yahoo-eng-team team mailing list archive

[Bug 1600187] [NEW] Ironic does not authenticate correctly when using Keystone v3 AD/LDAP domain

 

Public bug reported:

I was in discussion about a problem at: https://bugs.launchpad.net/nova/+bug/1580703
because I had similar symptoms. I have posted my initial error logs in that thread.

I found out that the OP's solution worked in a plain (non-Active
Directory/LDAP backend domain) Keystone v3 configuration (with v2
enabled endpoints). In our production environment, which runs Mitaka, I
have configured Active Directory as an LDAP backend domain for Keystone.
All our users, including the service accounts, are created in Active
Directory.

Ironic doesn't handle this well. The rest of the services are working
perfectly. Nova could not authenticate and left me with "Rejected
requests" on the Ironic-Api.

If I create a "local" user in the default domain (e.g. one NOT in Active
Directory) then Ironic can authenticate with Keystone without any
problems.

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: ironic

** Tags added: ironic

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1600187

Title:
  Ironic does not authenticate correctly when using Keystone v3 AD/LDAP
  domain

Status in OpenStack Compute (nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1600187/+subscriptions