[Openstack] Havana / LDAP(AD) / You are not authorized for any projects.

Michael Petersen mpetersen at mirantis.com
Tue Nov 18 23:00:12 UTC 2014


Ethan,

If you are going back and setting this up again you'll have to run the same
steps you would with a normal keystone configuration. You'll need to make
sure that you have applied the role Admin to the cloudadmin user. Then
you'll need to make sure it is associated with the correct tenant again.

When I set this up originally I was doing a recursive search for groups as
well so you'll need to look into that. I also had to make modifications to
openssl to allow TLS to work with LDAPS and import certs so you should test
this with ldap if you don't have the same configuration.

Did you actually save the keystone.conf with the original search strings
and configuration? It took me a little while to get it to the correct state
for Havana.

Regards,

Michael Petersen



On Tue, Nov 18, 2014 at 2:37 PM, <ethan at 757.org> wrote:

> After difficulty and downtime spent with Icehouse we rolled back to Havana
> as we had a once-working config that was integrated with our Active
> Directory server.
>
> Everything was rebuilt, and things work fine with the exception of LDAP,
> again.
>
> I'm fairly confident the system is passing the username/password
> validation part, but fails with a "You are not authorized for any projects."
>
> I've read pretty much every page on the internet related to LDAP and
> OpenStack over the past week, and do know there are notes about this error
> on the earlier Grizzly version but they were corrected by the time Havana
> was deployed here.
>
> When a valid account is supplied, the Web front end replies with a "You
> are not authorized for any projects."
>
> In the database tables, the user is assigned to the admin project. The
> admin project user_project_metadata table has two user IDs assigned to it
> including the account I'm trying to use.
>
> On the LDAP side there are accounts for all of the services, but I am not
> sure if the tokens are making it through.
>
> The setup has the ldap driver enabled for identity and sql driver enabled
> for Assignment and Catalog.
>
>
> Any help is greatly appreciated. My coworkers went to the Red Hat OpenStack
> courses and such but I don't believe the LDAP stuff was covered and this
> seems more like a bug. I really wish I had saved a copy of the LDAP core.py
> module from the working install so I could narrow down when in time the
> code was from :-(
>
> The logging in Icehouse is of course improved over Havana:
>
>
> 2014-11-18 22:15:40.573 17771 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 10.100.x.x
> 2014-11-18 22:16:06.848 17771 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 10.100.x.x
> 2014-11-18 22:18:21.515 17771 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 10.100.x.x
> 2014-11-18 22:18:32.477 17771 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 10.100.x.x
>
>



-- 
Michael Petersen
OpenStack Operations Engineer
Mirantis, Inc.
(650) 963-9828 x1041