When using the LDAP backend and connecting to Active Directory, trying to use the root DN (dc=example,dc=com) as the user_tree_dn (or tenant/role_tree_dn) fails with "Authorization Failed: Unable to communicate with identity service: {"error": {"message": "An unexpected error prevented the server from fulfilling your request. {'info': '000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1', 'desc': 'Operations error'}", "code": 500, "title": "Internal Server Error"}}. (HTTP 500)".
This is because python-ldap chases all referrals with anonymous access, which is disabled by default in AD for security reasons. Adding a line in core.py under ldap.initialize to not chase referrals (self.conn.set_option(ldap.OPT_REFERRALS, 0)) gets around this error, but then we get "AttributeError: 'list' object has no attribute 'iteritems'" in search_s. This is because while the referrals aren't chased, they still show up in the results list. The keystone code can't seem to handle the format the referrals come in. I was able to work around this by adding an if statement before o.append to ignore the referral results (if type(dn) is not NoneType). I also added "from types import *" in the beginning of core.py.
I'm sure this isn't the best workaround for everybody, but in general I think there should be an option in keystone.conf to enable or disable chasing of referrals. If it is disabled, then the previous ldap option should be set and something should be done to remove the referrals from the results list.
Edit: I'm using the Grizzly packages from the Ubuntu Cloud Archive on Ubuntu 12.04.
We've observed this same behavior.
You can turn off chasing referrals in /etc/openldap/
REFERRALS off
However, you still need to add the
if dn is not None:
line.
Does it make more sense to configure the referral chasing in OpenStack or to leave it to the configuration of the underlying openldap client configuration?