Heat does not work when using LDAP as identity backend

Bug #1447768 reported by Bjoern
This bug affects 2 people
Affects            Status        Importance  Assigned to      Milestone
OpenStack-Ansible  Fix Released  High        Kevin Carter
  Juno             Fix Released  High        Miguel Grinberg
  Kilo             Fix Released  High        Kevin Carter
  Trunk            Fix Released  High        Kevin Carter

Bug Description

Creating simple heat stacks while using LDAP as identity backend results in stacks stuck in the CREATE_IN_PROGRESS state.
After debugging the issue, I found out that it is directly related to the missing multi domain support in LDAP and having the heat stack owner user assigned to the heat domain.

Request:

curl -v -X POST -H "Content-Type: application/json" -H "Accept: application/json" -k https://xxxxx:5000/v3/auth/tokens -d '{"auth": {"scope": {"domain": {"id": "ab45d7f57729443c89c23ca0e71d404b"}}, "identity": {"password": {"user": {"domain": {"id": "ab45d7f57729443c89c23ca0e71d404b"}, "password": "xxxxx", "name": "heat-stack-adm"}}, "methods": ["password"]}}}'

Response:

{"error": {"message": "Could not find domain: ab45d7f57729443c89c23ca0e71d404b", "code": 404, "title": "Not Found"}

I did only configure LDAP as identity back end, assignments are still inside the DB using the SQL driver.

A v3 user show responds with the following settings:

# openstack user show heat-stack-adm
+-----------+------------------------------------------------------------------------------+
| Field | Value |
+-----------+------------------------------------------------------------------------------+
| domain_id | default |
| enabled | True |
| id | heat-stack-adm |
| links | {u'self': u'https://xxxxx:5000/v3/users/heat-stack-adm'} |
| name | heat-stack-adm |
+-----------+------------------------------------------------------------------------------+

Since I see the correct domain (stack_user_domain_id) inside the assignments and domain table, I assume that the returned domain id for this user is causing this issue. It's supposed to be the heat domain. LDAP does not support multi domain, so I'm not surprised that default is being returned.
Is there any other way we can get heat working?

Bjoern (bjoern-t) wrote:

Current LDAP config in keystone:

[identity]
# One LDAP identity driver for every domain (domain-specific drivers are not enabled)
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Role assignments stay in the SQL database
driver = keystone.assignment.backends.sql.Assignment
caching = true

[ldap]
url = ldaps://ldap.example.com
# Bind DN and credential keystone uses to query the directory
user = CN=ldap-svc,OU=Service Accounts,DC=example,DC=com
password = 34245656546456454635654534645
suffix = OU=Accounts,DC=corp,DC=example,DC=com
use_dumb_member = false
dumb_member = cn=dumb,dc=nonexistent
allow_subtree_delete = false
query_scope = sub
page_size = 2000
debug_level = 4095
chase_referrals = True
# User lookups: Active Directory style attributes, enabled flag taken from userAccountControl
user_tree_dn = OU=Accounts,DC=corp,DC=example,DC=com
user_filter =
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_pass_attribute = userPassword
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenantId,tenants
user_default_project_id_attribute =
# Users are read-only; keystone never writes to the directory
user_allow_create = False
user_allow_update = False
user_allow_delete = False
user_enabled_emulation = false
user_enabled_emulation_dn =
user_additional_attribute_mapping =
# Groups: empty group_tree_dn falls back to the suffix
group_tree_dn =
group_filter =
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = ou
group_member_attribute = member
group_desc_attribute = description
group_attribute_ignore =
group_allow_create = true
group_allow_update = true
group_allow_delete = true
group_additional_attribute_mapping =
# Certificate trust options apply to ldaps:// as well as STARTTLS; with no CA file and
# tls_req_cert = allow the server certificate is not required to validate
tls_cacertfile =
tls_cacertdir =
use_tls = false
tls_req_cert = allow

Bjoern (bjoern-t)
description: updated
Bjoern (bjoern-t) wrote:

As a result of a #openstack-keystone meeting, I'm going to validate this issue against a new config:

Configure keystone to use domain-specific identity backends in keystone.conf:

  [identity]
  domain_specific_drivers_enabled = True
  domain_config_dir = /etc/keystone/domains

Configure the default identity driver in keystone.conf to be SQL:

  [identity]
  driver = keystone.identity.backends.sql.Identity

Then move the entire [ldap] section of keystone.conf into a new file:

  /etc/keystone/domains/keystone.Default.conf

Bjoern (bjoern-t) wrote:

I did small tests using the Default domain as a multi domain (as proposed above) and it seems to work. I did not find any issues with this configuration. So at this point it would be beneficial, once the keystone_ldap parameter is set, that we configure inside the keystone.conf:

  [identity]
  domain_specific_drivers_enabled = True
  domain_config_dir = /etc/keystone/domains

and add an additional file /etc/keystone/domains/keystone.Default.conf containing all [ldap] section configs we had put into the keystone.conf before.
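
The two comments above describe one migration: move the [ldap] section of keystone.conf into /etc/keystone/domains/keystone.Default.conf and point the main config at the SQL identity driver with domain-specific drivers enabled. The script below is an added example, not part of the bug report or of the os-ansible-deployment fix; it assumes the domain file also needs its own [identity] driver = ldap line (which the comments do not spell out), and it works on a constructed keystone.conf sample with a placeholder bind password. Because that bind password moves into the new file, the file is created readable by its owner only.

```python
import configparser
import os
import tempfile

SAMPLE_KEYSTONE_CONF = """[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldaps://ldap.example.com
user = CN=ldap-svc,OU=Service Accounts,DC=example,DC=com
password = PLACEHOLDER_BIND_PASSWORD
suffix = OU=Accounts,DC=corp,DC=example,DC=com
user_name_attribute = sAMAccountName
"""  # constructed sample in the layout of the bug report's keystone.conf
LDAP_DRIVER = "keystone.identity.backends.ldap.Identity"
SQL_DRIVER = "keystone.identity.backends.sql.Identity"

def split_ldap_into_domain_config(keystone_conf, domain_config_dir, domain_name="Default"):
    """Move [ldap] from keystone_conf into <domain_config_dir>/keystone.<domain_name>.conf,
    make SQL the default identity driver and enable domain-specific drivers."""
    main = configparser.ConfigParser(interpolation=None)
    main.read(keystone_conf)
    if not main.has_section("ldap"):
        raise ValueError("no [ldap] section to move")
    domain = configparser.ConfigParser(interpolation=None)
    domain["identity"] = {"driver": LDAP_DRIVER}  # assumption: the domain file names its own driver
    domain["ldap"] = dict(main.items("ldap"))
    main.remove_section("ldap")
    main.read_dict({"identity": {"driver": SQL_DRIVER,  # creates [identity] if it is missing
                                 "domain_specific_drivers_enabled": "True",
                                 "domain_config_dir": domain_config_dir}})
    os.makedirs(domain_config_dir, mode=0o750, exist_ok=True)
    domain_path = os.path.join(domain_config_dir, f"keystone.{domain_name}.conf")
    # The domain file now carries the LDAP bind password: create it readable by its owner only.
    with os.fdopen(os.open(domain_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as fh:
        domain.write(fh)
    with open(keystone_conf, "w") as fh:
        main.write(fh)
    return domain_path

def demo():
    """Run the split on the constructed sample in a scratch directory; return what was written."""
    conf = os.path.join(tempfile.mkdtemp(), "keystone.conf")
    with open(conf, "w") as fh:
        fh.write(SAMPLE_KEYSTONE_CONF)
    domain_path = split_ldap_into_domain_config(conf, os.path.join(os.path.dirname(conf), "domains"))
    main, domain = configparser.ConfigParser(), configparser.ConfigParser()
    main.read(conf)
    domain.read(domain_path)
    return main, domain, os.path.basename(domain_path), os.stat(domain_path).st_mode & 0o777
```

The domain file name must match the keystone domain name exactly (keystone.Default.conf for the domain named Default), otherwise keystone silently keeps using the default SQL driver for that domain.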

OpenStack Infra (hudson-openstack) wrote: Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/178310

OpenStack Infra (hudson-openstack) wrote: Fix proposed to os-ansible-deployment (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/178320

OpenStack Infra (hudson-openstack) wrote: Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/178320
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=d58e02608054b0bc0ccb243159ff728b758dde23
Submitter: Jenkins
Branch: kilo

commit d58e02608054b0bc0ccb243159ff728b758dde23
Author: Kevin Carter <email address hidden>
Date: Tue Apr 28 12:53:45 2015 -0500

    Updated ldap config to support multi domain

    Enables default domain support using ldap. This change moves the
    ldap config to the default domain and enables domain specific
    drivers.

    Change-Id: I85f6610a25617fdea1fc216b53df0ab30260fed9
    Closes-Bug: 1447768
    (cherry picked from commit b6476c652a0960c8b94843233327537988e6bb87)

OpenStack Infra (hudson-openstack) wrote: Fix proposed to os-ansible-deployment (juno)

Fix proposed to branch: juno
Review: https://review.openstack.org/178893

OpenStack Infra (hudson-openstack) wrote: Fix merged to os-ansible-deployment (juno)

Reviewed: https://review.openstack.org/178893
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=79bce052d778ebaf10167925519ac2b154f5462c
Submitter: Jenkins
Branch: juno

commit 79bce052d778ebaf10167925519ac2b154f5462c
Author: Miguel Grinberg <email address hidden>
Date: Wed Apr 29 18:23:57 2015 -0700

    Updated ldap config to support multi domain

    Enables default domain support using ldap. This change moves the
    ldap config to the default domain and enables domain specific
    drivers.

    Change-Id: I781c0f266e7a6797e8e2ea0bfc7d28254335d5e3
    Closes-Bug: #1447768

OpenStack Infra (hudson-openstack) wrote: Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/178310
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=f79738cf1fc89c5018795a5b67f78433ba243cd5
Submitter: Jenkins
Branch: master

commit f79738cf1fc89c5018795a5b67f78433ba243cd5
Author: Kevin Carter <email address hidden>
Date: Tue Apr 28 12:53:45 2015 -0500

    Updated ldap config to support multi domain

    Enables default domain support using ldap. This change moves the
    ldap config to the default domain and enables domain specific
    drivers.

    Change-Id: I85f6610a25617fdea1fc216b53df0ab30260fed9
    Closes-Bug: 1447768
