[openstack-dev] [Keystone V3] not able to cloud_admin user within the admin_domain domain

foss geek thefossgeek at gmail.com
Thu Jul 17 05:33:20 UTC 2014


Dear All,

I have a 3-node OpenStack (controller + compute + storage node) deployment. I
have integrated Keystone with OpenLDAP.

I have configured Keystone to do authentication through LDAP and assignment
from SQL.

Here is the configuration entry in keystone.conf:

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment


Here is LDAP Schema:

# cat tcl.ldif
dn: dc=TCL
dc: TCL
objectclass: top
objectclass: domain

dn: ou=TCL,dc=TCL
objectClass: organizationalUnit
objectClass: top
ou: TCL

I have manually created the OpenStack service user and admin user so that the
LDAP driver can place the necessary details in the LDAP database. I am able to
log in to OpenStack as the admin user, and all functionality is working fine
post LDAP integration.

Here is my LDAP schema with the admin and service users.

# ldapsearch -x -h <localhost> -W -D"dc=Manager,dc=TCL" -b dc=TCL }}

Enter LDAP Password:


# extended LDIF
#
# LDAPv3
# base <dc=TCL> with scope subtree
# filter: (objectclass=*)
# requesting: }}
#

# TCL
dn: dc=TCL

# TCL, TCL
dn: ou=TCL,dc=TCL

# a8f8ed812aba458ba42d0fbfc0145bd4, TCL, TCL
dn: cn=a8f8ed812aba458ba42d0fbfc0145bd4,ou=TCL,dc=TCL

# c8d9eef1a2044f08b6ae5eb509ff3c83, TCL, TCL
dn: cn=c8d9eef1a2044f08b6ae5eb509ff3c83,ou=TCL,dc=TCL

# 8c4a189b78204b2c87a9e70997afa4fe, TCL, TCL
dn: cn=8c4a189b78204b2c87a9e70997afa4fe,ou=TCL,dc=TCL

# 5c90951603a444db826eb48672843183, TCL, TCL
dn: cn=5c90951603a444db826eb48672843183,ou=TCL,dc=TCL

# 1c60c85acf3942cebbdec91fea1d9b75, TCL, TCL
dn: cn=1c60c85acf3942cebbdec91fea1d9b75,ou=TCL,dc=TCL

# bbc4d9fa57724d31ba016f572951a474, TCL, TCL
dn: cn=bbc4d9fa57724d31ba016f572951a474,ou=TCL,dc=TCL

# 78839ea49f82468b831efb6c08167360, TCL, TCL
dn: cn=78839ea49f82468b831efb6c08167360,ou=TCL,dc=TCL

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9

Now I am trying to enable the Keystone V3.0 API. I am following this URL:
http://www.florentflament.com/blog/setting-keystone-v3-domains.html

ADMIN_TOKEN=$(\
curl http://192.169.0.2:5000/v3/auth/tokens \
    -s \
    -i \
    -H "Content-Type: application/json" \
    -d '
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "admin",
                    "password": "I0DzaQ3LkSUpS1eW89"
                }
            }
        },
        "scope": {
            "project": {
                "domain": {
                    "name": "Default"
                },
                "name": "admin"
            }
        }
    }
}' | grep ^X-Subject-Token: | awk '{print $2}' )



# echo $ADMIN_TOKEN

be1a1c02623740aeb72fa8c2dfdb8bbb



ID_ADMIN_DOMAIN=$(\
curl http://192.169.0.2:5000/v3/domains \
    -s \
    -H "X-Auth-Token: $ADMIN_TOKEN" \
    -H "Content-Type: application/json" \
    -d '
{
    "domain": {
    "enabled": true,
    "name": "admin_domain"
    }
}' | jq .domain.id | tr -d '"' )


# echo $ID_ADMIN_DOMAIN
null

I am getting the below error message:

{"error": {"message": "Conflict occurred attempting to store domain.
(IntegrityError) (1062, \"Duplicate entry 'admin_domain' for key 'name'\")
'INSERT INTO domain (id, name, enabled, extra) VALUES (%s, %s, %s, %s)'
('ea3e791ffa524ca29e43099682ceee8f', 'admin_domain', 1, '{}')", "code":
409, "title": "Conflict"}}


It says that admin_domain already exists. It seems that by default it comes
with an admin_domain and a Default domain. Here is my domain list:


# curl -X GET -H "X-Auth-token:$ADMIN_TOKEN" http://192.169.0.2:5000/v3/domains | jq '.domains'

[
  {
    "name": "admin_domain",
    "links": {
      "self": "http://192.169.0.2:5000/v3/domains/1fdf6cd4da99480797d3e2a08d6a8591"
    },
    "id": "1fdf6cd4da99480797d3e2a08d6a8591",
    "enabled": true
  },
  {
    "id": "default",
    "name": "Default",
    "description": "Owns users and tenants (i.e. projects) available on Identity API v2.",
    "enabled": true,
    "links": {
      "self": "http://192.169.0.2:5000/v3/domains/default"
    }
  }
]


I have manually added the ID_CLOUD_ADMIN variable.

# ID_CLOUD_ADMIN=1fdf6cd4da99480797d3e2a08d6a8591

# echo $ID_CLOUD_ADMIN

1fdf6cd4da99480797d3e2a08d6a8591

The problem is that when I try to create the cloud_admin user, it fails with
"Could not find domain".

ID_CLOUD_ADMIN=$(\
curl http://192.169.0.2:5000/v3/users \
    -s \
    -H "X-Auth-Token: $ADMIN_TOKEN" \
    -H "Content-Type: application/json" \
    -d "
{
    \"user\": {
        \"description\": \"Cloud administrator\",
        \"domain_id\": \"$ID_ADMIN_DOMAIN\",
        \"enabled\": true,
        \"name\": \"cloud_admin\",
        \"password\": \"password\"
    }
}" | jq .user.id | tr -d '"' )


# echo $ID_CLOUD_ADMIN
null

{"error": {"message": "Could not find domain, null.", "code": 404, "title":
"Not Found"}}

Has anybody faced a similar issue?

Do I need to delete existing admin_domain and create it again?

I need someone's help to understand it better.

Thanks for your time.
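The failure mode in the post is a bootstrap script that is not idempotent: the POST to /v3/domains returns 409 Conflict because admin_domain already exists, `jq .domain.id` then yields `null`, and that `null` is passed straight through as the user's `domain_id`, producing "Could not find domain, null." The following is an added example (not code from the original post, nor from the linked blog) showing a get-or-create version of the same two Keystone v3 calls in Python: on 409 it falls back to `GET /v3/domains?name=...` and reuses the existing id, and it refuses to create a user with an empty domain id. The HTTP layer is injectable, so the block runs offline against canned responses modelled on the ones in the post; the endpoint, token, user names and the "change-me" password are placeholders.

```python
"""Get-or-create 'admin_domain' and create 'cloud_admin' in it (Keystone v3).

Added example, not part of the original post. Transport is injectable so the
logic can be exercised offline; http_transport() talks to a real server.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import quote


class KeystoneError(Exception):
    def __init__(self, status, body):
        super().__init__("HTTP %s: %s" % (status, body))
        self.status, self.body = status, body


def http_transport(base_url, token):
    """Transport for a real Keystone endpoint (base_url/token are placeholders)."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        req.add_header("X-Auth-Token", token)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:  # surface 4xx/5xx bodies to caller
            return err.code, json.loads(err.read() or b"null")
    return send


def find_domain_id(send, name):
    """Look a domain up by name (v3 list-domains supports a name filter)."""
    status, payload = send("GET", "/v3/domains?name=" + quote(name))
    if status != 200:
        raise KeystoneError(status, payload)
    for dom in payload.get("domains", []):
        if dom.get("name") == name:
            return dom["id"]
    return None


def ensure_domain(send, name):
    """Create the domain; on 409 Conflict reuse the existing one's id."""
    status, payload = send("POST", "/v3/domains",
                           {"domain": {"name": name, "enabled": True}})
    if status in (200, 201):
        return payload["domain"]["id"]
    if status == 409:
        existing = find_domain_id(send, name)
        if existing:
            return existing
    raise KeystoneError(status, payload)


def create_user(send, domain_id, name, password, description=""):
    """Create a user; fail fast instead of sending null/empty as domain_id."""
    if not domain_id:
        raise ValueError("domain_id is empty; domain lookup failed upstream")
    body = {"user": {"name": name, "domain_id": domain_id, "enabled": True,
                     "password": password, "description": description}}
    status, payload = send("POST", "/v3/users", body)
    if status not in (200, 201):
        raise KeystoneError(status, payload)
    return payload["user"]["id"]


def fake_transport():
    """Constructed canned responses mirroring the post: domain exists already."""
    domain_id = "1fdf6cd4da99480797d3e2a08d6a8591"  # id from the post's domain list
    users = {}

    def send(method, path, body=None):
        if method == "POST" and path == "/v3/domains":
            return 409, {"error": {"code": 409, "title": "Conflict",
                                   "message": "Conflict occurred attempting to store domain."}}
        if method == "GET" and path.startswith("/v3/domains"):
            return 200, {"domains": [{"id": domain_id, "name": "admin_domain", "enabled": True},
                                     {"id": "default", "name": "Default", "enabled": True}]}
        if method == "POST" and path == "/v3/users":
            user = body["user"]
            if user["domain_id"] not in (domain_id, "default"):
                return 404, {"error": {"code": 404, "title": "Not Found",
                                       "message": "Could not find domain, %s." % user["domain_id"]}}
            uid = "user%02d" % (len(users) + 1)  # constructed id
            users[uid] = user
            return 201, {"user": dict(user, id=uid)}
        return 404, {"error": {"code": 404, "title": "Not Found"}}
    return send


def bootstrap(send, password="change-me"):
    """The two steps from the post, now safe to re-run."""
    domain_id = ensure_domain(send, "admin_domain")
    user_id = create_user(send, domain_id, "cloud_admin", password, "Cloud administrator")
    return domain_id, user_id


if __name__ == "__main__":
    print(bootstrap(fake_transport()))
```

Against a live deployment, swap `fake_transport()` for `http_transport("http://192.169.0.2:5000", ADMIN_TOKEN)`. The point of the `create_user` guard is that an empty id from an earlier step should stop the script immediately, rather than reach the server as the literal string "null" and come back as a misleading 404.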