Ironic does not authenticate correctly when using Keystone v3 AD/LDAP domain
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | New | Undecided | Unassigned |
Bug Description
I was in discussion about a problem at: https:/
because I had similar symptoms. I have posted my initial error logs in that thread.
I found out that the OP's solution worked in a plain (non-Active Directory/LDAP backend domain) Keystone v3 configuration (with v2-enabled endpoints). In our production environment, which runs Mitaka, I have configured Active Directory as an LDAP backend domain for Keystone. All our users, including the service accounts, are created in Active Directory.
Ironic doesn't handle this well. The rest of the services are working perfectly. Nova could not authenticate and left me with "Rejected requests" on the Ironic-Api.
If I create a "local" user in the default domain (e.g. NOT in Active Directory) then Ironic can authenticate with Keystone without any problems.
Does this fix your issue? https://review.openstack.org/#/c/300154/