<div dir="ltr">Dear All,<div><br></div><div>I have a 3-node OpenStack (controller + compute + storage node) deployment. I have integrated Keystone with OpenLDAP.</div><div><br></div><div>I have configured Keystone to do authentication through LDAP and assignment from SQL.</div>
<div><br></div><div>Here is the configuration entry in keystone.conf:</div><div><br></div><div><div>[identity]</div><div><br></div><div>driver = keystone.identity.backends.ldap.Identity</div><div><br></div><div>[assignment]</div>
<div><br></div><div>driver = keystone.assignment.backends.sql.Assignment</div></div><div><br></div><div><br></div><div>Here is the LDAP schema:</div><div><br></div><div><div># cat tcl.ldif</div><div>dn: dc=TCL</div><div>dc: TCL</div>
<div>objectclass: top</div><div>objectclass: domain</div><div><br></div><div>dn: ou=TCL,dc=TCL</div><div>objectClass: organizationalUnit</div><div>objectClass: top</div><div>ou: TCL</div></div><div><br></div><div>I have manually created the OpenStack service user and admin user so that the LDAP driver can place the necessary details in the LDAP database. I am able to log in to OpenStack as the admin user and all functionality is working fine post LDAP integration.</div>
<div><br></div><div>Here is my LDAP schema with the admin and service users.</div><div><br></div><div><div># ldapsearch -x -h <localhost> -W -D"dc=Manager,dc=TCL" -b dc=TCL }} </div>
<div>Enter LDAP Password:</div><div><br></div><div><br></div><div># extended LDIF</div><div>#</div><div># LDAPv3</div><div># base <dc=TCL> with scope subtree</div><div># filter: (objectclass=*)</div><div># requesting: }}</div>
<div>#</div><div><br></div><div># TCL</div><div>dn: dc=TCL</div><div><br></div><div># TCL, TCL</div><div>dn: ou=TCL,dc=TCL</div><div><br></div><div># a8f8ed812aba458ba42d0fbfc0145bd4, TCL, TCL</div><div>dn: cn=a8f8ed812aba458ba42d0fbfc0145bd4,ou=TCL,dc=TCL</div>
<div><br></div><div># c8d9eef1a2044f08b6ae5eb509ff3c83, TCL, TCL</div><div>dn: cn=c8d9eef1a2044f08b6ae5eb509ff3c83,ou=TCL,dc=TCL</div><div><br></div><div># 8c4a189b78204b2c87a9e70997afa4fe, TCL, TCL</div><div>dn: cn=8c4a189b78204b2c87a9e70997afa4fe,ou=TCL,dc=TCL</div>
<div><br></div><div># 5c90951603a444db826eb48672843183, TCL, TCL</div><div>dn: cn=5c90951603a444db826eb48672843183,ou=TCL,dc=TCL</div><div><br></div><div># 1c60c85acf3942cebbdec91fea1d9b75, TCL, TCL</div><div>dn: cn=1c60c85acf3942cebbdec91fea1d9b75,ou=TCL,dc=TCL</div>
<div><br></div><div># bbc4d9fa57724d31ba016f572951a474, TCL, TCL</div><div>dn: cn=bbc4d9fa57724d31ba016f572951a474,ou=TCL,dc=TCL</div><div><br></div><div># 78839ea49f82468b831efb6c08167360, TCL, TCL</div><div>dn: cn=78839ea49f82468b831efb6c08167360,ou=TCL,dc=TCL</div>
<div><br></div><div># search result</div><div>search: 2</div><div>result: 0 Success</div><div><br></div><div># numResponses: 10</div><div># numEntries: 9</div></div><div><br></div><div>Now I am trying to enable the Keystone v3.0 API. I am following this URL: <a href="http://www.florentflament.com/blog/setting-keystone-v3-domains.html">http://www.florentflament.com/blog/setting-keystone-v3-domains.html</a></div>
<div><br></div><div><div>ADMIN_TOKEN=$(\</div><div>curl <a href="http://192.169.0.2:5000/v3/auth/tokens">http://192.169.0.2:5000/v3/auth/tokens</a> \</div><div> -s \</div><div> -i \</div><div> -H "Content-Type: application/json" \</div>
<div> -d '</div><div>{</div><div> "auth": {</div><div> "identity": {</div><div> "methods": [</div><div> "password"</div><div> ],</div>
<div> "password": {</div><div> "user": {</div><div> "domain": {</div><div> "name": "Default"</div><div>
},</div><div> "name": "admin",</div><div> "password": "I0DzaQ3LkSUpS1eW89"</div><div> }</div><div> }</div>
<div> },</div><div> "scope": {</div><div> "project": {</div><div> "domain": {</div><div> "name": "Default"</div>
<div> },</div><div> "name": "admin"</div><div> }</div><div> }</div><div> }</div><div>}' | grep ^X-Subject-Token: | awk '{print $2}' )</div>
<div><br></div><div><br></div><div><br></div><div># echo $ADMIN_TOKEN</div><div><br></div><div>be1a1c02623740aeb72fa8c2dfdb8bbb</div><div><br></div><div><br></div><div><br></div><div>ID_ADMIN_DOMAIN=$(\</div><div>curl <a href="http://192.169.0.2:5000/v3/domains">http://192.169.0.2:5000/v3/domains</a> \</div>
<div> -s \</div><div> -H "X-Auth-Token: $ADMIN_TOKEN" \</div><div> -H "Content-Type: application/json" \</div><div> -d '</div><div>{</div><div> "domain": {</div><div> "enabled": true,</div>
<div> "name": "admin_domain"</div><div> }</div><div>}' | jq .domain.id | tr -d '"' )</div><div><br></div><div><br></div><div># echo $ID_ADMIN_DOMAIN</div>
<div>null</div><div><br></div><div>I am getting the error message below:</div><div><br></div><div>{"error": {"message": "Conflict occurred attempting to store domain. (IntegrityError) (1062, \"Duplicate entry 'admin_domain' for key 'name'\") 'INSERT INTO domain (id, name, enabled, extra) VALUES (%s, %s, %s, %s)' ('ea3e791ffa524ca29e43099682ceee8f', 'admin_domain', 1, '{}')", "code": 409, "title": "Conflict"}}</div>
<div><br></div><div><br></div><div>It says that admin_domain already exists. It seems that by default it comes with admin_domain and the Default domain. Here is my domain list.</div><div><br></div><div><br></div><div># curl -X GET -H "X-Auth-token:$ADMIN_TOKEN" <a href="http://192.169.0.2:5000/v3/domains">http://192.169.0.2:5000/v3/domains</a> | jq '.domains'</div>
<div> </div><div>[</div><div> {</div><div> "name": "admin_domain",</div><div> "links": {</div><div> "self": "<a href="http://192.169.0.2:5000/v3/domains/1fdf6cd4da99480797d3e2a08d6a8591">http://192.169.0.2:5000/v3/domains/1fdf6cd4da99480797d3e2a08d6a8591</a>"</div>
<div> },</div><div> "id": "1fdf6cd4da99480797d3e2a08d6a8591",</div><div> "enabled": true</div><div> },</div><div> {</div><div> "id": "default",</div><div> "name": "Default",</div>
<div> "description": "Owns users and tenants (i.e. projects) available on Identity API v2.",</div><div> "enabled": true,</div><div> "links": {</div><div> "self": "<a href="http://192.169.0.2:5000/v3/domains/default">http://192.169.0.2:5000/v3/domains/default</a>"</div>
<div> }</div><div> }</div><div>]</div><div><br></div><div><br></div><div>I have manually added the ID_CLOUD_ADMIN variable.</div><div><br></div><div># ID_CLOUD_ADMIN=1fdf6cd4da99480797d3e2a08d6a8591</div><div><br></div><div>
# echo $ID_CLOUD_ADMIN</div><div><br></div><div>1fdf6cd4da99480797d3e2a08d6a8591</div><div><br></div><div>The problem is that when I try to create the cloud_admin user it fails with "Could not find domain".</div><div><br></div><div>
ID_CLOUD_ADMIN=$(\</div><div>curl <a href="http://192.169.0.2:5000/v3/users">http://192.169.0.2:5000/v3/users</a> \</div><div> -s \</div><div> -H "X-Auth-Token: $ADMIN_TOKEN" \</div><div> -H "Content-Type: application/json" \</div>
<div> -d "</div><div>{</div><div> \"user\": {</div><div> \"description\": \"Cloud administrator\",</div><div> \"domain_id\": \"$ID_ADMIN_DOMAIN\",</div>
<div> \"enabled\": true,</div><div> \"name\": \"cloud_admin\",</div><div> \"password\": \"password\"</div><div> }</div><div>}" | jq .user.id | tr -d '"' )</div>
<div><br></div><div><br></div><div># echo $ID_CLOUD_ADMIN</div><div>null</div><div><br></div><div>{"error": {"message": "Could not find domain, null.", "code": 404, "title": "Not Found"}}<br>
</div><div><br></div><div>Has anybody faced a similar issue?<br></div><div><br></div><div>Do I need to delete the existing admin_domain and create it again?<br></div></div><div><br></div><div>I need someone's help to understand it better.</div>
<div><br></div><div>Thanks for your time.</div></div>
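<div>Added example, not part of the original post and not Keystone's own client code: a Python script that performs the three v3 steps the post runs with curl and jq (password-scoped token, the admin_domain domain, the cloud_admin user) so that they can be re-run safely. The domain is looked up by name before it is created, a 409 Conflict on create is answered by re-reading the domain instead of failing, and the user request refuses to go out when the domain id is empty or the literal <code>null</code> that jq prints for a missing key. The endpoint is the one from the post; the function names, the <code>FakeKeystone</code> transport and the two domains it is seeded with are my own (the seed data is constructed from the post's domain listing). Swap <code>http_json</code> in for the fake to talk to a live Keystone.</div>

```python
import json
import urllib.error
import urllib.parse
import urllib.request

KEYSTONE = "http://192.169.0.2:5000/v3"  # endpoint from the post; assumed to serve the v3 API

def http_json(method, url, token=None, body=None):
    """Real transport: one request -> (status, parsed JSON body, lower-cased headers)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Auth-Token", token)
    try:
        with urllib.request.urlopen(req) as resp:
            status, raw, hdrs = resp.status, resp.read(), resp.headers
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry Keystone's JSON error body
        status, raw, hdrs = err.code, err.read(), err.headers
    return status, (json.loads(raw) if raw else {}), {k.lower(): v for k, v in hdrs.items()}

def get_token(user, password, transport=http_json):
    """Password auth in the Default domain scoped to project admin; the token is the X-Subject-Token header."""
    who = {"domain": {"name": "Default"}}
    body = {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": dict(who, name=user, password=password)}},
                     "scope": {"project": dict(who, name="admin")}}}
    status, resp, headers = transport("POST", f"{KEYSTONE}/auth/tokens", None, body)
    if status != 201:
        raise RuntimeError(f"auth failed: HTTP {status} {resp}")
    return headers["x-subject-token"]

def find_domain(token, name, transport=http_json):
    """Id of the domain called `name`, or None. GET /v3/domains?name= filters server-side."""
    status, resp, _ = transport("GET", f"{KEYSTONE}/domains?name={urllib.parse.quote(name)}", token)
    if status != 200:
        raise RuntimeError(f"domain list failed: HTTP {status} {resp}")
    for dom in resp.get("domains", []):
        if dom.get("name") == name:  # re-check the name rather than trusting the filter alone
            return dom["id"]

def get_or_create_domain(token, name, transport=http_json):
    """Look up first, create only if absent; a 409 means someone else created it, so re-read."""
    existing = find_domain(token, name, transport)
    if existing:
        return existing
    status, resp, _ = transport("POST", f"{KEYSTONE}/domains", token,
                                {"domain": {"name": name, "enabled": True}})
    if status == 201:
        return resp["domain"]["id"]
    if status == 409:
        existing = find_domain(token, name, transport)
    if existing:
        return existing
    raise RuntimeError(f"domain create failed: HTTP {status} {resp}")

def create_user(token, domain_id, name, password, transport=http_json):
    """Create a user; refuse an empty domain_id or the literal 'null' that jq prints for a missing key."""
    if not domain_id or domain_id == "null":
        raise ValueError("domain_id is empty or null; not sending the request")
    body = {"user": {"domain_id": domain_id, "name": name, "password": password, "enabled": True}}
    status, resp, _ = transport("POST", f"{KEYSTONE}/users", token, body)
    if status != 201:
        raise RuntimeError(f"user create failed: HTTP {status} {resp}")
    return resp["user"]["id"]

def bootstrap(admin_password, transport=http_json):
    """The post's three steps, safe to re-run: returns (admin_domain id, cloud_admin user id)."""
    token = get_token("admin", admin_password, transport)
    domain_id = get_or_create_domain(token, "admin_domain", transport)
    return domain_id, create_user(token, domain_id, "cloud_admin", "password", transport)

class FakeKeystone:
    """Constructed offline stand-in for the server, seeded with the two domains the post lists."""
    def __init__(self):
        self.domains = {"1fdf6cd4da99480797d3e2a08d6a8591": "admin_domain", "default": "Default"}

    def __call__(self, method, url, token=None, body=None):
        path = url[len(KEYSTONE):]
        if (method, path) == ("POST", "/auth/tokens"):
            return 201, {}, {"x-subject-token": "be1a1c02623740aeb72fa8c2dfdb8bbb"}
        if method == "GET" and path.startswith("/domains"):
            want = urllib.parse.parse_qs(urllib.parse.urlparse(url).query).get("name")
            doms = [{"id": i, "name": n} for i, n in self.domains.items() if not want or n == want[0]]
            return 200, {"domains": doms}, {}
        if (method, path) == ("POST", "/domains"):
            name = body["domain"]["name"]
            if name in self.domains.values():  # the UNIQUE(name) rule behind the post's 1062 error
                return 409, {"error": {"code": 409, "title": "Conflict"}}, {}
            self.domains[f"dom-{len(self.domains) + 1}"] = name
            return 201, {"domain": {"id": f"dom-{len(self.domains)}", "name": name}}, {}
        if (method, path) == ("POST", "/users"):
            did = body["user"]["domain_id"]
            if did not in self.domains:  # the post's 404: "Could not find domain, null."
                return 404, {"error": {"message": f"Could not find domain, {did}.", "code": 404}}, {}
            return 201, {"user": {"id": "fake-user-" + body["user"]["name"]}}, {}
        raise AssertionError(f"unexpected request {method} {path}")
```

<div>Running <code>bootstrap("admin-password", FakeKeystone())</code> returns the existing admin_domain id from the listing together with a new user id; running it twice returns the same domain id, because the lookup happens before the create. The same calls with <code>transport=http_json</code> go to the real endpoint and use only the v3 routes the post already exercises (<code>/auth/tokens</code>, <code>/domains</code>, <code>/users</code>).</div>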