OpenStack-Ansible

python-ldap is missing from the keystone containers

Bug #1497669 reported by Kevin Carter on 2015-09-20

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
OpenStack-Ansible	Fix Released	High	Kevin Carter	OpenStack-Ansible 12.0.0
Juno	Fix Released	High	Christopher H. Laco	OpenStack-Ansible 10.1.15
Kilo	Fix Released	High	Kevin Carter	OpenStack-Ansible 11.2.3
Trunk	Fix Released	High	Kevin Carter	OpenStack-Ansible 12.0.0

Bug Description

the pip package python-ldap is missing from the keystone containers which makes running keystone using ldap in impossible. While we can certainly install this package by hand the package should be added to the default pip package list.

Without this package present keystone starts up with the following error:

2015-09-20 03:27:02.064 2184 ERROR keystone.common.wsgi [-] No module named ldap
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi result = method(context, **params)
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/token/controllers.py", line 101, in authenticate
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi context, auth)
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/token/controllers.py", line 293, in _authenticate_local
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi username, CONF.identity.default_domain_id)
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 341, in wrapper
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi self.driver, self.resource_api)
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 242, in setup_domain_drivers
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi resource_api)
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 172, in _setup_domain_drivers_from_files
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi -len(DOMAIN_CONF_FTAIL)])
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 136, in _load_config_from_file
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi domain_config['driver'] = self._load_driver(domain_config)
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 94, in _load_driver
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi domain_config['cfg'].identity.driver, domain_config['cfg'])
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/oslo_utils/importutils.py", line 38, in import_object
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi return import_class(import_str)(*args, **kwargs)
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/oslo_utils/importutils.py", line 27, in import_class
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi __import__(mod_str)
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 17, in <module>
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi import ldap
2015-09-20 03:27:02.064 2184 TRACE keystone.common.wsgi ImportError: No module named ldap

Fix:
pip install python-ldap

Effects:
* kilo
* master

Revision history for this message

Kevin Carter (kevin-carter) wrote on 2015-09-20:

Download full text (6.7 KiB)

To add to this issue, once the package `python-ldap` is installed keystone throws the following error:

To add to this issue, once the package `python-ldap` is installed keystone throws the following error:

==> /openstack/log/aio1_keystone_container-0465f2ad/keystone.log <==
2015-09-20 03:37:01.427 3155 ERROR keystone.common.wsgi [-] {'desc': "Can't contact LDAP server"}
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 238, in __call__
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     result = method(context, **params)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/token/controllers.py", line 101, in authenticate
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     context, auth)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/token/controllers.py", line 293, in _authenticate_local
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     username, CONF.identity.default_domain_id)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 342, in wrapper
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 353, in wrapper
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1040, in decorate
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     should_cache_fn)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 651, in get_or_create
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     async_creator) as value:
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 158, in __enter__
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     return self._enter()
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 98, in _enter
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     generated = self._enter_create(createdtime)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 149, in _enter_create
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     created = self.creator()
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 619, in gen_value
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     created_value = creator()
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1036, in creator
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     return fn(*arg, **kw)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 773, in get_user_by_name
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     ref = driver.get_user_by_name(user_name, domain_id)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 87, in get_user_by_name
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     return self.user.filter_attributes(self.user.get_by_name(user_name))
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1497, in get_by_name
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     res = self.get_all(query)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1869, in get_all
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     return super(EnabledEmuMixIn, self).get_all(ldap_filter)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1505, in get_all
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     for x in self._ldap_get_all(ldap_filter)]
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1467, in _ldap_get_all
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     attrs)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 944, in search_s
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     attrlist_utf8, attrsonly)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 541, in search_s
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     attrlist, attrsonly)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 591, in search_s
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 584, in search_ext_s
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 580, in search_ext
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     timeout,sizelimit,
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi     result = func(*args,**kwargs)
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi SERVER_DOWN: {'desc': "Can't contact LDAP server"}
2015-09-20 03:37:01.427 3155 TRACE keystone.common.wsgi

This is because the variable is defined in the default secrets file. To fix this additional stack trace the condition to load the ldap domains files from the keysotne.conf template should be updated to check that the variable is defined and that the loaded ldap dictionary has value.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-20: Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/225469

Changed in openstack-ansible:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-22: Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/225469
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=f32def0216b042aa31f4736e9e863cf2332dfbe7
Submitter: Jenkins
Branch: master

commit f32def0216b042aa31f4736e9e863cf2332dfbe7
Author: Kevin Carter <email address hidden>
Date: Sun Sep 20 00:02:46 2015 -0500

Fix for keystone LDAP pkg missing

    This change adds the python-ldap package to keystone by default and
    improves the conditional by which the ldap domain specific config
    drivers are loaded.

Change-Id: Idf85bb109654cbb46755928504d6a19c090a7514
Closes-bug: 1497669

Changed in openstack-ansible:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-23: Fix proposed to openstack-ansible (juno)

Fix proposed to branch: juno
Review: https://review.openstack.org/226750

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-23: Fix merged to openstack-ansible (juno)

Reviewed: https://review.openstack.org/226750
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=ecd5491d6b4170703451b5d1c66ee56c5e912b4a
Submitter: Jenkins
Branch: juno

commit ecd5491d6b4170703451b5d1c66ee56c5e912b4a
Author: Kevin Carter <email address hidden>
Date: Sun Sep 20 00:02:46 2015 -0500

Fix for keystone LDAP pkg missing

    This change adds the python-ldap package to keystone by default and
    improves the conditional by which the ldap domain specific config
    drivers are loaded.

    Conflicts:
      playbooks/roles/os_keystone/defaults/main.yml
      playbooks/roles/os_keystone/templates/keystone.conf.j2

    Change-Id: Idf85bb109654cbb46755928504d6a19c090a7514
    Closes-bug: 1497669
    (cherry picked from commit f32def0216b042aa31f4736e9e863cf2332dfbe7)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-25: Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/226740
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=64324c15b65c60fe2338b8c5e9c20b51662c7610
Submitter: Jenkins
Branch: kilo

commit 64324c15b65c60fe2338b8c5e9c20b51662c7610
Author: Kevin Carter <email address hidden>
Date: Sun Sep 20 00:02:46 2015 -0500

Fix for keystone LDAP pkg missing

    This change adds the python-ldap package to keystone by default and
    improves the conditional by which the ldap domain specific config
    drivers are loaded.

    Change-Id: Idf85bb109654cbb46755928504d6a19c090a7514
    Closes-bug: 1497669
    (cherry picked from commit f32def0216b042aa31f4736e9e863cf2332dfbe7)

Revision history for this message

Davanum Srinivas (DIMS) (dims-v) wrote on 2016-05-03: Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.