LDAP keystone.exception.DomainNotFound: Could not find domain:

Bug #2053297 reported by Satish Patel
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

OpenStack version: 2023.1
Deployment tool: kolla-ansible
OS: Ubuntu 22.04

Integrating keystone with LDAP for Centralized authentication.

# /etc/kolla/config/keystone/domains/keystone.eng.conf

# Ansible managed

[identity]
driver = ldap
domain_config_dir = /etc/keystone/domains
domain_specific_drivers_enabled = True

[assignment]
driver = sql

[ldap]
debug_level = 4095
group_allow_create = False
group_allow_delete = False
group_allow_update = False
group_id_attribute = cn
group_member_attribute = memberof
group_name_attribute = cn
group_objectclass = organizationalUnit
group_tree_dn = cn=groups,cn=compat,dc=example,dc=com
password = XXXXXXXXXXXXXXXXXX
project_allow_create = False
project_allow_delete = False
project_allow_update = False
role_allow_create = False
role_allow_delete = False
role_allow_update = False
suffix = dc=example,dc=com
tls_cacertfile = /etc/keystone/ssl/ipa-ldap.crt
tls_req_cert = allow
url = ldaps://ldap.example.com
use_dump_member = False
use_tls = False
user = uid=svc-openstack,cn=users,cn=accounts,dc=example,dc=com
user_allow_create = False
user_allow_delete = False
user_allow_update = False
user_enabled_attribute = userAccountControl
user_filter = (memberof=cn=openstack-eng,cn=groups,cn=accounts,dc=example,dc=com)
user_id_attribute = cn
user_mail_attribute = mail
user_name_attribute = uid
user_objectclass = person
user_pass_attribute = password
user_tree_dn = cn=users,cn=accounts,dc=example,dc=com

When I list all users from the LDAP domain, I can see the list of users in the output:

# openstack user list --domain eng
+------------------------------------------------------------------+----------------+
| ID                                                               | Name           |
+------------------------------------------------------------------+----------------+
| 5941b66ab2dd5c288b9c43af63eac64802e7fcc13f93a39341d0972623dea482 | user1          |
| cbadc09bf614aae6cb02ec55a7c0339d23fb23862465006117574856f5a9ea25 | user2          |
| b2c2da99373ad98a4b266fdaba5773ad8284e53b6e6d6814d739a671c57036a1 | user3          |
| 76c268f25474aad5bad0035bec482ada7ceb94f82d8d46b4973091b120d1b925 | spatel         |
| 018019fc1b632ea62a339bd6610ef3011dc95aaae01b0b7fa4f72d836c1a816f | user4          |

At the same time, I am seeing this error in the keystone.log file. I thought I should report the errors.

2024-02-15 20:41:57.658 22 WARNING keystone.common.password_hashing [None req-01863ce5-e57b-41e9-80ec-e994166b9757 - - - - - -] Truncating password to algorithm specific maximum length 72 characters.
2024-02-15 20:42:03.209 25 WARNING keystone.common.rbac_enforcer.enforcer [None req-4f4495f7-2527-4463-84fe-1d795fcb946e f55d38aca4384bfdb32806d5ca452c66 32f16f689e8445e0bf74c59c57096b3a - - default default] Deprecated policy rules found. Use oslopolicy-policy-generator and oslopolicy-policy-upgrade to detect and resolve deprecated policies in your configuration.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application [None req-4f4495f7-2527-4463-84fe-1d795fcb946e f55d38aca4384bfdb32806d5ca452c66 32f16f689e8445e0bf74c59c57096b3a - - default default] Could not find domain: eng.: keystone.exception.DomainNotFound: Could not find domain: eng.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application Traceback (most recent call last):
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/core.py", line 712, in get_domain
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application project = self.driver.get_project(domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/backends/sql.py", line 49, in get_project
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application return self._get_project(session, project_id).to_dict()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/backends/sql.py", line 44, in _get_project
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application raise exception.ProjectNotFound(project_id=project_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application keystone.exception.ProjectNotFound: Could not find project: eng.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application During handling of the above exception, another exception occurred:
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application Traceback (most recent call last):
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/app.py", line 1820, in full_dispatch_request
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application rv = self.dispatch_request()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/app.py", line 1796, in dispatch_request
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask_restful/__init__.py", line 467, in wrapper
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application resp = resource(*args, **kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/views.py", line 107, in view
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application return current_app.ensure_sync(self.dispatch_request)(**kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask_restful/__init__.py", line 582, in dispatch_request
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application resp = meth(*args, **kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/api/domains.py", line 89, in get
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application return self._get_domain(domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/api/domains.py", line 97, in _get_domain
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application domain = PROVIDERS.resource_api.get_domain(domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/common/manager.py", line 115, in wrapped
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application __ret_val = __f(*args, **kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application return caller(func, *(extras + args), **kw)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/cache/region.py", line 1577, in get_or_create_for_user_func
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application return self.get_or_create(
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/cache/region.py", line 1042, in get_or_create
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application with Lock(
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/lock.py", line 185, in __enter__
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application return self._enter()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/lock.py", line 94, in _enter
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application generated = self._enter_create(value, createdtime)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/lock.py", line 178, in _enter_create
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application return self.creator()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/cache/region.py", line 995, in gen_value
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application created_value = creator(
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/core.py", line 718, in get_domain
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application raise exception.DomainNotFound(domain_id=domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application keystone.exception.DomainNotFound: Could not find domain: eng.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application
2024-02-15 20:42:08.030 23 WARNING py.warnings [None req-1d1b3838-65b0-4620-8554-eae9b43bd2d8 f55d38aca4384bfdb32806d5ca452c66 32f16f689e8445e0bf74c59c57096b3a - - default default] /var/lib/kolla/venv/lib/python3.10/site-packages/oslo_policy/policy.py:1129: UserWarning: Policy "identity:list_domains": "role:reader and system_scope:all" failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)

Takashi Kajinami (kajinamit) wrote:

Can you please share the environment variables or clouds.yaml used in the client?

Also, I'm not very familiar with kolla, but can you check the access log in keystone?

My rough guess is that the client attempts to search for the domain by ID "eng", which fails with 404, and then it attempts to search for the domain by NAME "eng". If that's true, then the error may be a kind of expected one, though probably we should consider suppressing it somehow.
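
One way to test the hypothesis in the comment above against keystone.log, as an added example that is not part of the bug report or of keystone: it extracts the request-scoped DomainNotFound lines and separates looked-up values shaped like a domain ID from values shaped like a name. The ID shape (32 hex characters or "default"), the function name and the sample lines are assumptions made for this example.

```python
import re

# Constructed sample lines in the log layout shown in the report above.
SAMPLE_LOG = """\
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application [None req-aaaa1111 u1 p1 - - default default] Could not find domain: eng.: keystone.exception.DomainNotFound: Could not find domain: eng.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application keystone.exception.DomainNotFound: Could not find domain: eng.
2024-02-15 20:45:10.101 25 ERROR keystone.server.flask.application [None req-bbbb2222 u1 p1 - - default default] Could not find domain: 0123456789abcdef0123456789abcdef.: keystone.exception.DomainNotFound: Could not find domain: 0123456789abcdef0123456789abcdef.
"""

# Only the first line of each error carries the [request context] block;
# traceback continuation lines do not and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \d+ ERROR \S+ \[\S+ (?P<req>req-\S+) [^\]]*\] "
    r"Could not find domain: (?P<domain>\S+?)\.: "
)

# Assumption: generated domain IDs are 32 hex characters, plus "default".
ID_SHAPED = re.compile(r"^(?:[0-9a-f]{32}|default)$")


def triage_domain_not_found(log_text):
    """Return {request_id: (looked_up_value, verdict)} for DomainNotFound errors."""
    results = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = m.group("domain")
        if ID_SHAPED.match(value):
            verdict = "id-shaped: the ID itself does not exist, investigate"
        else:
            verdict = "name-shaped: consistent with an ID-then-name client lookup"
        results[m.group("req")] = (value, verdict)
    return results


if __name__ == "__main__":
    for req, (value, verdict) in triage_domain_not_found(SAMPLE_LOG).items():
        print(req, value, verdict)
```

A name-shaped result only supports the guess; the keystone access log still has to show the failed ID lookup followed by a lookup by name for the same client.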
