[Openstack] ldap/AD Integration on Icehouse

Erimer, Tarkan tarkan.erimer at f-secure.com
Wed Jun 18 11:19:50 UTC 2014


Hi,

I was trying to integrate our test Icehouse OpenStack environment into AD (Active Directory) in order to pilot user management through AD. I've read the official documentation on the topic:

http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html
https://wiki.openstack.org/wiki/HowtoIntegrateKeystonewithAD#Configuration_on_Keystone
http://openstack.redhat.com/Keystone_integration_with_IDM

All the above docs explain only the keystone part; there is no doc on how exactly the AD side should be configured.

Anyway, I've managed to get to a point where I have the following error in keystone.log:

2014-06-18 10:56:35.024 1706 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.6/site-packages/keystone/middleware/core.py:271
2014-06-18 10:56:35.063 1706 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
2014-06-18 10:56:35.065 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.066 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.069 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.076 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(sAMAccountName=nova)(objectClass=Person)), attrs=['userPassword', 'userAccountControl', 'sAMAccountName', 'mail'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.079 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.081 1706 DEBUG keystone.notifications [-] CADF Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', 'initiator': {'typeURI': 'service/security/account/user', 'host': {'agent': 'python-requests/1.1.0 CPython/2.6.6 Linux/2.6.32-431.17.1.el6.x86_64', 'address': '1.x.x.x'}, 'id': 'openstack:3b761d61-1f9c-463c-adc4-cf83a8873aaa', 'name': 'nova'}, 'target': {'typeURI': 'service/security/account/user', 'id': 'openstack:b588a4a4-4537-4a3c-a56e-68d7518bbf69'}, 'observer': {'typeURI': 'service/security', 'id': 'openstack:35c9ba06-17b0-482f-b86a-c7407b698fe2'}, 'eventType': 'activity', 'eventTime': '2014-06-18T10:56:35.080881+0000', 'action': 'authenticate', 'outcome': 'pending', 'id': 'openstack:d4b86103-3dc9-4577-a9c4-74fc2cc4152c'} _send_audit_notification /usr/lib/python2.6/site-packages/keystone/notifications.py:289
2014-06-18 10:56:35.136 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('qpid = oslo.messaging._drivers.impl_qpid:QpidDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.136 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('zmq = oslo.messaging._drivers.impl_zmq:ZmqDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.136 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('kombu = oslo.messaging._drivers.impl_rabbit:RabbitDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.137 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('rabbit = oslo.messaging._drivers.impl_rabbit:RabbitDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.194 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('fake = oslo.messaging._drivers.impl_fake:FakeDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.195 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('log = oslo.messaging.notify._impl_log:LogDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.195 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('messagingv2 = oslo.messaging.notify._impl_messaging:MessagingV2Driver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.195 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('noop = oslo.messaging.notify._impl_noop:NoOpDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.196 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('routing = oslo.messaging.notify._impl_routing:RoutingDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.196 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('test = oslo.messaging.notify._impl_test:TestDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.196 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('messaging = oslo.messaging.notify._impl_messaging:MessagingDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.196 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('cinder.openstack.common.notifier.no_op_notifier = oslo.messaging.notify._impl_noop:NoOpDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.196 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('cinder.openstack.common.notifier.log_notifier = oslo.messaging.notify._impl_log:LogDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('cinder.openstack.common.notifier.test_notifier = oslo.messaging.notify._impl_test:TestDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('cinder.openstack.common.notifier.rpc_notifier2 = oslo.messaging.notify._impl_messaging:MessagingV2Driver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('cinder.openstack.common.notifier.rpc_notifier = oslo.messaging.notify._impl_messaging:MessagingDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('nova.openstack.common.notifier.no_op_notifier = oslo.messaging.notify._impl_noop:NoOpDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('nova.openstack.common.notifier.test_notifier = oslo.messaging.notify._impl_test:TestDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('nova.openstack.common.notifier.rpc_notifier = oslo.messaging.notify._impl_messaging:MessagingDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.198 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('nova.openstack.common.notifier.log_notifier = oslo.messaging.notify._impl_log:LogDriver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.198 1706 DEBUG stevedore.extension [-] found extension EntryPoint.parse('nova.openstack.common.notifier.rpc_notifier2 = oslo.messaging.notify._impl_messaging:MessagingV2Driver') _load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.199 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.200 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.200 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.205 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(cn=nova)(objectClass=Person)), attrs=['mail', 'userPassword', 'userAccountControl', 'sAMAccountName'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.207 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.208 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.209 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.210 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.215 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(cn=nova)(objectclass=Person)), attrs=None search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.218 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.218 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.219 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.220 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=nova,OU=services,OU=Projects,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.224 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.226 1706 DEBUG keystone.notifications [-] CADF Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', 'initiator': {'typeURI': 'service/security/account/user', 'host': {'agent': 'python-requests/1.1.0 CPython/2.6.6 Linux/2.6.32-431.17.1.el6.x86_64', 'address': '1.x.x.x'}, 'id': 'openstack:3b761d61-1f9c-463c-adc4-cf83a8873aaa', 'name': 'nova'}, 'target': {'typeURI': 'service/security/account/user', 'id': 'openstack:12c5c400-0a51-4477-baf4-b95c91ba60ad'}, 'observer': {'typeURI': 'service/security', 'id': 'openstack:d12b322f-9c1a-493f-ac0d-6727d37cff39'}, 'eventType': 'activity', 'eventTime': '2014-06-18T10:56:35.225896+0000', 'action': 'authenticate', 'outcome': 'success', 'id': 'openstack:aa435cf2-6fd2-4cce-a40e-53753cab55bf'} _send_audit_notification /usr/lib/python2.6/site-packages/keystone/notifications.py:289
2014-06-18 10:56:35.227 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.228 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.229 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.234 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(ou=services)(objectClass=organizationalUnit)), attrs=['description', 'extensionName', 'businessCategory', 'ou'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.237 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.237 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.238 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.238 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.243 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(ou=services)(objectClass=organizationalUnit)), attrs=['ou', 'description', 'businessCategory', 'extensionName'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.246 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.246 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.247 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.247 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.251 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(ou=services)(objectClass=organizationalUnit)), attrs=['ou', 'description', 'businessCategory', 'extensionName'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.254 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.254 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.255 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.256 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.261 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(ou=services)(objectClass=organizationalUnit)), attrs=['ou', 'description', 'businessCategory', 'extensionName'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.263 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.264 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.265 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.266 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.270 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(ou=services)(objectclass=organizationalUnit)), attrs=None search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.273 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.273 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.274 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.274 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.278 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=services,OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=1, query=(objectClass=organizationalRole), attrs=None search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.281 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.282 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.283 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.284 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.289 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(cn=nova)(objectClass=Person)), attrs=['mail', 'userPassword', 'userAccountControl', 'sAMAccountName'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.291 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.292 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.292 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.293 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.297 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(cn=nova)(objectclass=Person)), attrs=None search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.300 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.300 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.302 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.303 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.307 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=ou=UserGroups,dc=test,dc=local, scope=2, query=(&(&(objectClass=groupOfNames)(member=CN=nova,OU=services,OU=Projects,OU=iaas,OU=Other,DC=test,DC=local))(objectClass=groupOfNames)), attrs=['description', 'ou'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.310 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.336 1706 DEBUG keystone.openstack.common.db.sqlalchemy.session [-] MySQL server mode set to STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER _mysql_check_effective_sql_mode /usr/lib/python2.6/site-packages/keystone/openstack/common/db/sqlalchemy/session.py:562
2014-06-18 10:56:35.384 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.385 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.386 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:36.391 1706 DEBUG keystone.common.ldap.core [-] LDAP search: dn=OU=Roles,OU=iaas,OU=Other,DC=test,DC=local, scope=2, query=(&(cn=services)(objectClass=organizationalRole)), attrs=['cn'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:36.393 1706 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:36.471 1706 INFO eventlet.wsgi.server [-] 1.x.x.x - - [18/Jun/2014 10:56:36] "POST /v2.0/tokens HTTP/1.1" 200 8938 1.447416
2014-06-18 10:56:36.520 1706 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'project_id': u'services', 'user_id': u'nova', 'roles': [u'services']} process_request /usr/lib/python2.6/site-packages/keystone/middleware/core.py:281
2014-06-18 10:56:36.523 1706 DEBUG keystone.common.wsgi [-] arg_dict: {'token_id': u'4dd244aee826e0ea0f1a27e7a9d42885'} __call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
2014-06-18 10:56:36.525 1706 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:validate_token(token_id=4dd244aee826e0ea0f1a27e7a9d42885) _build_policy_check_credentials /usr/lib/python2.6/site-packages/keystone/common/controller.py:54
2014-06-18 10:56:36.526 1706 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.6/site-packages/keystone/common/controller.py:59
2014-06-18 10:56:36.527 1706 DEBUG keystone.policy.backends.rules [-] enforce identity:validate_token: {'project_id': u'services', 'user_id': u'nova', 'roles': [u'services']} enforce /usr/lib/python2.6/site-packages/keystone/policy/backends/rules.py:101
2014-06-18 10:56:36.536 1706 DEBUG keystone.openstack.common.policy [-] Rule identity:validate_token will be now enforced enforce /usr/lib/python2.6/site-packages/keystone/openstack/common/policy.py:258
2014-06-18 10:56:36.537 1706 DEBUG keystone.openstack.common.fileutils [-] Reloading cached file /etc/keystone/policy.json read_cached_file /usr/lib/python2.6/site-packages/keystone/openstack/common/fileutils.py:63
2014-06-18 10:56:36.545 1706 DEBUG keystone.openstack.common.policy [-] Rules successfully reloaded load_rules /usr/lib/python2.6/site-packages/keystone/openstack/common/policy.py:212
2014-06-18 10:56:36.546 1706 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:validate_token.
2014-06-18 10:56:36.548 1706 INFO eventlet.wsgi.server [-] 1.x.x.x - - [18/Jun/2014 10:56:36] "GET /v2.0/tokens/4dd244aee826e0ea0f1a27e7a9d42885 HTTP/1.1" 403 277 0.037631
2014-06-18 10:56:36.560 1706 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'project_id': u'services', 'user_id': u'nova', 'roles': [u'services']} process_request /usr/lib/python2.6/site-packages/keystone/middleware/core.py:281
2014-06-18 10:56:36.563 1706 DEBUG keystone.common.wsgi [-] arg_dict: {'token_id': u'4dd244aee826e0ea0f1a27e7a9d42885'} __call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
2014-06-18 10:56:36.563 1706 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:validate_token(token_id=4dd244aee826e0ea0f1a27e7a9d42885) _build_policy_check_credentials /usr/lib/python2.6/site-packages/keystone/common/controller.py:54
2014-06-18 10:56:36.564 1706 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.6/site-packages/keystone/common/controller.py:59
2014-06-18 10:56:36.564 1706 DEBUG keystone.policy.backends.rules [-] enforce identity:validate_token: {'project_id': u'services', 'user_id': u'nova', 'roles': [u'services']} enforce /usr/lib/python2.6/site-packages/keystone/policy/backends/rules.py:101
2014-06-18 10:56:36.565 1706 DEBUG keystone.openstack.common.policy [-] Rule identity:validate_token will be now enforced enforce /usr/lib/python2.6/site-packages/keystone/openstack/common/policy.py:258
2014-06-18 10:56:36.565 1706 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:validate_token.
2014-06-18 10:56:36.566 1706 INFO eventlet.wsgi.server [-] 1.x.x.x - - [18/Jun/2014 10:56:36] "GET /v2.0/tokens/4dd244aee826e0ea0f1a27e7a9d42885 HTTP/1.1" 403 277 0.014182

Thus, it is not letting me in on the WebUI.

My keystone.conf LDAP configuration is:

driver = keystone.identity.backends.ldap.Identity

[ldap]
query_scope = sub
url = ldap://1.x.x.x
user = CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
password = XXXXX
suffix = dc=test,dc=local
use_dumb_member = True
dumb_member = CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local

user_tree_dn = OU=iaas,OU=Other,DC=test,DC=local
#user_objectclass = organizationalPerson
user_objectclass = Person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = True
user_allow_update = True
user_allow_delete = True

tenant_tree_dn = OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore = description,businessCategory,extensionName
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = OU=Roles,OU=iaas,OU=Other,DC=test,DC=local
#role_tree_dn = CN=admin,OU=Services,OU=Roles,OU=iaas,OU=Other,DC=test,DC=local
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True


Any pointers?


Tarkan
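
A log triage script for a keystone.log like the one in this message, as an added example that is not part of the original post: it counts the DNs that were bound with simple bind over a connection without TLS, and pairs each policy denial with the roles from the most recent auth context. The sample lines are constructed from the excerpt above; the function name `triage` and the pairing-by-proximity heuristic are assumptions.

```python
import ast
import re
from collections import Counter

# Constructed sample modeled on the keystone.log excerpt in the post
# (source-file paths shortened; not the poster's full log).
SAMPLE_LOG = """\
2014-06-18 10:56:35.065 1706 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://1.x.x.x __init__ core.py:491
2014-06-18 10:56:35.066 1706 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False
tls_cacertfile=None
tls_req_cert=2
__init__ core.py:501
2014-06-18 10:56:35.069 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s core.py:561
2014-06-18 10:56:35.220 1706 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=nova,OU=services,OU=Projects,OU=iaas,OU=Other,DC=test,DC=local simple_bind_s core.py:561
2014-06-18 10:56:36.520 1706 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'project_id': u'services', 'user_id': u'nova', 'roles': [u'services']} process_request core.py:281
2014-06-18 10:56:36.546 1706 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:validate_token.
"""

URL_RE = re.compile(r"LDAP init: url=(\S+)")
TLS_RE = re.compile(r"LDAP init: use_tls=(True|False)")
BIND_RE = re.compile(r"LDAP bind: dn=(.+?) simple_bind_s")
CTX_RE = re.compile(r"RBAC: auth_context: (\{.*\})")
DENY_RE = re.compile(r"not authorized to perform the requested action, ([\w:]+)")


def triage(log_text):
    """Hypothetical helper: summarise cleartext LDAP binds and policy denials."""
    url, use_tls, last_ctx = None, None, None
    cleartext_binds = Counter()
    denials = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if m:
            url = m.group(1)
            continue
        m = TLS_RE.search(line)
        if m:
            use_tls = (m.group(1) == "True")
            continue
        m = BIND_RE.search(line)
        if m:
            # A simple bind carries the DN's password in the bind request, so
            # over ldap:// with use_tls=False it crosses the network unencrypted.
            if url and url.lower().startswith("ldap://") and use_tls is False:
                cleartext_binds[m.group(1)] += 1
            continue
        m = CTX_RE.search(line)
        if m:
            # The logged context is a Python 2 dict repr; literal_eval accepts
            # the u'' prefixes and never executes code.
            last_ctx = ast.literal_eval(m.group(1))
            continue
        m = DENY_RE.search(line)
        if m:
            # Assumption: the most recent auth_context belongs to this request
            # (concurrent requests could interleave in a busy log).
            ctx = last_ctx or {}
            denials.append({
                "action": m.group(1),
                "user_id": ctx.get("user_id"),
                "project_id": ctx.get("project_id"),
                "roles": ctx.get("roles"),
            })
    return {"cleartext_binds": dict(cleartext_binds), "denials": denials}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dn, count in report["cleartext_binds"].items():
        print("cleartext simple bind x%d: %s" % (count, dn))
    for d in report["denials"]:
        print("denied %(action)s for user=%(user_id)s "
              "project=%(project_id)s roles=%(roles)s" % d)
```

The roles printed next to each denial are the ones to compare against the rule for that action in /etc/keystone/policy.json.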
