[Openstack] (keystone/horizon) ActiveDirectory/ldap for users/groups

Sean.Boran at swisscom.com
Tue Aug 2 16:20:46 UTC 2016


Hi,

So I logged in as admin/default, then switched to the ldap domain (horizon/identity/domains/) and added a role.
Next I tried to add a user to that role (/horizon/identity/users), but got “Unable to retrieve user list”.

In /var/log/user.log I see

LDAP bind: who=cn=bind-user,dc=example,dc=net
<14>Aug  2 16:12:45 node-16 admin: 2016-08-02 16:12:45.473 5366 INFO keystone.common.ldap.core [req-a18130f2-58e4-43e3-8cb2-aed4c112334b 8ce0f5b503914e08a8e4f24a1ebf83f8 7166483dcbc64ef79390795b9c425be5 - default default] LDAP search: base=dc=example,dc=net scope=2 filterstr=(&(objectClass=person)(cn=*)) attrs=['cn', 'userPassword', 'userAccountControl', 'sAMAccountName', 'mail', 'description'] attrsonly=0

2016-08-02 16:12:45.473 5366 INFO keystone.common.ldap.core [req-a18130f2-58e4-43e3-8cb2-aed4c112334b 8ce0f5b503914e08a8e4f24a1ebf83f8 7166483dcbc64ef79390795b9c425be5 - default default] LDAP search: base=dc=example,dc=net scope=2 filterstr=(&(objectClass=person)(cn=*)) attrs=['cn', 'userPassword', 'userAccountControl', 'sAMAccountName', 'mail', 'description'] attrsonly=0

If the ldap query “(&(objectClass=person)(cn=*))” is run through the CLI ldapsearch, it does return a long list of thousands of users.

Ah, just noticed /var/log/keystone/admin.log

2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi     result = func(*args,**kwargs)
2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi SIZELIMIT_EXCEEDED: {'desc': 'Size limit exceeded'}

I wonder if there is a way for the UI to only fetch the first 100 users, or not to fetch any list, but just one by one?

Thanks,

Sean



On 02/08/16 17:46, "Alexander Makarov" <amakarov at mirantis.com> wrote:

Sean,

the problem may be in the following: in the Mitaka release keystone requires 
the user to have a role in the domain it is getting authorized in. We ran into 
the problem when Horizon tried to authorize the user in the Default domain and got 
the same error.


On 02.08.2016 16:25, Sean.Boran at swisscom.com wrote:
> Hi,
>
> I’m having a bit of fun trying to use AD for identifying and authorising users on Openstack.
> The idea is to use AD for read-only access to users/group definitions, but all authorisation data to be stored in SQL.
>
> What works: Users can be authenticated (LDAP bind works, verification of the user), but not yet authorised – one gets "You are not authorized for any projects or domains" after authentication (integration of groups).
> On the command line with ldapsearch, users and groups can be listed (so the attributes configured should be ok?)
>
> Problems when testing with horizon:
> - Login via ldap fails on authorization
> - If logged in as admin in the default (sql) domain, the LDAP domain can be viewed at /horizon/identity/domains/ but users and groups cannot be managed “Unable to retrieve group list”, “Unable to retrieve user list”
> This may also be since the AD contains about 20’000 users (too much data for the user/group management screen)
>
> The /etc/keystone/domains/keystone.example.com is as follows.
>
> [ldap]
> user_enabled_attribute=userAccountControl
> query_scope=sub
> user_filter=
> group_allow_delete=False
> page_size=0
> use_tls=False
> password=NOT_HERE
> user_allow_update=False
> user_id_attribute=cn
> user_enabled_mask=2
> suffix= dc=example,dc=com
> user_enabled_default=512
> group_allow_update=False
> user_name_attribute=sAMAccountName
> chase_referrals=False
> group_allow_create=False
> user_allow_delete=False
>
> group_name_attribute=cn
> group_filter=
> group_member_attribute=member
> group_tree_dn=dc=example,dc=com
> group_objectclass = group
> group_desc_attribute=
> group_id_attribute=
>
> user_pass_attribute=userPassword
> user=cn=my-service-user
> user_allow_create=False
> user_tree_dn=dc=example,dc=com
> url=ldap://ldap.example.com
> user_objectclass=person
>
> [identity]
> driver=keystone.identity.backends.ldap.Identity
>
> Debugging for ldap was enabled to see the ldap binds/queries being sent out.
>
> Versions:
> keystone --version shows 2.3
> Mitaka (with initial install done by Fuel).
>
> Resources consulted so far:
> http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
> http://docs.openstack.org/admin-guide/keystone_integrate_with_ldap.html
> Book: openstack production recipes.
> Also: https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow but got confused there.
>
> Questions:
> - Are there any good resources out there for AD integration? E.g. How user/group/roles work within an ldap context?
> - Or tips on the above?
> - How can one assign users from LDAP to the _members_ or admin groups to get started?
>
> Thanks in advance,
>
> Sean
>

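As an added illustration (not part of the thread, and not from the keystone project): a revised version of the quoted [ldap] section that addresses the SIZELIMIT_EXCEEDED error shown in admin.log. It turns on LDAP paged results with a non-zero page_size and narrows user_filter/group_filter so keystone and Horizon only enumerate accounts intended for OpenStack; the OU names and the openstack-users group DN are hypothetical placeholders.

```ini
# Example keystone domain config (/etc/keystone/domains/keystone.example.com),
# revised from the one quoted in the thread. The OUs and the
# cn=openstack-users group are hypothetical; adjust to your directory.
[ldap]
url=ldap://ldap.example.com
# Kept from the original; in production prefer ldaps:// or use_tls=True so
# the bind password does not cross the network in clear.
use_tls=False
user=cn=my-service-user
password=NOT_HERE
suffix=dc=example,dc=com
query_scope=sub
chase_referrals=False

# page_size=0 (the original value) disables paging, so keystone asks AD for
# all ~20'000 person objects in a single search and AD refuses with
# "Size limit exceeded" (its default MaxPageSize is 1000). A non-zero value
# makes keystone use the simple paged-results control and fetch page by page.
page_size=1000

# Users: scope the search base to one OU and only enumerate members of a
# dedicated AD group instead of every objectClass=person in the domain.
user_tree_dn=ou=Users,dc=example,dc=com
user_objectclass=person
user_filter=(memberOf=cn=openstack-users,ou=Groups,dc=example,dc=com)
user_id_attribute=cn
user_name_attribute=sAMAccountName
user_mail_attribute=mail
user_pass_attribute=userPassword
user_enabled_attribute=userAccountControl
user_enabled_mask=2
user_enabled_default=512
user_allow_create=False
user_allow_update=False
user_allow_delete=False

# Groups: same idea, a dedicated OU plus a name-prefix filter, and an
# explicit id attribute (the original left group_id_attribute empty).
group_tree_dn=ou=Groups,dc=example,dc=com
group_objectclass=group
group_filter=(cn=openstack-*)
group_id_attribute=cn
group_name_attribute=cn
group_member_attribute=member
group_allow_create=False
group_allow_update=False
group_allow_delete=False

[identity]
driver=keystone.identity.backends.ldap.Identity
```

Restart keystone after editing the domain config; the Horizon user and group lists then only show the filtered subset, and the LDAP searches logged in user.log carry the narrower filterstr.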



