[Openstack] Keystone LDAP auth KeyError: 'options'

Gregory Orange gregory.orange at pawsey.org.au
Thu Apr 20 06:47:24 UTC 2017 

I should have said: This is on OpenStack Ocata, deployed with Fuel.

On 20/4/17 2:41 pm, Gregory Orange wrote:
> We have configured Keystone for LDAP authentication via the domain_specific_drivers_enabled setting and a file keystone.<domain>.conf, and by tcpdump and LDAP server logs it appears to be working to some degree. That is, if the wrong credentials are entered, the response says so. However with the correct credentials, we get:
> 
> "An error occurred authenticating. Please try again later."
> 
> I'm not sure which of the numerous log entries to post (especially with various debug options enabled), but this seems relevant:
> 
> 2017-04-20T06:00:09.845090+00:00 node-60 keystone-public: 2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi [req-12ca87a2-d790-4397-b703-7ff6ef11fcd1 - - - - -] 'options'
> 2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi Traceback (most recent call last):
> 2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 228, in __call__
> 2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi     result = method(req, **params)
> 2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
> 2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi     auth_context['user_id'], method_names_set):
> 2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
> 2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi     mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
> 2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi KeyError: 'options'
> 
> I haven't had much luck tracing through those Python files - I can't even see how they relate to each other which suggests they are using function calls from includes and I haven't traced that deeply.
> 
> Can anyone help shed light on this?

More information about the Openstack mailing list