External LDAP integration overrides Keystone Version

Bug #1681551 reported by Fatih Nar
This bug affects 1 person
Affects: OpenStack Identity (keystone) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

After enabling LDAP there is a new local (non-LDAP/AD) domain created called admin_domain, where a new admin user is created. The old admin user in the “default” local OpenStack domain no longer exists.
As a result, attempting to use v2 authentication (instead of v3) with the keystone v2 rc file you can download through Horizon no longer works, because the rc file specifies that old user in the “default” local OpenStack domain.

Tags: ldap
Lance Bragstad (lbragstad) wrote:

Fatih,

Do you have a link to a guide or document that you used to setup the environment? If not, can you provide steps to recreate, specifically how you integrated LDAP with keystone?

tags: added: ldap
Kristi Nikolla (knikolla) wrote:

You cannot authenticate to two domains using the V2.0 API, since it doesn't have the concept of a domain and will only look in the domain you have specified as the default one. Therefore if your admin user is not in the default domain, you will have to use the V3 API to authenticate.

You can easily convert the v2.0 file that Horizon gives you to a v3 one. Please see [0] for an easy script.

[0] http://adam.younglogic.com/2016/03/v3fromv2/

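The conversion Kristi describes, as an added example written for this page (not the script linked above, and not keystone's own tooling): the v2.0 rc file never names a domain, so the rewrite must be told which domain the user and project actually live in (here the bug report's admin_domain); the sample rc contents are constructed.

```shell
#!/bin/sh
# Added example: rewrite a Keystone v2.0 openrc (the kind Horizon lets you
# download) into a v3 openrc that names the user's and project's domain.
# Every value below is a constructed sample, not copied from a real deployment.

# Constructed v2.0 openrc for an admin user that lives in the non-default
# "admin_domain" described in the bug report.
sample_v2rc() {
    cat <<'EOF'
#!/usr/bin/env bash
export OS_AUTH_URL=http://controller:5000/v2.0
export OS_TENANT_ID=0123456789abcdef0123456789abcdef
export OS_TENANT_NAME="admin"
export OS_USERNAME="admin"
export OS_PASSWORD="example-only"
export OS_REGION_NAME="RegionOne"
EOF
}

# v3_from_v2 <domain-name>: reads a v2.0 openrc on stdin, writes a v3 openrc
# on stdout. v2.0 has no notion of domains, so the caller must supply the one
# the user and project belong to; OS_TENANT_* becomes OS_PROJECT_* and the
# /v2.0 auth URL becomes /v3.
v3_from_v2() {
    domain="$1"
    sed -e '/^export OS_AUTH_URL=/s#/v2\.0#/v3#' \
        -e 's/^export OS_TENANT_NAME=/export OS_PROJECT_NAME=/' \
        -e 's/^export OS_TENANT_ID=/export OS_PROJECT_ID=/' \
        -e '/^export OS_IDENTITY_API_VERSION=/d' \
        -e '/^export OS_USER_DOMAIN_NAME=/d' \
        -e '/^export OS_PROJECT_DOMAIN_NAME=/d'
    printf 'export OS_IDENTITY_API_VERSION=3\n'
    printf 'export OS_USER_DOMAIN_NAME="%s"\n' "$domain"
    printf 'export OS_PROJECT_DOMAIN_NAME="%s"\n' "$domain"
}

# Example run: sample_v2rc | v3_from_v2 admin_domain > admin_domain-openrc.sh
```

Sourcing the result gives the OpenStack CLI everything a v3 token request needs for a user outside the default domain.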
Lance Bragstad (lbragstad) wrote:

I'm curious if the guide you followed was provided by keystone somewhere. If so, we should document the behavior or fix the documentation, because Kristi is right. If the admin user is in a domain that is not the default domain specified in configuration [0], then you'll either need to use v3 to authenticate (since v3 understands multiple domains), or switch the default domain in configuration.

[0] https://github.com/openstack/keystone/blob/e5edf3fc2823cdfc079efac0026e8f970c212677/keystone/conf/identity.py#L19-L30

Changed in keystone:
status: New → Invalid