[Openstack-operators] ldap INVALID_CREDENTIALS

Sharif Islam islamsh at indiana.edu
Fri Aug 26 14:43:35 UTC 2011

I was able to use an existing ldap user account and bind.

As I mentioned in my original post, I am using my existing openldap
server which has different sets of users than the ones I created in
nova. So now, 'nova-manage user list' returns nothing, which makes sense.
Also when I do euca-describe-instances, I get the 403 error:

Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error
EC2ResponseError: 403 Forbidden
403 Forbidden.

From nova-api.log:

2011-08-26 10:27:54,644 nova: Starting /usr/bin/nova-api on
2011-08-26 10:27:54,646 nova: Starting /usr/bin/nova-api on
2011-08-26 10:28:09,086 nova.auth.manager: Looking up user:
2011-08-26 10:28:09,150 nova.auth.manager: user: None
2011-08-26 10:28:09,150 nova.auth.manager: Failed authorization for
access key 70b709b7-82d1-404c-873a-8a7b116fec24
2011-08-26 10:28:09,150 nova.api: Authentication Failure: No user found
for access key 70b709b7-82d1-404c-873a-8a7b116fec24
2011-08-26 10:28:09,150 nova.api: 0.91012s GET
/services/Cloud/ None:None 403 [Boto/1.9b (linux2)] text/plain text/html

My main question/confusion is how do I use my existing ldap user/group
in nova?

settings in nova.conf:

--ldap_user_dn= cn=Manager,dc=university,dc=org
--ldap_user_unit=People

According to this blog post

"Nova stores its users, projects and roles (global and per-project) in
LDAP. Necessary schema files are in /nova/auth dir in the Nova source
distribution. The following describes how Nova stores each of these
object types.

Users are stored as objects with a novaUser class. They have mandatory
accessKey, secretKey and isNovaAdmin (self-explanatory) attributes along
with customizable attributes set by flags ldap_user_id_attribute (uid by
default) and ldap_user_name_attribute (cn). To use the latter ones, it
assigns person, organizationalPerson and inetOrgPerson to all newly
created users. All users are stored and searched for in the LDAP subtree
defined by ldap_user_subtree and ldap_user_unit."

So if I create a user from nova-manage now, will it create a user in
ldap? I have the standard ldap schema, so I don't have the novaUser class. Can I
use ldap in nova without creating the novaUser class?


--sharif

On 08/24/2011 04:43 PM, Sharif Islam wrote:
> Usually when I query ldap from perl or java, I create an anonymous bind.
> I am not sure what openstack requires in this case.
> --auth_driver=nova.auth.ldapdriver.LdapDriver
> --ldap_url=ldap://$nova_ldap_host
> --ldap_password=$nova_ldap_user_pass
> --ldap_user_dn=$nova_ldap_user_dn
> This is my setting:
> --auth_driver=nova.auth.ldapdriver.LdapDriver
> --ldap_url=ldap://myldap.univeristy.org
> --ldap_user_dn= uid=sharif,ou=People,dc=university,dc=org
> This is from nova-manage log:
> (nova): TRACE:   File
> "/usr/lib/python2.6/site-packages/nova/auth/ldapdriver.py", line 120, in
> __enter__
> (nova): TRACE:     self.conn.simple_bind_s(FLAGS.ldap_user_dn,
> FLAGS.ldap_password)
> (nova): TRACE:   File
> "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 207, in
> simple_bind_s
> (nova): TRACE:     return self.result(msgid,all=1,timeout=self.timeout)
> (nova): TRACE:   File
> "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 436, in result
> (nova): TRACE:     res_type,res_data,res_msgid =
> self.result2(msgid,all,timeout)
> (nova): TRACE:   File
> "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 440, in
> result2
> (nova): TRACE:     res_type, res_data, res_msgid, srv_ctrls =
> self.result3(msgid,all,timeout)
> (nova): TRACE:   File
> "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 446, in
> result3
> (nova): TRACE:     ldap_result =
> self._ldap_call(self._l.result3,msgid,all,timeout)
> (nova): TRACE:   File
> "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in
> _ldap_call
> (nova): TRACE:     result = func(*args,**kwargs)
> (nova): TRACE: INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
> From nova-api:
> 2011-08-24 16:32:48,828 nova.auth.manager: Looking up user:
> '70b709b7-82d1-404c-873a-8a7b116fec24'
> 2011-08-24 16:32:56,902 nova.auth.manager: Looking up user:
> '70b709b7-82d1-404c-873a-8a7b116fec24'
> 2011-08-24 16:33:12,989 nova.auth.manager: Looking up user:
> '70b709b7-82d1-404c-873a-8a7b116fec24
> --sharif

-- 
Sharif Islam
Senior Systems Analyst/Programmer
FutureGrid (http://futuregrid.org)
Pervasive Technology Institute, Indiana University Bloomington
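Added example, not code from this thread or from Nova itself: a small Python audit that reads an LDIF export of an ou=People subtree and reports, per entry, which of the novaUser class and the accessKey/secretKey/isNovaAdmin attributes named in the quoted excerpt are missing, then emulates the access-key lookup that nova-api.log shows ending in "user: None" and a 403. The LDIF, DNs and key values are constructed, and the check follows the excerpt's description rather than Nova's actual ldapdriver code.

```python
import re

# Constructed LDIF for the poster's existing ou=People subtree: a plain
# inetOrgPerson user beside one entry carrying the novaUser class.
SAMPLE_LDIF = """\
dn: uid=sharif,ou=People,dc=university,dc=org
objectClass: inetOrgPerson
uid: sharif

dn: uid=novatest,ou=People,dc=university,dc=org
objectClass: inetOrgPerson
objectClass: novaUser
uid: novatest
accessKey: example-access-key-0001
secretKey: example-secret-key-0001
isNovaAdmin: FALSE
"""
REQUIRED_ATTRS = ("accessKey", "secretKey", "isNovaAdmin")

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records, '::' base64 values
    not handled. Returns a list of {attribute: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, last = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and last:  # RFC 2849 folded line
                entry[last][-1] += line[1:]
                continue
            last, _, value = line.partition(":")
            entry.setdefault(last, []).append(value.strip())
        entries.append(entry)
    return entries

def missing_for_nova(entry):
    """What the excerpt says a Nova user needs but this entry lacks (empty = OK)."""
    missing = [a for a in REQUIRED_ATTRS if a not in entry]
    if "novaUser" not in entry.get("objectClass", []):
        missing.insert(0, "objectClass novaUser")
    return missing

def lookup_by_access_key(entries, access_key):
    """Emulate the 'Looking up user' step in nova-api.log: the DN whose
    accessKey matches, or None (the 'user: None' / 403 path in the log)."""
    for e in entries:
        if not missing_for_nova(e) and access_key in e.get("accessKey", []):
            return e["dn"][0]
    return None
```

Running it against a real export (`ldapsearch -LLL -b ou=People,...`) shows which existing accounts Nova cannot match by access key, which is the failure the 403 above reflects.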