[Openstack] Keystone: domain_specific_drivers_enabled not working with LDAP

Tristan Evans azurepancake at gmail.com
Tue Jul 25 15:49:28 UTC 2017


Hi,

I am running OpenStack Ocata that was originally provisioned using RDO
Packstack.

I currently have Keystone configured to use a single identity backend which
is LDAP. Everything works great with this configuration except Heat and
Magnum. Through some troubleshooting, it appears the problem may be that
these services operate within their own domains ("heat" and "magnum"
respectively). This results in errors like the below (in keystone.log) when
trying to build a cluster with Magnum:

2017-07-20 11:12:22.509 7494 ERROR
magnum.conductor.handlers.common.trust_manager Failed to create trustee and
trust for Cluster
2017-07-20 11:12:22.509 7494 ERROR
magnum.conductor.handlers.common.trust_manager NotFound: Could not find
domain: f950f5d49d8f4acba4790113580a956f. (HTTP 404)

I also caught the below as well:

2017-07-20 10:32:24.122 20553 WARNING keystone.identity.core Found multiple
domains being mapped to a driver that does not support that (e.g. LDAP)
2017-07-20 10:32:24.122 20553 WARNING keystone.common.wsgi Could not find
domain: f950f5d49d8f4acba4790113580a956f.

The domain does indeed exist:

# openstack domain list
90a99943256b4a22a5c51352d428a7e5 | heat    | True
default                          | Default | True    | The default domain
f950f5d49d8f4acba4790113580a956f | magnum  | True

So through some research, I found that I can configure the below settings
in keystone.conf to choose specific drivers for specific domains:

[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

And then migrate my entire "[ldap]" configuration as
/etc/keystone/domains/keystone.Default.conf.

I then restart httpd and attempt to list domains:

# openstack domain list
An unexpected error prevented the server from fulfilling your request.
(HTTP 500) (Request-ID: req-9d64587c-8bda-401b-83df-a0c166ea629b)

If I look up that request ID in the log:

2017-07-20 14:36:46.828 2621 DEBUG keystone.middleware.auth
[req-9d64587c-8bda-401b-83df-a0c166ea629b - - - - -] There is either no
auth token in the request or the certificate issuer is not trusted. No auth
context will be set. fill_context
/usr/lib/python2.7/site-packages/keystone/middleware/auth.py:188
2017-07-20 14:36:46.829 2621 INFO keystone.common.wsgi
[req-9d64587c-8bda-401b-83df-a0c166ea629b - - - - -] POST
http://10.11.184.50:5000/v3/auth/tokens
2017-07-20 14:36:46.848 2621 WARNING keystone.common.wsgi
[req-9d64587c-8bda-401b-83df-a0c166ea629b - - - - -] An unexpected error
prevented the server from fulfilling your request.

I can't seem to find any other interesting errors in keystone.log. The
above just repeats over and over for each service attempting to
authenticate.

If I remove the "domain_specific_drivers_enabled" and "domain_config_dir"
options from keystone.conf (with my "[ldap]" configurations removed as
well), I can then successfully authenticate using MySQL for identity.

I'm at a total loss on what may be wrong, and confused as to why Heat and
Magnum need their own domains. Would anyone be able to help point me in the
right direction?
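An added illustration of the layout that the domain-specific driver setup expects; this is example configuration, not part of the original message and not a reply from the list. The Keystone LDAP identity driver serves a single domain, so the main keystone.conf keeps the SQL driver as the default for every domain without a file of its own (such as the service domains), and only the per-domain file, named after the domain name rather than its ID, switches to LDAP. The LDAP URL, bind DN, password and tree DNs are placeholders.

```ini
# /etc/keystone/keystone.conf (excerpt, added example)
# Default driver for any domain that has no file in domain_config_dir.
[identity]
driver = sql
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

# /etc/keystone/domains/keystone.Default.conf (added example)
# File name is keystone.<domain name>.conf; only this domain uses LDAP.
[identity]
driver = ldap

[ldap]
# Placeholder values; replace with the real directory settings.
url = ldaps://ldap.example.com
user = cn=keystone,ou=services,dc=example,dc=com
password = REPLACE_ME
suffix = dc=example,dc=com
user_tree_dn = ou=users,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = cn
```

The per-domain file carries the LDAP bind password, so it should be readable only by the keystone service account (for example mode 0600, owned by keystone), the same as the `[ldap]` section it replaced in keystone.conf.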