domain ldap tls_cacertfile "forgotten" in multidomain configuration

Bug #1644862 reported by MikeyB
This bug affects 2 people
Affects                        Status     Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Triaged    Low         Unassigned
Mitaka                         Won't Fix  Undecided   Unassigned

Bug Description

Environment:
Centos 7 using the OpenStack Mitaka release

RPMS from:
http://mirror.centos.org/centos/7/cloud/$basearch/openstack-mitaka/

openstack-keystone-9.2.0-1.el7.noarch

—————

I have a multidomain configuration with multiple AD backends in keystone.

For one of the AD configurations I've configured a custom tls_cacertfile as follows:

«
[identity]
driver = ldap

[assignment]
driver = ldap

[ldap]
url = ldap://dc1.domain1.ca ldap://dc1.domain1.ca
use_tls = true

»

For the other:

«
[identity]
driver = ldap

[assignment]
driver = ldap

[ldap]
url = ldap://dc1.domain2.ca ldap://dc2.domain2.ca
query_scope = sub
use_tls = true
tls_cacertfile = /etc/keystone/domains/domain2-caroot.pem

»

What I've observed is when logging in to domain2 I will get very inconsistent behaviour:

* sometimes fails: "Unable to retrieve authorized projects."
* sometimes fails: "An error occurred authenticating. Please try again later."
* sometimes fails: "Unable to authenticate to any available projects."
* sometimes fails: "Invalid credentials."
* sometimes succeeds

Example traceback from keystone log:
«
2016-11-25 09:54:06.699 27879 INFO keystone.common.wsgi [req-c145506b-69fc-4fc2-9bad-76d77a79e3ca - - - - -] POST http://os-controller.lab.netdirect.ca:5000/v3/auth/tokens
2016-11-25 09:54:07.147 27879 ERROR keystone.common.wsgi [req-c145506b-69fc-4fc2-9bad-76d77a79e3ca - - - - -] {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': 'Connect error'}
2016-11-25 09:54:07.147 27879 ERROR keystone.common.wsgi Traceback (most recent call last):

2016-11-25 09:54:07.147 27879 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/ldappool/__init__.py", line 224, in _create_connector
2016-11-25 09:54:07.147 27879 ERROR keystone.common.wsgi raise BackendError(str(exc), backend=conn)
2016-11-25 09:54:07.147 27879 ERROR keystone.common.wsgi BackendError: {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': 'Connect error'}
»

I've also tried putting a merged tls_cacertfile containing the system default ca roots and the domain2-specific ca root. That felt like it improved but did not fix the problem.

The workaround is putting the merged cacertfile into BOTH domain configurations, which should not be necessary. After doing so I haven't had any trouble.

MikeyB (supermathie)
description: updated
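A configuration consistency check, added here as an example and not part of the bug report or of keystone: it reads per-domain config files of the shape shown above (keystone loads them from /etc/keystone/domains/) and flags LDAP domains that enable TLS without their own tls_cacertfile, plaintext LDAP URLs, and domains that disagree on the CA file, which is the condition the "same merged cacertfile in BOTH domains" workaround removes. The two sample configs and the merged-ca.pem path are constructed for the example.

```python
import configparser
from typing import Dict, List

# Constructed sample domain configs modelled on the two in the report
# (keystone reads these from /etc/keystone/domains/keystone.<domain>.conf).
DOMAIN_CONFIGS = {
    "domain1": """
[identity]
driver = ldap

[ldap]
url = ldap://dc1.domain1.ca ldap://dc2.domain1.ca
use_tls = true
""",
    "domain2": """
[identity]
driver = ldap

[ldap]
url = ldap://dc1.domain2.ca ldap://dc2.domain2.ca
use_tls = true
tls_cacertfile = /etc/keystone/domains/domain2-caroot.pem
""",
}


def check_ldap_tls(configs: Dict[str, str]) -> List[str]:
    """Return findings for LDAP domains whose TLS trust settings are missing
    or inconsistent across the multidomain set (empty list means consistent)."""
    findings = []
    cafiles = {}  # domain name -> tls_cacertfile (None = system default trust)
    for name, text in configs.items():
        cp = configparser.ConfigParser()
        cp.read_string(text)
        if cp.get("identity", "driver", fallback="sql") != "ldap":
            continue  # not an LDAP-backed domain, nothing to check
        use_tls = cp.getboolean("ldap", "use_tls", fallback=False)
        urls = cp.get("ldap", "url", fallback="").split()
        if not use_tls and not all(u.startswith("ldaps://") for u in urls):
            findings.append(f"{name}: LDAP without STARTTLS or ldaps://")
        cafile = cp.get("ldap", "tls_cacertfile", fallback=None)
        if use_tls and cafile is None:
            findings.append(f"{name}: use_tls set but no tls_cacertfile (system default trust)")
        if use_tls or any(u.startswith("ldaps://") for u in urls):
            cafiles[name] = cafile
    if len(set(cafiles.values())) > 1:  # the report's mixed-trust situation
        findings.append("tls_cacertfile differs across domains: "
                        + ", ".join(f"{n}={c}" for n, c in sorted(cafiles.items())))
    return findings


if __name__ == "__main__":
    for finding in check_ldap_tls(DOMAIN_CONFIGS):
        print(finding)
```

Run against the report's two domains it reports both the missing CA file in domain1 and the mismatch; once every TLS domain points at the same merged bundle it reports nothing.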

Lance Bragstad (lbragstad) wrote :

Are you able to recreate this using Newton or master?

Lance Bragstad (lbragstad) wrote :

Looks like we could do a couple things here.

1.) Investigate which cert is getting used when. I wouldn't think this is an issue, but sanity checking the code to make sure the right driver is using the right cert might be a good first step.

2.) Document the workaround

Changed in keystone:
status: New → Triaged
importance: Undecided → Low
Morgan Fainberg (mdrnstm) wrote :

Mitaka is EOL

Craig Cerny (cerny01) wrote :

I encountered this bug in an OSP10/Newton environment. I searched for and found this bug, applied the workaround as described by MikeyB, and was able to overcome the failure.

Workaround:
"The workaround is putting the merged cacertfile into BOTH domain configurations, which should not be necessary. After doing so I haven't had any trouble."
