yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #13939
[Bug 1281216] Re: Keystone Havana Authentication Error using samAccountName in Active Directory
** Also affects: keystone/icehouse
Importance: Undecided
Status: New
** Changed in: keystone/icehouse
Status: New => In Progress
** Changed in: keystone/icehouse
Importance: Undecided => Low
** Changed in: keystone/icehouse
Assignee: (unassigned) => Nathan Kinder (nkinder)
** Tags removed: icehouse-backport-potential
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1281216
Title:
Keystone Havana Authentication Error using samAccountName in Active
Directory
Status in OpenStack Identity (Keystone):
Fix Committed
Status in Keystone icehouse series:
In Progress
Bug description:
When using Active Directory as the LDAP backend for Keystone, if I use
the cn attribute for user_id_attribute and user_name_attribute,
authentication works fine. However, if I try to use samAccountName,
authentication fails. For example, keystone user-list returns the
following error:
Authorization Failed: An unexpected error prevented the server from
fulfilling your request. 'name' (HTTP 500)
and the login screen in Horizon shows: An error occurred
authenticating. Please try again later.
Also, the following trace is shown in the keystone.log:
2014-02-17 06:48:37.472 8207 ERROR keystone.common.wsgi [-] 'name'
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi result = method(context, **params)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 127, in authenticate
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi auth_token_data, roles_ref=roles_ref, catalog_ref=catalog_ref)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 44, in _wrapper
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi return f(*args, **kw)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/providers/uuid.py", line 362, in issue_v2_token
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi token_ref, roles_ref, catalog_ref)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/providers/uuid.py", line 57, in format_token
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi 'name': user_ref['name'],
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi KeyError: 'name'
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi
2014-02-17 06:48:37.474 8207 INFO access [-] 192.168.1.128 - - [17/Feb/2014:11:48:37 +0000] "POST http://192.168.1.128:35357/v2.0/tokens HTTP/1.0" 500 150
It appears that the user_ref has no 'name' property when I try to use
samAccountName. This seems to have worked in Grizzly but does not
work in Havana. Below are the applicable lines from the
keystone.conf:
[ldap]
query_scope = sub
url = LDAP://192.168.1.253
user = CN=ldapuser,CN=Users,DC=mydomain,DC=net
password = ldapuserpassword
suffix = DC=mydomain,DC=net
use_dumb_member = True
dumb_member = CN=ldapuser,CN=Users,DC=mydomain,DC=net
user_tree_dn = CN=Users,DC=mydomain,DC=net
user_objectclass = organizationalPerson
user_id_attribute = samAccountName
user_name_attribute = samAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_tree_dn = OU=Projects,OU=OpenStack,DC=mydomain,DC=net
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore = description,businessCategory,extensionName
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
role_tree_dn = OU=Roles,OU=OpenStack,DC=mydomain,DC=net
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True
Again, if I change the user_id_attribute and the user_name_attribute
to cn then everything works fine. Please advise. Thanks!
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1281216/+subscriptions
References