← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1643301] Re: bootstrapping keystone failed when LDAP backend is in use

 

This was discussed with Colleen and Kristi in IRC [0]. The following was
proposed

 - write a patch so that devstack always configures sql as the identity backend
 - when ldap is set as KEYSTONE_IDENTITY_BACKEND, ensure it's done in a domain-specific way
 - write a patch so keystone fails gracefully with an informative warning saying `bootstrap` is only intended for sql-based deployments

Thoughts on the approach?


[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-08-11.log.html#t2017-08-11T20:45:37

** Also affects: devstack
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1643301

Title:
  bootstrapping keystone failed when LDAP backend is in use

Status in devstack:
  In Progress
Status in OpenStack Identity (keystone):
  Triaged

Bug description:
  "keystone-manage bootstrap" command is coded for SQL backend, it's
  should be okay if admin token is always supported by keystone, but we
  have a plan to remove the support of admin token since it's expose a
  security risk. And the patch to remove the support of write operation
  for LDAP backend is on the fly.

  Based on the above consideration, we should enable the bootrapping
  keystone when using LDAP backend, but it currently not work sometimes,
  for example.

  
  # keystone-manage bootstrap --bootstrap-username Dave --bootstrap-password abc123 --bootstrap-project-name admin --bootstrap-role-name admin
  	
  	
  	2016-10-27 16:26:29.845 11359 TRACE keystone     return self.result(msgid,all=1,timeout=self.timeout)
  	2016-10-27 16:26:29.845 11359 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 497, in result
  	2016-10-27 16:26:29.845 11359 TRACE keystone     resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  	2016-10-27 16:26:29.845 11359 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 501, in result2
  	2016-10-27 16:26:29.845 11359 TRACE keystone     resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  	2016-10-27 16:26:29.845 11359 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 508, in result3
  	2016-10-27 16:26:29.845 11359 TRACE keystone     resp_ctrl_classes=resp_ctrl_classes
  	2016-10-27 16:26:29.845 11359 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 515, in result4
  	2016-10-27 16:26:29.845 11359 TRACE keystone     ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  	2016-10-27 16:26:29.845 11359 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
  	2016-10-27 16:26:29.845 11359 TRACE keystone     result = func(*args,**kwargs)
  	2016-10-27 16:26:29.845 11359 TRACE keystone UNDEFINED_TYPE: {'info': 'enabled: attribute type undefined', 'desc': 'Undefined attribute type'}

To manage notifications about this bug go to:
https://bugs.launchpad.net/devstack/+bug/1643301/+subscriptions


References