[Openstack] How to configure Keystone with open LDAP + horizon on grizzly

yasith tharindu yasithucsc at gmail.com
Wed May 29 14:48:02 UTC 2013


Now my authentication phase is right through LDAP, I guess. But I'm getting an
error when I try to log in, saying "You are not authorized for any projects."


My LDAP configuration has been used by Keystone, it seems. The keystone
command gives the following results.


root@ubuntu:/home/wso2/ldap# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication
credentials are being ignored).
+------+------+---------+------------------+
|  id  | name | enabled |      email       |
+------+------+---------+------------------+
| demo | demo |   True  | demo@example.com |
+------+------+---------+------------------+
root@ubuntu:/home/wso2/ldap# keystone role-list
WARNING: Bypassing authentication using a token & endpoint (authentication
credentials are being ignored).
+-------+-------+
|   id  |  name |
+-------+-------+
| admin | Admin |
+-------+-------+
root@ubuntu:/home/wso2/ldap# keystone tenant-list
WARNING: Bypassing authentication using a token & endpoint (authentication
credentials are being ignored).
+-------+-------+---------+
|   id  |  name | enabled |
+-------+-------+---------+
| admin | admin |   True  |
+-------+-------+---------+

But nova commands return an error with the LDAP user credentials.

# nova image-list
ERROR: Invalid OpenStack Nova credentials.


The environment variables I used are as follows.

export OS_USERNAME=demo
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://192.168.1.111:5000/v2.0/
export OS_REGION_NAME=RegionOne
export SERVICE_ENDPOINT="http://192.168.1.111:35357/v2.0"
export SERVICE_TOKEN=012345SECRET99TOKEN012345
export OS_NO_CACHE=1


The following is the keystone log.

2013-05-29 02:45:20    DEBUG [keystone.common.ldap.core] LDAP search:
dn=ou=Tenants,dc=example,dc=com, scope=2,
query=(&(objectClass=organizationalRole)(roleOccupant=cn=demo,ou=Users,dc=example,dc=com)),
attrs=None
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] ********************
RESPONSE HEADERS ********************
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Vary = X-Auth-Token
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Content-Type =
application/json
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Content-Length = 36
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi]
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] ********************
RESPONSE BODY ********************
2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] {"tenants_links": [],
"tenants": []}
2013-05-29 02:45:20     INFO [access] 127.0.0.1 - - [28/May/2013:21:15:20
+0000] "GET http://127.0.0.1:5000/v2.0/tenants HTTP/1.0" 200 36
2013-05-29 02:45:20    DEBUG [eventlet.wsgi.server] 127.0.0.1 - -
[29/May/2013 02:45:20] "GET /v2.0/tenants HTTP/1.1" 200 164 0.028584



And the tenant config of keystone is as follows:

tenant_tree_dn = ou=Tenants,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = cn
tenant_domain_id_attribute = businessCategory
tenant_enabled_attribute = o
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
tenant_desc_attribute = description



Anyone have any suggestions? It seems there are no tenants according to the log
"DEBUG [keystone.common.wsgi] {"tenants_links": [], "tenants": []}".
But I have enabled the user in the Tenant LDAP group.

dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
cn: admin
o: True
businessCategory: default
description: Openstack admin Tenant
member: cn=demo,ou=Users,dc=example,dc=com

Thanks in advance. :)


On Mon, May 20, 2013 at 11:24 AM, yasith tharindu <yasithucsc at gmail.com> wrote:

> The question is posted on openstack ask page.
> https://ask.openstack.org/question/1350/how-to-configure-keystone-with-open-ldap-horizon-on-grizzly/
>
> Error
>
> 2013-05-19 15:21:23    ERROR [root] 'domain_id'
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 236, in __call__
>     result = method(context, **params)
>   File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 82, in authenticate
>     core.validate_auth_info(self, context, user_ref, tenant_ref)
>   File "/usr/lib/python2.7/dist-packages/keystone/token/core.py", line 84, in validate_auth_info
>     user_ref['domain_id'])
> KeyError: 'domain_id'
>
> 2013-05-19 15:21:23    DEBUG [keystone.common.wsgi] {"error": {"message": "An unexpected error prevented the server from fulfilling your request. 'domain_id'", "code": 500, "title": "Internal Server Error"}}
>
> Keystone config
>
> ==========================================================================
> url = ldap://192.168.1.111
> user = cn=admin,dc=example,dc=com
> password = secret
> suffix = cn=example,cn=com
> use_dumb_member = False
> tree_dn = dc=example,dc=com
>
> user_tree_dn = ou=Users,dc=example,dc=com
> user_objectclass = inetOrgPerson
> user_id_attribute = cn
> user_name_attribute = sn
> user_pass_attribute = userPassword
> user_allow_create = True
> user_allow_update = True
> user_enabled_attribute = enabled
> user_enabled_default = True
> user_domain_id_attribute = None
>
> tenant_tree_dn = ou=Tenants,dc=example,dc=com
> tenant_objectclass = groupOfNames
> tenant_id_attribute = cn
> tenant_member_attribute = member
> tenant_name_attribute = ou
> tenant_domain_id_attribute = None
> tenant_allow_create = True
> tenant_allow_update = True
>
>
> role_tree_dn = ou=Roles,dc=example,dc=com
> role_objectclass = groupOfNames
> role_member_attribute = member
> role_id_attribute = cn
> role_name_attribute = ou
> role_allow_create = True
> role_allow_update = True
>
>
> ==============================================
>
> ldap config as follows.
>
> dn: dc=example,dc=com
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: example Inc
> dc: example
>
>
> dn: cn=admin,dc=example,dc=com
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: admin
> description: LDAP administrator
> userPassword:: c2VjcmV0
>
>
>
> dn: ou=Users,dc=example,dc=com
> ou: users
> objectClass: organizationalUnit
> structuralObjectClass: organizationalUnit
>
>
> dn: ou=Roles,dc=example,dc=com
> ou: roles
> objectClass: organizationalUnit
> structuralObjectClass: organizationalUnit
>
>
> dn: ou=Tenants,dc=example,dc=com
> ou: tenants
> objectClass: organizationalUnit
>
>
>
> dn: cn=demo,ou=Users,dc=example,dc=com
> cn: demo
> displayName: demo
> givenName: demo
> mail: demo@example.com
> objectClass: inetOrgPerson
> objectClass: top
> sn: demo
> uid: demo
> userPassword:: c2VjcmV0
>
>
> dn: cn=admin,ou=Roles,dc=example,dc=com
> objectClass: groupOfNames
> cn: admin
> description: Openstack admin Role
> member: cn=demo,ou=Users,dc=example,dc=com
>
>
> dn: cn=admin,ou=Tenants,dc=example,dc=com
> objectClass: groupOfNames
> cn: admin
> description: Openstack admin Tenant
> member: cn=demo,ou=Users,dc=example,dc=com
>
> I would really appreciate your help.
>
>


-- 
Thanks..
Regards...

Blog: http://www.yasith.info
Twitter : http://twitter.com/yasithnd
LinkedIn : http://www.linkedin.com/in/yasithnd
GPG Key ID : 57CEE66E
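A diagnostic for the tenant lookup above, added here as an example; it is not code from the post or from Keystone. Two things in the post point at the cause. First, the `WARNING: Bypassing authentication using a token & endpoint` lines show that the keystone CLI calls succeeded with the admin SERVICE_TOKEN, not with the demo user's LDAP password, so they say nothing about the password path that nova uses. Second, the log shows exactly what `GET /v2.0/tenants` searched for: base `ou=Tenants,dc=example,dc=com`, subtree scope (`scope=2`), filter `(&(objectClass=organizationalRole)(roleOccupant=cn=demo,ou=Users,dc=example,dc=com))`. That filter uses the role object class and role member attribute, not the tenant's `groupOfNames`/`member` settings, so the `member:` line on `cn=admin,ou=Tenants,...` is never consulted for this query. The script below assumes (this is my reading of the Grizzly LDAP backend, not something the page states) that a user's tenants are found by matching role-grant entries stored beneath each tenant entry and taking each hit's parent DN as the tenant, which is what the logged search implies. It replays that search over the LDIF from the post, gets the same empty result, and then adds one constructed grant entry of the shape the filter would match, which in practice is what `keystone user-role-add --user demo --role admin --tenant admin` creates when `role_allow_create = True`. Note also that the filter in the log names `organizationalRole`/`roleOccupant` while the quoted earlier config set `role_objectclass = groupOfNames` and `role_member_attribute = member`, so the first check is which keystone.conf the running service actually loaded.

```python
"""Replay Keystone's logged tenant lookup against the posted LDIF.

Added example, not from the original post or from Keystone itself.
Model (assumption): GET /v2.0/tenants searches the tenant subtree for
entries of role_objectclass whose role_member_attribute equals the
user's DN, and reports each hit's parent entry as a tenant.
"""
import base64

# Entries copied from the post (the admin tenant is a groupOfNames with a
# member attribute, which the logged filter does not look at).
POSTED_LDIF = """\
dn: ou=Tenants,dc=example,dc=com
ou: tenants
objectClass: organizationalUnit

dn: cn=demo,ou=Users,dc=example,dc=com
cn: demo
sn: demo
mail: demo@example.com
objectClass: inetOrgPerson
userPassword:: c2VjcmV0

dn: cn=admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
cn: admin
member: cn=demo,ou=Users,dc=example,dc=com

dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
cn: admin
o: True
businessCategory: default
member: cn=demo,ou=Users,dc=example,dc=com
"""

# Constructed grant entry (assumption about the layout): a role entry
# beneath the tenant entry, which is what the logged filter would match.
GRANT_LDIF = """\
dn: cn=admin,cn=admin,ou=Tenants,dc=example,dc=com
objectClass: organizationalRole
cn: admin
roleOccupant: cn=demo,ou=Users,dc=example,dc=com
"""


def norm_dn(dn):
    """Case-fold a DN and strip whitespace around its RDNs for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: {normalised dn: {attr(lowercase): [values]}}.
    Handles '::' base64 values and leading-space continuation lines."""
    entries, current, last_attr = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]  # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr == "dn":
            current = entries.setdefault(norm_dn(value), {"dn": [value]})
            last_attr = None
            continue
        if current is None:
            raise ValueError("attribute line before any dn: %r" % raw)
        current.setdefault(attr, []).append(value)
        last_attr = attr
    return entries


def list_tenants_for_user(entries, user_dn, tenant_tree_dn,
                          role_objectclass="organizationalRole",
                          role_member_attribute="roleOccupant"):
    """Model of the logged search: base=tenant_tree_dn, scope=subtree,
    filter=(&(objectClass=<role_objectclass>)(<role_member_attribute>=<user_dn>)).
    Each hit is a grant; its parent DN is returned as the tenant."""
    user, base = norm_dn(user_dn), norm_dn(tenant_tree_dn)
    oc, member_attr = role_objectclass.lower(), role_member_attribute.lower()
    tenants = set()
    for dn, attrs in entries.items():
        if not (dn == base or dn.endswith("," + base)):
            continue  # outside the subtree
        if oc not in (v.lower() for v in attrs.get("objectclass", [])):
            continue
        if user not in (norm_dn(v) for v in attrs.get(member_attr, [])):
            continue
        tenants.add(attrs["dn"][0].split(",", 1)[1])  # parent of the grant
    return sorted(tenants)


USER_DN = "cn=demo,ou=Users,dc=example,dc=com"
TENANT_TREE = "ou=Tenants,dc=example,dc=com"


def tenants_as_posted():
    """Same data as the post: expect the empty list seen in the log."""
    return list_tenants_for_user(parse_ldif(POSTED_LDIF), USER_DN, TENANT_TREE)


def tenants_with_grant():
    """Post's data plus the constructed grant entry."""
    return list_tenants_for_user(parse_ldif(POSTED_LDIF + "\n" + GRANT_LDIF),
                                 USER_DN, TENANT_TREE)


if __name__ == "__main__":
    print("as posted:  ", tenants_as_posted())
    print("with grant: ", tenants_with_grant())
```

Running it prints an empty list for the data as posted and `['cn=admin,ou=Tenants,dc=example,dc=com']` once the grant entry exists. To confirm the same thing against the live directory, run the logged filter directly with `ldapsearch -x -D cn=admin,dc=example,dc=com -W -b ou=Tenants,dc=example,dc=com '(&(objectClass=organizationalRole)(roleOccupant=cn=demo,ou=Users,dc=example,dc=com))'`; an empty result there means Keystone will keep returning `"tenants": []`, and Horizon will keep saying "You are not authorized for any projects."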