keystone ldap identity backend will not work without TLS_CACERT path specified in an ldap.conf file

Bug #1274581 reported by Matt Fischer
This bug affects 4 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Annapoornima Koppad

Bug Description

I'm on Ubuntu 12.04 using havana 2013.2.1. What I've found is that the LDAP identity backend for keystone will not talk to my LDAP server (using ldaps) unless I have an ldap.conf that contains a TLS_CACERT line. This line duplicates the setting of tls_cacertfile in my keystone conf and therefore I don't see why it should be required. The rest of my /etc/ldap/ldap.conf file is default/commented out. When I don't have this line set I get a SERVER_DOWN error. I am using LDAP from a FreeIPA server if that matters.

Error message from the logs:
2014-01-30 16:24:17.168 21174 TRACE keystone.common.wsgi SERVER_DOWN: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}

and from the CLI:
Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"} (HTTP 500)

Below are relevant sections of my configs:

/etc/ldap/ldap.conf:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

---------------------

keystone.conf:

[identity]
driver = keystone.identity.backends.ldap.Identity
...
[ldap]
url = ldaps://ldap.example.com:636
user = uid=mfischer,cn=users,cn=accounts,dc=example,dc=com
password = GoBroncos

...
use_tls = False
tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
# tls_cacertdir =
tls_req_cert = demand

---------------------

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Low
Changed in keystone:
status: New → Confirmed
Dolph Mathews (dolph)
tags: added: low-hanging-fruit
Changed in keystone:
assignee: nobody → Emily Hugenbruch (ekhugen)
Changed in keystone:
assignee: Emily Hugenbruch (ekhugen) → nobody
Nikola Knezevic (kne)
Changed in keystone:
assignee: nobody → Nikola Knezevic (kne)
status: Confirmed → In Progress
Nikola Knezevic (kne) wrote :

@mfisch, I see in your config the following line:

use_tls = False

If that is the case, then a TLS connection can't be established, because the config prevents one from connecting to the TLS-enabled server.
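
As an added illustration (not keystone's own code; the Havana-era behaviour it models, that keystone only pushes its [ldap] TLS settings into python-ldap when use_tls = True, is my assumption, consistent with the use_tls remark above), here is a small model of which settings reach libldap and hence where the CA bundle for an ldaps:// URL comes from. The python-ldap option names are used as plain strings so the script runs without python-ldap installed, and the config fragments are constructed to mirror the ones quoted in the report.

```python
from configparser import ConfigParser
from urllib.parse import urlsplit

# Constructed fragments mirroring the two files quoted in the bug report.
KEYSTONE_CONF = """[ldap]
url = ldaps://ldap.example.com:636
use_tls = False
tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
tls_req_cert = demand
"""
LDAP_CONF_WITH_CA = "# LDAP Defaults\nTLS_CACERT /etc/ssl/certs/ca-certificates.crt\n"
LDAP_CONF_DEFAULT = "# LDAP Defaults\n#TLS_CACERT /etc/ssl/certs/ca-certificates.crt\n"

def parse_keystone_ldap(text):
    """Read the [ldap] keys that decide how keystone talks to the directory."""
    cp = ConfigParser()
    cp.read_string(text)
    s = cp["ldap"]
    return {"url": s.get("url"),
            "use_tls": s.getboolean("use_tls", fallback=False),
            "tls_cacertfile": s.get("tls_cacertfile", fallback=None),
            "tls_req_cert": s.get("tls_req_cert", fallback=None)}

def ldap_conf_cacert(text):
    """TLS_CACERT path from an ldap.conf, or None if absent or commented out."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "TLS_CACERT":
            return parts[1]
    return None

def keystone_tls_options(cfg, fixed=False):
    """python-ldap options keystone would set before binding (names only).
    fixed=False: assumed old behaviour, TLS options applied only if use_tls.
    fixed=True: applied whenever the transport is encrypted (use_tls or ldaps://)."""
    scheme = urlsplit(cfg["url"]).scheme.lower()
    if not (cfg["use_tls"] or (fixed and scheme == "ldaps")):
        return {}
    opts = {}
    if cfg["tls_cacertfile"]:
        opts["OPT_X_TLS_CACERTFILE"] = cfg["tls_cacertfile"]
    if cfg["tls_req_cert"]:
        opts["OPT_X_TLS_REQUIRE_CERT"] = cfg["tls_req_cert"]
    return opts

def ca_source(cfg, ldap_conf_text, fixed=False):
    """Where libldap will find the CA bundle for the ldaps:// connection."""
    if "OPT_X_TLS_CACERTFILE" in keystone_tls_options(cfg, fixed):
        return "keystone.conf"
    if ldap_conf_cacert(ldap_conf_text):
        return "ldap.conf"
    # libldap defaults to TLS_REQCERT demand, so an unverifiable chain is
    # reported to the caller as SERVER_DOWN ("Can't contact LDAP server").
    return "none: verification fails, surfacing as SERVER_DOWN"
```

With the report's config and a default ldap.conf the model lands on the "none" case, which is the SERVER_DOWN the reporter saw; uncommenting TLS_CACERT moves it to ldap.conf, exactly the duplicated setting the report complains about.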

Ian Cordasco (icordasc)
Changed in keystone:
status: In Progress → Confirmed
assignee: Nikola Knezevic (kne) → nobody
Steve Martinelli (stevemar) wrote :

I can see that the LDAP config option:

  TLS_CACERT /etc/ssl/certs/ca-certificates.crt

property is duplicated in keystone.conf

  tls_cacertfile = /etc/ssl/certs/ca-certificates.crt

Though I'm not really sure how to fix this, can we reference the LDAP config options in keystone?

Changed in keystone:
assignee: nobody → Nithya Renganathan (narengan)
Sean Perry (sean-perry-a) wrote :

We could try and read /etc/ldap/ldap.conf if it exists and then read keystone.conf as a back up. But that could confuse admins. Maybe if the value of 'tls_cacertfile' is set to 'system' we parse the /etc/ldap/ldap.conf, otherwise we use the file specified by tls_cacertfile.

Thoughts?

Steve Martinelli (stevemar) wrote :

This sounds like it's best fixed through a doc; I doubt we should be making assumptions about various LDAPs in our code.

tags: added: documentation
Changed in keystone:
assignee: Nithya Renganathan (narengan) → nobody
tags: added: ldap-legacy
Marianne Linhares Monteiro (mariannelinharesm) wrote :

I want to fix this bug. This bug should be fixed through a doc? If so which documentation should I change?

Travis Truman (travis-truman) wrote :

@Marianne - The relevant doc to update is most likely http://docs.openstack.org/developer/keystone/configuration.html

guoshan (guoshan)
Changed in keystone:
assignee: nobody → guoshan (guoshan)
tags: added: ldap
Changed in keystone:
assignee: guoshan (guoshan) → Annapoornima Koppad (annakoppad)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/379334

Changed in keystone:
status: Confirmed → In Progress
Changed in keystone:
milestone: none → ocata-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/379334
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ac04a51db218215988a54e248b1ac14bc557e1c6
Submitter: Jenkins
Branch: master

commit ac04a51db218215988a54e248b1ac14bc557e1c6
Author: Annapoornima Koppad <email address hidden>
Date: Thu Sep 29 15:27:34 2016 +0530

    Updating the document regarding LDAP options

    Closes-bug: #1274581

    Change-Id: I3e334b7290745f3e0cdaaf05b07e942929acff04

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b1

This issue was fixed in the openstack/keystone 11.0.0.0b1 development milestone.
