[Rdo-list] ldap/AD Integration on RDO - Icehouse

Erimer, Tarkan tarkan.erimer at f-secure.com
Wed Jun 18 11:15:45 UTC 2014


Hi,

I was trying to integrate our test RDO - Icehouse openstack environment
into the AD (Active Directory) in order to pilot user management through
the AD. I've read the official documentation regarding the topic:

http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html
https://wiki.openstack.org/wiki/HowtoIntegrateKeystonewithAD#Configuration_on_Keystone
http://openstack.redhat.com/Keystone_integration_with_IDM

All the above docs explain only the keystone part, but there is no
doc on how exactly the AD side should be configured. Even searching on
Google didn't return anything useful.
Anyway, I've managed to get to a point where I have the following error
in keystone.log:

2014-06-18 10:52:55.096 1706 INFO eventlet.wsgi.server [-] (1706) wsgi
starting up on http://0.0.0.0:35357/
2014-06-18 10:52:55.096 1706 INFO eventlet.wsgi.server [-] (1706) wsgi
starting up on http://0.0.0.0:5000/
2014-06-18 10:56:35.024 1706 DEBUG keystone.middleware.core [-] Auth
token not in the request header. Will not build auth context.
process_request /usr/lib/python2.6/site-packages/keystone/middleware/core.py:271
2014-06-18 10:56:35.063 1706 DEBUG keystone.common.wsgi [-] arg_dict: {}
__call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
2014-06-18 10:56:35.065 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.066 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.069 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.076 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(sAMAccountName=nova)(objectClass=Person)),
attrs=['userPassword', 'userAccountControl', 'sAMAccountName', 'mail']
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.079 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.081 1706 DEBUG keystone.notifications [-] CADF
Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event',
'initiator': {'typeURI': 'service/security/account/user', 'host':
{'agent': 'python-requests/1.1.0 CPython/2.6.6
Linux/2.6.32-431.17.1.el6.x86_64', 'address': '1.x.x.x'}, 'id':
'openstack:3b761d61-1f9c-463c-adc4-cf83a8873aaa', 'name': 'nova'},
'target': {'typeURI': 'service/security/account/user', 'id':
'openstack:b588a4a4-4537-4a3c-a56e-68d7518bbf69'}, 'observer':
{'typeURI': 'service/security', 'id':
'openstack:35c9ba06-17b0-482f-b86a-c7407b698fe2'}, 'eventType':
'activity', 'eventTime': '2014-06-18T10:56:35.080881+0000', 'action':
'authenticate', 'outcome': 'pending', 'id':
'openstack:d4b86103-3dc9-4577-a9c4-74fc2cc4152c'}
_send_audit_notification /usr/lib/python2.6/site-packages/keystone/notifications.py:289
2014-06-18 10:56:35.136 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('qpid =
oslo.messaging._drivers.impl_qpid:QpidDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.136 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('zmq =
oslo.messaging._drivers.impl_zmq:ZmqDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.136 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('kombu =
oslo.messaging._drivers.impl_rabbit:RabbitDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.137 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('rabbit =
oslo.messaging._drivers.impl_rabbit:RabbitDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.194 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('fake =
oslo.messaging._drivers.impl_fake:FakeDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.195 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('log =
oslo.messaging.notify._impl_log:LogDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.195 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('messagingv2 =
oslo.messaging.notify._impl_messaging:MessagingV2Driver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.195 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('noop =
oslo.messaging.notify._impl_noop:NoOpDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.196 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('routing =
oslo.messaging.notify._impl_routing:RoutingDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.196 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('test =
oslo.messaging.notify._impl_test:TestDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.196 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('messaging =
oslo.messaging.notify._impl_messaging:MessagingDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.196 1706 DEBUG stevedore.extension [-] found
extension
EntryPoint.parse('cinder.openstack.common.notifier.no_op_notifier =
oslo.messaging.notify._impl_noop:NoOpDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.196 1706 DEBUG stevedore.extension [-] found
extension
EntryPoint.parse('cinder.openstack.common.notifier.log_notifier =
oslo.messaging.notify._impl_log:LogDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found
extension
EntryPoint.parse('cinder.openstack.common.notifier.test_notifier =
oslo.messaging.notify._impl_test:TestDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found
extension
EntryPoint.parse('cinder.openstack.common.notifier.rpc_notifier2 =
oslo.messaging.notify._impl_messaging:MessagingV2Driver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found
extension
EntryPoint.parse('cinder.openstack.common.notifier.rpc_notifier =
oslo.messaging.notify._impl_messaging:MessagingDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found
extension
EntryPoint.parse('nova.openstack.common.notifier.no_op_notifier =
oslo.messaging.notify._impl_noop:NoOpDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('nova.openstack.common.notifier.test_notifier
= oslo.messaging.notify._impl_test:TestDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.197 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('nova.openstack.common.notifier.rpc_notifier
= oslo.messaging.notify._impl_messaging:MessagingDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.198 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('nova.openstack.common.notifier.log_notifier
= oslo.messaging.notify._impl_log:LogDriver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.198 1706 DEBUG stevedore.extension [-] found
extension EntryPoint.parse('nova.openstack.common.notifier.rpc_notifier2
= oslo.messaging.notify._impl_messaging:MessagingV2Driver')
_load_plugins /usr/lib/python2.6/site-packages/stevedore/extension.py:156
2014-06-18 10:56:35.199 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.200 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.200 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.205 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(cn=nova)(objectClass=Person)), attrs=['mail', 'userPassword',
'userAccountControl', 'sAMAccountName']
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.207 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.208 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.209 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.210 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.215 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(cn=nova)(objectclass=Person)), attrs=None
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.218 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.218 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.219 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.220 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind:
dn=CN=nova,OU=services,OU=Projects,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.224 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.226 1706 DEBUG keystone.notifications [-] CADF
Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event',
'initiator': {'typeURI': 'service/security/account/user', 'host':
{'agent': 'python-requests/1.1.0 CPython/2.6.6
Linux/2.6.32-431.17.1.el6.x86_64', 'address': '1.x.x.x'}, 'id':
'openstack:3b761d61-1f9c-463c-adc4-cf83a8873aaa', 'name': 'nova'},
'target': {'typeURI': 'service/security/account/user', 'id':
'openstack:12c5c400-0a51-4477-baf4-b95c91ba60ad'}, 'observer':
{'typeURI': 'service/security', 'id':
'openstack:d12b322f-9c1a-493f-ac0d-6727d37cff39'}, 'eventType':
'activity', 'eventTime': '2014-06-18T10:56:35.225896+0000', 'action':
'authenticate', 'outcome': 'success', 'id':
'openstack:aa435cf2-6fd2-4cce-a40e-53753cab55bf'}
_send_audit_notification /usr/lib/python2.6/site-packages/keystone/notifications.py:289
2014-06-18 10:56:35.227 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.228 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.229 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.234 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(ou=services)(objectClass=organizationalUnit)),
attrs=['description', 'extensionName', 'businessCategory', 'ou']
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.237 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.237 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.238 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.238 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.243 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(ou=services)(objectClass=organizationalUnit)), attrs=['ou',
'description', 'businessCategory', 'extensionName']
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.246 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.246 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.247 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.247 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.251 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(ou=services)(objectClass=organizationalUnit)), attrs=['ou',
'description', 'businessCategory', 'extensionName']
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.254 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.254 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.255 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.256 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.261 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(ou=services)(objectClass=organizationalUnit)), attrs=['ou',
'description', 'businessCategory', 'extensionName']
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.263 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.264 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.265 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.266 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.270 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(ou=services)(objectclass=organizationalUnit)), attrs=None
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.273 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.273 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.274 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.274 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.278 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=services,OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local,
scope=1, query=(objectClass=organizationalRole), attrs=None
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.281 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.282 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.283 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.284 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.289 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(cn=nova)(objectClass=Person)), attrs=['mail', 'userPassword',
'userAccountControl', 'sAMAccountName']
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.291 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.292 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.292 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.293 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.297 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(cn=nova)(objectclass=Person)), attrs=None
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.300 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.300 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.302 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.303 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:35.307 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=ou=UserGroups,dc=test,dc=local, scope=2,
query=(&(&(objectClass=groupOfNames)(member=CN=nova,OU=services,OU=Projects,OU=iaas,OU=Other,DC=test,DC=local))(objectClass=groupOfNames)), attrs=['description', 'ou'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:35.310 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:35.336 1706 DEBUG
keystone.openstack.common.db.sqlalchemy.session [-] MySQL server mode
set to
STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER _mysql_check_effective_sql_mode /usr/lib/python2.6/site-packages/keystone/openstack/common/db/sqlalchemy/session.py:562
2014-06-18 10:56:35.384 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.385 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
tls_cacertfile=None
tls_cacertdir=None
tls_req_cert=2
tls_avail=1
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.386 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind: dn=CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:36.391 1706 DEBUG keystone.common.ldap.core [-] LDAP
search: dn=OU=Roles,OU=iaas,OU=Other,DC=test,DC=local, scope=2,
query=(&(cn=services)(objectClass=organizationalRole)), attrs=['cn']
search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:592
2014-06-18 10:56:36.393 1706 DEBUG keystone.common.ldap.core [-] LDAP
unbind
unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:565
2014-06-18 10:56:36.471 1706 INFO eventlet.wsgi.server [-] 1.x.x.x - -
[18/Jun/2014 10:56:36] "POST /v2.0/tokens HTTP/1.1" 200 8938 1.447416
2014-06-18 10:56:36.520 1706 DEBUG keystone.middleware.core [-] RBAC:
auth_context: {'project_id': u'services', 'user_id': u'nova', 'roles':
[u'services']}
process_request /usr/lib/python2.6/site-packages/keystone/middleware/core.py:281
2014-06-18 10:56:36.523 1706 DEBUG keystone.common.wsgi [-] arg_dict:
{'token_id': u'4dd244aee826e0ea0f1a27e7a9d42885'}
__call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
2014-06-18 10:56:36.525 1706 DEBUG keystone.common.controller [-] RBAC:
Authorizing
identity:validate_token(token_id=4dd244aee826e0ea0f1a27e7a9d42885)
_build_policy_check_credentials /usr/lib/python2.6/site-packages/keystone/common/controller.py:54
2014-06-18 10:56:36.526 1706 DEBUG keystone.common.controller [-] RBAC:
using auth context from the request environment
_build_policy_check_credentials /usr/lib/python2.6/site-packages/keystone/common/controller.py:59
2014-06-18 10:56:36.527 1706 DEBUG keystone.policy.backends.rules [-]
enforce identity:validate_token: {'project_id': u'services', 'user_id':
u'nova', 'roles': [u'services']}
enforce /usr/lib/python2.6/site-packages/keystone/policy/backends/rules.py:101
2014-06-18 10:56:36.536 1706 DEBUG keystone.openstack.common.policy [-]
Rule identity:validate_token will be now enforced
enforce /usr/lib/python2.6/site-packages/keystone/openstack/common/policy.py:258
2014-06-18 10:56:36.537 1706 DEBUG keystone.openstack.common.fileutils
[-] Reloading cached file /etc/keystone/policy.json
read_cached_file /usr/lib/python2.6/site-packages/keystone/openstack/common/fileutils.py:63
2014-06-18 10:56:36.545 1706 DEBUG keystone.openstack.common.policy [-]
Rules successfully reloaded
load_rules /usr/lib/python2.6/site-packages/keystone/openstack/common/policy.py:212
2014-06-18 10:56:36.546 1706 WARNING keystone.common.wsgi [-] You are
not authorized to perform the requested action, identity:validate_token.
2014-06-18 10:56:36.548 1706 INFO eventlet.wsgi.server [-] 1.x.x.x - -
[18/Jun/2014 10:56:36]
"GET /v2.0/tokens/4dd244aee826e0ea0f1a27e7a9d42885 HTTP/1.1" 403 277
0.037631
2014-06-18 10:56:36.560 1706 DEBUG keystone.middleware.core [-] RBAC:
auth_context: {'project_id': u'services', 'user_id': u'nova', 'roles':
[u'services']}
process_request /usr/lib/python2.6/site-packages/keystone/middleware/core.py:281
2014-06-18 10:56:36.563 1706 DEBUG keystone.common.wsgi [-] arg_dict:
{'token_id': u'4dd244aee826e0ea0f1a27e7a9d42885'}
__call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
2014-06-18 10:56:36.563 1706 DEBUG keystone.common.controller [-] RBAC:
Authorizing
identity:validate_token(token_id=4dd244aee826e0ea0f1a27e7a9d42885)
_build_policy_check_credentials /usr/lib/python2.6/site-packages/keystone/common/controller.py:54
2014-06-18 10:56:36.564 1706 DEBUG keystone.common.controller [-] RBAC:
using auth context from the request environment
_build_policy_check_credentials /usr/lib/python2.6/site-packages/keystone/common/controller.py:59
2014-06-18 10:56:36.564 1706 DEBUG keystone.policy.backends.rules [-]
enforce identity:validate_token: {'project_id': u'services', 'user_id':
u'nova', 'roles': [u'services']}
enforce /usr/lib/python2.6/site-packages/keystone/policy/backends/rules.py:101
2014-06-18 10:56:36.565 1706 DEBUG keystone.openstack.common.policy [-]
Rule identity:validate_token will be now enforced
enforce /usr/lib/python2.6/site-packages/keystone/openstack/common/policy.py:258
2014-06-18 10:56:36.565 1706 WARNING keystone.common.wsgi [-] You are
not authorized to perform the requested action, identity:validate_token.
2014-06-18 10:56:36.566 1706 INFO eventlet.wsgi.server [-] 1.x.x.x - -
[18/Jun/2014 10:56:36]
"GET /v2.0/tokens/4dd244aee826e0ea0f1a27e7a9d42885 HTTP/1.1" 403 277
0.014182

Thus, it is not letting me in on the WebUI.

My keystone.conf LDAP configuration is:

[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
query_scope = sub
url = ldap://1.x.x.x
user = CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local
password = XXXXX
suffix = dc=test,dc=local
use_dumb_member = True
dumb_member = CN=openstack-user,OU=iaas,OU=Other,DC=test,DC=local

user_tree_dn = OU=iaas,OU=Other,DC=test,DC=local
#user_objectclass = organizationalPerson
user_objectclass = Person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = True
user_allow_update = True
user_allow_delete = True

tenant_tree_dn = OU=Tenants,OU=iaas,OU=Other,DC=test,DC=local
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore = description,businessCategory,extensionName
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = OU=Roles,OU=iaas,OU=Other,DC=test,DC=local
#role_tree_dn = CN=admin,OU=Services,OU=Roles,OU=iaas,OU=Other,DC=test,DC=local
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True


Any pointers ?


Tarkan
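
The 403 in the log above, traced with a short script (an added example, not part of the original post and not Keystone code): it re-joins the wrapped records, pairs each "not authorized" warning with the preceding auth_context, and lists DNs that did a simple bind over ldap:// with use_tls=False. ASSUMED_POLICY and all function names are assumptions; the rules actually enforced are the ones in /etc/keystone/policy.json on the host.

```python
import ast
import re

# Sample records condensed from the keystone.log excerpt above (same wrapping).
SAMPLE_LOG = """\
2014-06-18 10:56:35.218 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: url=ldap://1.x.x.x
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:491
2014-06-18 10:56:35.219 1706 DEBUG keystone.common.ldap.core [-] LDAP
init: use_tls=False
__init__ /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:501
2014-06-18 10:56:35.220 1706 DEBUG keystone.common.ldap.core [-] LDAP
bind:
dn=CN=nova,OU=services,OU=Projects,OU=iaas,OU=Other,DC=test,DC=local
simple_bind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:561
2014-06-18 10:56:36.520 1706 DEBUG keystone.middleware.core [-] RBAC:
auth_context: {'project_id': u'services', 'user_id': u'nova', 'roles':
[u'services']}
process_request /usr/lib/python2.6/site-packages/keystone/middleware/core.py:281
2014-06-18 10:56:36.546 1706 WARNING keystone.common.wsgi [-] You are
not authorized to perform the requested action, identity:validate_token.
"""

RECORD_START = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \d+ ([A-Z]+)")

# Assumption: stand-in for the rules in /etc/keystone/policy.json on the host.
ASSUMED_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:validate_token": "rule:admin_required",
}

def records(text):
    """Re-join mail-wrapped lines into [level, message] records."""
    out = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            out.append([m.group(1), line[m.end():].strip()])
        elif out and line.strip():
            out[-1][1] += " " + line.strip()
    return out

def allowed(rule, ctx, policy):
    """Evaluate an 'or'-only rule made of role:, rule: and is_admin: checks."""
    roles = [r.lower() for r in ctx.get("roles", [])]
    for check in policy[rule].split(" or "):
        kind, _, value = check.strip().partition(":")
        if kind == "role" and value.lower() in roles:
            return True
        if kind == "rule" and allowed(value, ctx, policy):
            return True
        if kind == "is_admin" and value == "1" and ctx.get("is_admin"):
            return True
    return False

def analyse(text, policy=ASSUMED_POLICY):
    """Return (DNs bound without TLS, RBAC denials with their auth context)."""
    url = use_tls = ctx = None
    cleartext_binds, denials = [], []
    for level, msg in records(text):
        if m := re.search(r"LDAP init: url=(\S+)", msg):
            url = m.group(1)
        elif m := re.search(r"LDAP init: use_tls=(\w+)", msg):
            use_tls = m.group(1) == "True"
        elif m := re.search(r"LDAP bind: dn=(.+?) simple_bind_s", msg):
            # Simple bind over ldap:// without StartTLS sends the password in clear.
            if url and url.startswith("ldap://") and not use_tls:
                if m.group(1) not in cleartext_binds:
                    cleartext_binds.append(m.group(1))
        elif m := re.search(r"RBAC: auth_context: (\{.*?\})", msg):
            ctx = ast.literal_eval(m.group(1))  # Python 2 repr; u'' parses fine
        elif level == "WARNING" and (m := re.search(r"requested action, ([\w:]+)", msg)):
            action = m.group(1)
            denials.append({
                "action": action,
                "user_id": (ctx or {}).get("user_id"),
                "roles": (ctx or {}).get("roles", []),
                "policy_allows": action in policy and allowed(action, ctx or {}, policy),
            })
    return cleartext_binds, denials

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Under the assumed rule, the token for nova carries only the role services, so identity:validate_token is refused; the same run also shows that the nova password crossed the wire in a simple bind without TLS.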




