[Openstack] [Keystone] Creating tenant failed when using ldap as identity backend: 'attribute type undefined'

Yanping Xie irsxyp at gmail.com
Wed Sep 5 11:24:00 UTC 2012

Hi, all

I am trying to setup keystone to use ldap as backend, but failed on
creating the first tenant.

# keystone tenant-create --name=admin
An unexpected error prevented the server from fulfilling your request.
{'info': 'enabled: attribute type undefined', 'desc': 'Undefined attribute
type'} (HTTP 500)

Here is my keystone config about ldap(snippets from keystone.log):
ldap.tenant_member_attribute   = member
ldap.tenant_name_attribute     = ou
ldap.tenant_objectclass        = groupOfNames
ldap.tenant_tree_dn            = ou=Group,dc=example,dc=com
ldap.url                       = ldap://182.xxx.29.250
ldap.use_dumb_member           = False
ldap.user                      = cn=Manager,dc=example,dc=com
ldap.user_id_attribute         = cn
ldap.user_name_attribute       = sn
ldap.user_objectclass          = inetOrgPerson
ldap.user_tree_dn              = ou=User,dc=example,dc=com

Ldap server migration file to initialize ldap:
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: The Example Corporation

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=User,dc=example,dc=com
ou: User
objectClass: top
objectClass: organizationalUnit

dn: ou=Role,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit

Related keytone log is as follows:
2012-09-05 18:45:33    DEBUG [keystone.common.ldap.core] LDAP init:
2012-09-05 18:45:33    DEBUG [keystone.common.ldap.core] LDAP bind:
2012-09-05 18:45:33    DEBUG [keystone.common.ldap.core] LDAP add:
attrs=[('objectClass', ['groupOfNames']), (
'enabled', ['TRUE']), ('ou', ['admin']), ('member',
2012-09-05 18:45:33    ERROR [root] {'info': 'enabled: attribute type
undefined', 'desc': 'Undefined attribute type'}
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line
204, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line
397, in create_tenant
    context, tenant_ref['id'], tenant_ref)
  File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line
47, in _wrapper
    return f(*args, **kw)
line 208, in create_tenant
    return self.tenant.create(tenant)
line 492, in create
    return super(TenantApi, self).create(data)
  File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py",
line 179, in create
    conn.add_s(self._id_to_dn(values['id']), attrs)
  File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py",
line 310, in add_s
    return self.conn.add_s(dn, ldap_attrs)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 194,
in add_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 436,
in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 440,
in result2
    res_type, res_data, res_msgid, srv_ctrls =
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 446,
in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in
    result = func(*args,**kwargs)
*UNDEFINED_TYPE: {'info': 'enabled: attribute type undefined', 'desc':
'Undefined attribute type'}*

And the ldap server log is as follows:
Sep  5 18:45:33 ldaps slapd[7946]: conn=1011 op=1 ADD
Sep  5 18:45:33 ldaps slapd[7946]: send_ldap_result: conn=1011 op=1 p=3
Sep  5 18:45:33 ldaps slapd[7946]: send_ldap_result: err=17 matched=""
text="enabled: attribute type undefined"
Sep  5 18:45:33 ldaps slapd[7946]: send_ldap_response: msgid=2 tag=105
*Sep  5 18:45:33 ldaps slapd[7946]: conn=1011 op=1 RESULT tag=105 err=17
text=enabled: attribute type undefined*

This problem makes me crazy for quite a while. Can anyone help me out?
Really appricate your help.

Best Regards.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20120905/32f42ac5/attachment.html>

More information about the Openstack mailing list