I was able to recreate this using devstack:
keystone sha: fe20e5a9a73a2bc075af0990f285c9102c96d1b6
devstack sha: 98ab7d9646730f02983380648831aa2682abcc0c
platform: ubuntu 16.04 container

$ cat local.conf
[[local|localrc]]
ADMIN_PASSWORD=password
DATABASE_PASSWORD=password
RABBIT_PASSWORD=password
SERVICE_PASSWORD=$ADMIN_PASSWORD
LDAP_PASSWORD=password
KEYSTONE_CLEAR_LDAP=yes
KEYSTONE_IDENTITY_BACKEND=ldap
ENABLED_SERVICES=rabbit,tempest,mysql,etcd3,dstat,key,horizon,ldap
LOGFILE=$DEST/logs/stack.sh.log
LOGDAYS=2
This results in the following keystone.conf:
[identity]
password_hash_rounds = 4
driver = ldap
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
This is the contents of my domain specific configuration:
$ cat /etc/keystone/domains/keystone.Users.conf
[identity] driver = ldap
[ldap]
group_id_attribute = cn
group_name_attribute = cn
group_objectclass = groupOfNames
group_tree_dn = ou=Groups,dc=openstack,dc=org
password = password
suffix = dc=openstack,dc=org
url = ldap://localhost
user = cn=Manager,dc=openstack,dc=org
user_id_attribute = uid
user_mail_attribute = mail
user_name_attribute = cn
user_objectclass = inetOrgPerson
user_tree_dn = ou=Users,dc=openstack,dc=org
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
When running stack.sh, you get the following error:
http://paste.openstack.org/show/618224/
2017-08-11 19:20:54.435 | CRITICAL keystone [None req-94d4890f-dbdd-4542-99b7-02af075de5d0 None None] Unhandled error: Forbidden: You are not authorized to perform the requested action.
2017-08-11 19:20:54.435 | ERROR keystone Traceback (most recent call last):
2017-08-11 19:20:54.435 | ERROR keystone   File "/usr/local/bin/keystone-manage", line 10, in <module>
2017-08-11 19:20:54.435 | ERROR keystone     sys.exit(main())
2017-08-11 19:20:54.435 | ERROR keystone   File "/opt/stack/keystone/keystone/cmd/manage.py", line 45, in main
2017-08-11 19:20:54.435 | ERROR keystone     cli.main(argv=sys.argv, config_files=config_files)
2017-08-11 19:20:54.435 | ERROR keystone   File "/opt/stack/keystone/keystone/cmd/cli.py", line 1339, in main
2017-08-11 19:20:54.435 | ERROR keystone     CONF.command.cmd_class.main()
2017-08-11 19:20:54.435 | ERROR keystone   File "/opt/stack/keystone/keystone/cmd/cli.py", line 383, in main
2017-08-11 19:20:54.435 | ERROR keystone     klass.do_bootstrap()
2017-08-11 19:20:54.435 | ERROR keystone   File "/opt/stack/keystone/keystone/cmd/cli.py", line 261, in do_bootstrap
2017-08-11 19:20:54.435 | ERROR keystone     'password': self.password
2017-08-11 19:20:54.435 | ERROR keystone   File "/opt/stack/keystone/keystone/common/manager.py", line 110, in wrapped
2017-08-11 19:20:54.435 | ERROR keystone     __ret_val = __f(*args, **kwargs)
2017-08-11 19:20:54.435 | ERROR keystone   File "/opt/stack/keystone/keystone/identity/core.py", line 414, in wrapper
2017-08-11 19:20:54.435 | ERROR keystone     return f(self, *args, **kwargs)
2017-08-11 19:20:54.435 | ERROR keystone   File "/opt/stack/keystone/keystone/identity/core.py", line 424, in wrapper
2017-08-11 19:20:54.435 | ERROR keystone     return f(self, *args, **kwargs)
2017-08-11 19:20:54.436 | ERROR keystone   File "/opt/stack/keystone/keystone/identity/core.py", line 953, in create_user
2017-08-11 19:20:54.436 | ERROR keystone     ref = driver.create_user(user['id'], user)
2017-08-11 19:20:54.436 | ERROR keystone   File "/opt/stack/keystone/keystone/identity/backends/ldap/core.py", line 160, in create_user
2017-08-11 19:20:54.436 | ERROR keystone     self._disallow_write()
2017-08-11 19:20:54.436 | ERROR keystone   File "/opt/stack/keystone/keystone/identity/backends/ldap/core.py", line 157, in _disallow_write
2017-08-11 19:20:54.436 | ERROR keystone     raise exception.Forbidden(READ_ONLY_LDAP_ERROR_MESSAGE)
2017-08-11 19:20:54.436 | ERROR keystone Forbidden: You are not authorized to perform the requested action.
2017-08-11 19:20:54.436 | ERROR keystone
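A small pre-flight check that reproduces the driver resolution behind this traceback, added here as an example; it is not keystone or devstack code and is not part of the report. It parses the keystone.conf [identity] section and the keystone.<domain>.conf file pasted above (embedded inline as constructed samples so it runs offline), works out which identity driver serves the domain that keystone-manage bootstrap writes its admin user into, and flags the read-only case. Two things are assumed rather than taken from the report: that bootstrap targets the domain named "Default" (the default domain), and that the LDAP identity driver rejects every write, which is what the _disallow_write frame in the traceback indicates. A second keystone.conf variant with the global driver set to sql is included to show the configuration that keeps the LDAP-backed Users domain and still lets bootstrap succeed.

```python
"""Pre-flight check: can `keystone-manage bootstrap` create its admin user,
given keystone.conf plus the domain-specific config directory?

Added example for this bug report; not keystone or devstack code.
Assumptions (not stated in the report): bootstrap writes into the domain
named "Default", and the ldap identity driver refuses all writes, which is
what the _disallow_write frame in the pasted traceback shows.
"""
import configparser
import os
import re

BOOTSTRAP_DOMAIN = "Default"   # assumption: bootstrap's target domain name
READ_ONLY_DRIVERS = {"ldap"}   # assumption: ldap driver rejects writes

# Constructed inline from the configs in the report so the check runs offline.
KEYSTONE_CONF = """
[identity]
password_hash_rounds = 4
driver = ldap
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
"""

# Same file with only the global driver changed; the Users domain stays LDAP.
KEYSTONE_CONF_SQL_DEFAULT = KEYSTONE_CONF.replace("driver = ldap", "driver = sql")

DOMAIN_CONFIGS = {
    "keystone.Users.conf": """
[identity]
driver = ldap

[ldap]
url = ldap://localhost
user = cn=Manager,dc=openstack,dc=org
suffix = dc=openstack,dc=org
user_allow_create = False
user_allow_update = False
user_allow_delete = False
""",
}

# keystone names domain-specific files keystone.<domain name>.conf
DOMAIN_FILE_RE = re.compile(r"^keystone\.(?P<domain>.+)\.conf$")


def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def domain_drivers(domain_configs):
    """Map domain name -> [identity] driver for every keystone.<domain>.conf."""
    drivers = {}
    for filename, text in domain_configs.items():
        m = DOMAIN_FILE_RE.match(filename)
        if not m:
            continue
        cp = parse(text)
        if cp.has_option("identity", "driver"):
            drivers[m.group("domain")] = cp.get("identity", "driver")
    return drivers


def resolve_driver(keystone_conf, domain_configs, domain):
    """Which identity driver serves `domain`?  A domain-specific file only
    counts when domain_specific_drivers_enabled is True, and it only governs
    the domain it is named after; everything else gets the global driver."""
    cp = parse(keystone_conf)
    global_driver = cp.get("identity", "driver", fallback="sql")
    if not cp.getboolean("identity", "domain_specific_drivers_enabled",
                         fallback=False):
        return global_driver
    return domain_drivers(domain_configs).get(domain, global_driver)


def bootstrap_preflight(keystone_conf, domain_configs, domain=BOOTSTRAP_DOMAIN):
    """Return (ok, driver, message); ok is False when bootstrap's create_user
    would land on a read-only driver, the failure in the report."""
    driver = resolve_driver(keystone_conf, domain_configs, domain)
    if driver in READ_ONLY_DRIVERS:
        return (False, driver,
                "domain %r is served by read-only driver %r; bootstrap's "
                "create_user will be refused (Forbidden)" % (domain, driver))
    return True, driver, "domain %r is served by writable driver %r" % (domain, driver)


def load_domain_dir(path):
    """For a real deployment: read every keystone.<domain>.conf under `path`."""
    out = {}
    for name in os.listdir(path):
        if DOMAIN_FILE_RE.match(name):
            with open(os.path.join(path, name)) as f:
                out[name] = f.read()
    return out


if __name__ == "__main__":
    for label, conf in (("as reported", KEYSTONE_CONF),
                        ("global driver = sql", KEYSTONE_CONF_SQL_DEFAULT)):
        ok, driver, msg = bootstrap_preflight(conf, DOMAIN_CONFIGS)
        print("%s: %s %s" % (label, "OK" if ok else "FAIL", msg))
```

The point the check makes explicit: with domain_specific_drivers_enabled = True, keystone.Users.conf governs only the domain named Users. Every other domain, including the one bootstrap writes to, falls through to the global [identity] driver, which local.conf above set to ldap, so the very first create_user of bootstrap hits the read-only LDAP driver. To run it against a live host instead of the embedded samples, pass open("/etc/keystone/keystone.conf").read() and load_domain_dir("/etc/keystone/domains") to bootstrap_preflight.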