
  user_objectclass = organizationalPerson
  user_id_attribute = samAccountName
  user_name_attribute = samAccountName
  user_mail_attribute = mail
  user_enabled_attribute = userAccountControl
  user_enabled_mask = 2
  user_enabled_default = 512
  user_attribute_ignore = password,tenant_id,tenants
  user_allow_create = False
  user_allow_update = False
  user_allow_delete = False

  tenant_tree_dn = OU=Projects,OU=OpenStack,DC=mydomain,DC=net
  tenant_objectclass = organizationalUnit
  tenant_id_attribute = ou
  tenant_member_attribute = member
  tenant_name_attribute = ou
  tenant_desc_attribute = description
  tenant_enabled_attribute = extensionName
  tenant_attribute_ignore = description,businessCategory,extensionName
  tenant_allow_create = True
  tenant_allow_update = True
  tenant_allow_delete = True

  role_tree_dn = OU=Roles,OU=OpenStack,DC=mydomain,DC=net
  role_objectclass = organizationalRole
  role_id_attribute = cn
  role_name_attribute = cn
  role_member_attribute = roleOccupant
  role_allow_create = True
  role_allow_update = True
  role_allow_delete = True

  Again, if I change the user_id_attribute and the user_name_attribute
  to cn then everything works fine.  Please advise.  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1281216/+subscriptions


References