[Openstack] Icehouse, LDAP/Active Directory Authentication, Invalid Password
Adam Young
ayoung at redhat.com
Mon Nov 17 15:23:28 UTC 2014
On 11/14/2014 02:08 PM, ethan at 757.org wrote:
>> 1. Authentication. This is done via a simple bind to the LDAP server
>> 2. Get user data. This is done as an LDAP query to the LDAP server
>> as the system LDAP user, not as the end user.
>> 3. Getting the roles for the user on the project. If you are
>> requesting a project-scoped token, this would fail if the user had no
>> roles on the project.
>
>
> Okay, I managed to get our Icehouse system authenticating via AD/LDAP
> by going to git, fetching whatever the latest version of the core.py
> of LDAP and throwing it over top of the one that we're running (which
> is from yum repo from RDO?)
>
> Now we're hitting a:
> RESP BODY: {"error": {"message": "User OpenStack Admin is unauthorized
> for tenant c559b2ddf24d4ebc820d91111111111", "code": 401, "title":
> "Unauthorized"}}
Using the Service token, add a role (probably "Admin") for the user
"OpenStack Admin" on the project with id c559b2ddf24d4ebc820d91111111111
and it should authorize.
>
> (note 111's to scrub data, not natural)
>
>
> Which may be a configuration issue on our side, or might be a result of
> throwing the latest core.py from LDAP on top of older baseline.
>
> Our keystone said it was 0.9.0 I believe.
>
> I got the core.py from here:
> https://github.com/openstack/keystone
>
> (Is that Juno release code?)
>
> The Icehouse system would bomb on the LDAP auth part after doing a
> long sequence of:
> ldap_get_values_len
> ldap_next_attribute
>
> whereas the working Havana system would follow that up with a new
> LDAP query (most likely going after groups or other attributes)
> whereas the non-working Icehouse I assume quits as password doesn't pass.
>
> I'm guessing (but am not sure) that the repeating calls are it
> comparing the password character by character or something? Not sure.
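The three stages listed in the thread, as an added example that is not part of the original messages and is not Keystone code. It shows why a correct password can still end in "unauthorized for tenant". The DN, password, user id, error wording for the bind and lookup stages, and the in-memory `DIRECTORY` and `ASSIGNMENTS` tables are constructed stand-ins for the LDAP server and Keystone's role assignments.

```python
# Constructed model of the three stages from the thread; not Keystone code.
import hmac

class AuthError(Exception):
    def __init__(self, stage, message):
        super().__init__(message)
        self.stage = stage  # which of the three stages rejected the request

# Constructed sample data standing in for the directory and the role table.
DIRECTORY = {
    "cn=OpenStack Admin,dc=example,dc=org":
        {"password": "s3cret", "name": "OpenStack Admin", "id": "u-1001"},
}
ASSIGNMENTS = {}  # (user_id, project_id) -> set of role names

def simple_bind(dn, password):
    """Stage 1: bind as the end user."""
    entry = DIRECTORY.get(dn)
    # An empty password must be refused before binding: many LDAP servers
    # treat it as an unauthenticated bind and report success.
    if entry is None or not password or not hmac.compare_digest(
            entry["password"].encode(), password.encode()):
        raise AuthError("bind", "bind rejected for %s" % dn)

def get_user(dn):
    """Stage 2: read the entry as the system LDAP user, not the end user."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        raise AuthError("lookup", "no entry for %s" % dn)
    return {"id": entry["id"], "name": entry["name"]}

def authenticate(dn, password, project_id=None):
    """Run the stages in order and return a dict describing the token."""
    simple_bind(dn, password)
    user = get_user(dn)
    if project_id is None:  # unscoped request: stage 3 is skipped
        return {"user": user["name"], "project": None, "roles": []}
    roles = ASSIGNMENTS.get((user["id"], project_id), set())  # Stage 3
    if not roles:
        raise AuthError("roles", "User %s is unauthorized for tenant %s"
                        % (user["name"], project_id))
    return {"user": user["name"], "project": project_id, "roles": sorted(roles)}

def failing_stage(dn, password, project_id=None):
    """Return the stage that rejected the request, or None on success."""
    try:
        authenticate(dn, password, project_id)
    except AuthError as exc:
        return exc.stage
    return None
```

A result of `"roles"` from `failing_stage` corresponds to the 401 quoted in the thread: the bind and the lookup succeeded, and only the role assignment on the project is missing.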