[Openstack] Issue with multi domains and LDAP backend

Chris Card ctcard at hotmail.com
Tue Feb 24 15:09:07 UTC 2015


I have keystone set up with domain-specific configuration, with one domain (testdomain1) using LDAP as the identity backend, while the default domain is using the SQL backend.

The "openstack user list --domain testdomain1" command works ok, and shows the users from the LDAP backend:

# openstack user list --domain testdomain1
+------------------------------------------------------------------+-------+
| ID                                                               | Name  |
+------------------------------------------------------------------+-------+
| 94de8c8a8be4840cc7e69df0d561f6691a68411a904c978b7359a3bd737ab836 | ccard |
+------------------------------------------------------------------+-------+


I have also created a project (testproject1) in the testdomain1 domain ok:

# openstack project show testproject1     
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | bab626f8e76e44d4b85036425341eea4 |
| enabled     | True                             |
| id          | 890a5adb3df84a1584442b4685d57270 |
| name        | testproject1                     |
+-------------+----------------------------------+

# openstack domain show testdomain1  
+---------+----------------------------------+
| Field   | Value                            |
+---------+----------------------------------+
| enabled | True                             |
| id      | bab626f8e76e44d4b85036425341eea4 |
| name    | testdomain1                      |
+---------+----------------------------------+




But if I try to do "openstack role add --project testproject1 --user ccard _member_" I get the error message "ERROR: openstack The request you have made requires authentication. (HTTP 401)" and in /etc/keystone/keystone.log I see:

2015-02-24 15:05:11.534 32138 WARNING keystone.common.wsgi [-] Could not find role: _member_
2015-02-24 15:05:11.584 32138 WARNING keystone.common.wsgi [-] Could not find user: ccard
2015-02-24 15:05:11.604 32138 WARNING keystone.common.controller [-] No domain information specified as part of list request
2015-02-24 15:05:11.605 32138 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from *********
2015-02-24 15:05:11.802 32138 WARNING keystone.common.controller [-] No domain information specified as part of list request
2015-02-24 15:05:11.802 32138 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from *********


(I am running Juno, on CentOS 7)

Any ideas?

Chris


