** Changed in: keystone/icehouse
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1281216
Title:
Keystone Havana Authentication Error using samAccountName in Active
Directory
Status in OpenStack Identity (Keystone):
Fix Committed
Status in Keystone icehouse series:
Fix Released
Bug description:
When using Active Directory as the LDAP backend for Keystone, if I use
the cn attribute for user_id_attribute and user_name_attribute,
authentication works fine. However, if I try to use samAccountName,
authentication fails. For example, keystone user-list returns the
following error:
Authorization Failed: An unexpected error prevented the server from
fulfilling your request. 'name' (HTTP 500)
and the login screen in Horizon shows: An error occurred
authenticating. Please try again later.
Also, the following trace is shown in the keystone.log:
2014-02-17 06:48:37.472 8207 ERROR keystone.common.wsgi [-] 'name'
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi Traceback (most
recent call last):
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in
__call__
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi result =
method(context, **params)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 127, in
authenticate
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi auth_token_data,
roles_ref=roles_ref, catalog_ref=catalog_ref)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 44, in
_wrapper
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi return f(*args,
**kw)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/token/providers/uuid.py", line 362,
in issue_v2_token
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi token_ref,
roles_ref, catalog_ref)
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi File
"/usr/lib/python2.7/dist-packages/keystone/token/providers/uuid.py", line 57,
in format_token
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi 'name':
user_ref['name'],
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi KeyError: 'name'
2014-02-17 06:48:37.472 8207 TRACE keystone.common.wsgi
2014-02-17 06:48:37.474 8207 INFO access [-] 192.168.1.128 - -
[17/Feb/2014:11:48:37 +0000] "POST http://192.168.1.128:35357/v2.0/tokens
HTTP/1.0" 500 150
It appears that the user_ref has no 'name' property when I try to use
samAccountName. This seems to have worked in Grizzly but does not
work in Havana. Below are the applicable lines from the
keystone.conf:
[ldap]
query_scope = sub
url = LDAP://192.168.1.253
user = CN=ldapuser,CN=Users,DC=mydomain,DC=net
password = ldapuserpassword
suffix = DC=mydomain,DC=net
use_dumb_member = True
dumb_member = CN=ldapuser,CN=Users,DC=mydomain,DC=net
user_tree_dn = CN=Users,DC=mydomain,DC=net
user_objectclass = organizationalPerson
user_id_attribute = samAccountName
user_name_attribute = samAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_tree_dn = OU=Projects,OU=OpenStack,DC=mydomain,DC=net
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore = description,businessCategory,extensionName
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
role_tree_dn = OU=Roles,OU=OpenStack,DC=mydomain,DC=net
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True
Again, if I change the user_id_attribute and the user_name_attribute
to cn then everything works fine. Please advise. Thanks!
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1281216/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
