Heat does not work when using LDAP as identity backend
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | High | Kevin Carter |
Juno | Fix Released | High | Miguel Grinberg |
Kilo | Fix Released | High | Kevin Carter |
Trunk | Fix Released | High | Kevin Carter |
Bug Description
Creating simple heat stacks while using LDAP as the identity backend results in stacks stuck in the CREATE_IN_PROGRESS state.
After debugging the issue, I found out that it is directly related to the missing multi-domain support in LDAP and having the heat stack owner user assigned to the heat domain.
Request:
curl -v -X POST -H "Content-Type: application/json" -H "Accept: application/json" -k https:/
Response:
{"error": {"message": "Could not find domain: ab45d7f57729443
I only configured LDAP as the identity backend; assignments are still inside the DB using the SQL driver.
A v3 user show responds with the following settings:
# openstack user show heat-stack-adm
+------
| Field | Value |
+------
| domain_id | default |
| enabled | True |
| id | heat-stack-adm |
| links | {u'self': u'https:/
| name | heat-stack-adm |
+------
Since I see the correct domain (stack_
Is there any other way we can get heat working?
Current LDAP config in keystone:

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
caching = true

[ldap]
url = ldaps://ldap.example.com
user = CN=ldap-svc,OU=Service Accounts,DC=example,DC=com
password = 342456565464564
suffix = OU=Accounts,DC=corp,DC=example,DC=com
use_dumb_member = false
dumb_member = cn=dumb,dc=nonexistent
allow_subtree_delete = false
query_scope = sub
page_size = 2000
debug_level = 4095
chase_referrals = True
user_tree_dn = OU=Accounts,DC=corp,DC=example,DC=com
user_filter =
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_pass_attribute = userPassword
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenantId,tenants
user_default_project_id_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False
user_enabled_emulation = false
user_enabled_emulation_dn =
user_additional_attribute_mapping =
group_tree_dn =
group_filter =
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = ou
group_member_attribute = member
group_desc_attribute = description
group_attribute_ignore =
group_allow_create = true
group_allow_update = true
group_allow_delete = true
group_additional_attribute_mapping =
tls_cacertfile =
tls_cacertdir =
use_tls = false
tls_req_cert = allow
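One arrangement that keeps the heat stack domain out of LDAP, added here as an illustration and not taken from the report or from the OpenStack-Ansible fix: Keystone's domain-specific identity drivers (`domain_specific_drivers_enabled` and `domain_config_dir`, available in Juno and Kilo) let SQL remain the default identity backend, so the heat domain and its stack users resolve, while the LDAP settings above move into a per-domain file that only applies to the LDAP-backed users domain. The domain name `corp`, the file paths and the CA bundle path are constructed for the example; the hardened TLS lines replace the report's `tls_req_cert = allow`, which tolerates an unverifiable server certificate.

```ini
# /etc/keystone/keystone.conf  (constructed example: SQL stays the default identity driver,
# so domains without their own file, including the heat stack domain, are looked up in SQL)
[identity]
driver = keystone.identity.backends.sql.Identity
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains

[assignment]
driver = keystone.assignment.backends.sql.Assignment

# /etc/keystone/domains/keystone.corp.conf  (constructed: "corp" is the LDAP-backed users
# domain; the file name must match the domain name as created in Keystone)
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldaps://ldap.example.com
user = CN=ldap-svc,OU=Service Accounts,DC=example,DC=com
password = <service account password>
suffix = OU=Accounts,DC=corp,DC=example,DC=com
query_scope = sub
page_size = 2000
user_tree_dn = OU=Accounts,DC=corp,DC=example,DC=com
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenantId,tenants
# read-only against the directory, as in the report
user_allow_create = false
user_allow_update = false
user_allow_delete = false
group_objectclass = groupOfNames
group_id_attribute = cn
group_member_attribute = member
# verify the ldaps server certificate instead of merely requesting it
tls_req_cert = demand
tls_cacertfile = /etc/ssl/certs/ldap-ca.pem
```

The `corp` domain has to exist in Keystone before its config file is picked up, and the heat stack domain and the service users stay in SQL, which is what the failing domain lookup needs.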