Ironic does not authenticate correctly when using Keystone v3 AD/LDAP domain

Bug #1600187 reported by midekra
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

I was in discussion about a problem at https://bugs.launchpad.net/nova/+bug/1580703 because I had similar symptoms. I have posted my initial error logs in that thread.

I found out that the OP's solution worked in a plain (non-Active Directory/LDAP backend domain) Keystone v3 configuration (with v2 enabled endpoints). In our production environment, which runs Mitaka, I have configured Active Directory as an LDAP backend domain for Keystone. All our users, including the service accounts, are created in Active Directory.

Ironic doesn't handle this well. The rest of the services are working perfectly. Nova could not authenticate and left me with "Rejected requests" on the Ironic-Api.

If I create a "local" user in the default domain (e.g. one NOT in Active Directory), then Ironic can authenticate with Keystone without any problems.

Tags: ironic
midekra (midekra)
tags: added: ironic
Matt Riedemann (mriedem) wrote :