Keystone with LDAP/AD backend problem

Bug #1234319 reported by Stephane Boisvert
Affects: OpenStack Identity (keystone) | Status: New | Importance: Undecided | Assigned to: Adam Young | Milestone: (none)

Bug Description

When connecting to a Windows Active Directory server with many DCs in the AD domain, Keystone seems to make a DNS request on domain.org and DomainDnsZones.domain.org, then choose a random DC and bind to it, then do the search on another server. It seems user-list does that, but not role-list or tenant-list.

Here is the error from keystone.log:

2013-10-02 17:35:09 DEBUG [keystone.common.ldap.core] LDAP search: dn=dc=gameloft,dc=org, scope=2, query=(&(|(memberOf=CN=cloud-users,OU=cloud,OU=apps,DC=gameloft,DC=org)(memberOf=CN=cloud-services,OU=cloud,OU=APPS,DC=domain,DC=org) )(objectClass=organizationalPerson)), attrs=['businessCategory', '', 'userAccountControl', 'mail', 'userPrincipalName']
2013-10-02 17:35:10 ERROR [root] {'info': '00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece', 'desc': 'Operations error'}
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 265, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 178, in get_users
    user_list = self.identity_api.list_users(context)
  File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 47, in _wrapper
    return f(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap/core.py", line 147, in list_users
    return self._set_default_domain(self.user.get_all())
  File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 571, in get_all
    return super(EnabledEmuMixIn, self).get_all(filter)
  File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 309, in get_all
    for x in self._ldap_get_all(filter)]
  File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 287, in _ldap_get_all
    self.attribute_mapping.values())
  File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 400, in search_s
    res = self.conn.search_s(dn, scope, query, attrlist)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 502, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 496, in search_ext_s
    return self.result(msgid,all=1,timeout=timeout)[1]
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece', 'desc': 'Operations error'}

----

keystone config

[ldap]
url = ldap://mydc.mydomain.org:389

user = cn=cloud apps,ou=special accounts,ou=MDC,dc=domain,dc=org
password = <some password>
suffix = DC=domain,DC=org
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com

Also, I found that it seems to have a recursion bug in python-ldap. I found that bug request:

https://projects.xivo.fr/issues/3795
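
The failure described in the report (bind to one DC, search answered by another, "a successful bind must be completed on the connection") is the classic symptom of libldap chasing the DomainDnsZones/ForestDnsZones referrals that AD returns for a subtree search under the domain root: the referral is followed on a new, unauthenticated connection, which AD rejects. The following is an added example, not code from the bug report or from Keystone; it shows a python-ldap client that disables referral chasing and a helper that separates the referral pseudo-entries python-ldap then returns from real user entries. The search results are constructed sample data.

```python
"""Keep AD searches on the DC we actually bound to.

With the default libldap behaviour the referrals AD returns for the
DomainDnsZones/ForestDnsZones partitions are chased on a fresh, anonymous
connection, and the referred DC answers "a successful bind must be
completed on the connection" (LDAP Operations error).  Turning referral
chasing off avoids that; the referrals then show up in the result list as
(None, [url, ...]) tuples, which the helper below filters out.
"""


def connect(url, bind_dn, password):
    """Open an authenticated python-ldap connection with referral chasing off."""
    import ldap  # python-ldap; imported here so the offline helpers run without it
    conn = ldap.initialize(url)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # 0 = do not chase referrals: the search is answered only by the bound DC.
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.simple_bind_s(bind_dn, password)
    return conn


def split_referrals(results):
    """Split a search_s() result into (entries, referral_urls).

    python-ldap reports an unchased referral as a tuple whose dn is None and
    whose second element is a list of LDAP URLs rather than an attribute dict.
    """
    entries, referrals = [], []
    for dn, payload in results:
        if dn is None and isinstance(payload, list):
            referrals.extend(payload)
        else:
            entries.append((dn, payload))
    return entries, referrals


def user_dns(results):
    """Return only the DNs of real entries (what a user-list should show)."""
    entries, _ = split_referrals(results)
    return [dn for dn, _ in entries]


# Constructed sample of what search_s() returns against AD when OPT_REFERRALS is 0.
SAMPLE_RESULTS = [
    ("CN=alice,OU=cloud,DC=domain,DC=org", {"mail": [b"alice@domain.org"]}),
    (None, ["ldap://DomainDnsZones.domain.org/DC=DomainDnsZones,DC=domain,DC=org"]),
    (None, ["ldap://ForestDnsZones.domain.org/DC=ForestDnsZones,DC=domain,DC=org"]),
    ("CN=bob,OU=cloud,DC=domain,DC=org", {"mail": [b"bob@domain.org"]}),
]
```

Keystone later exposes the same switch as the `chase_referrals` setting in its `[ldap]` section; the example above is the equivalent for a plain python-ldap client.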

Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)