When installing with the LDAP backend, the install fails at task Ensure_user. This appears to fail before any of the LDAP-specific configs are in place. The keystone log showed "Can't contact LDAP server". I was able to manually connect to the LDAP server using ldapsearch.
2015-06-17 20:48:02.005 5168 ERROR keystone.common.wsgi [-] {'desc': "Can't contact LDAP server"}
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 223, in __call__
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi result = method(context, **params)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/token/controllers.py", line 100, in authenticate
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi context, auth)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/token/controllers.py", line 287, in _authenticate_local
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi username, CONF.identity.default_domain_id)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 202, in wrapper
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 213, in wrapper
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 600, in get_user_by_name
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi ref = driver.get_user_by_name(user_name, domain_id)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 88, in get_user_by_name
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi return self.user.filter_attributes(self.user.get_by_name(user_name))
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1499, in get_by_name
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi res = self.get_all(query)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1781, in get_all
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi return super(EnabledEmuMixIn, self).get_all(ldap_filter)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1507, in get_all
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi for x in self._ldap_get_all(ldap_filter)]
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1469, in _ldap_get_all
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi attrs)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 945, in search_s
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi attrlist_utf8, attrsonly)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 542, in search_s
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi attrlist, attrsonly)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 552, in search_s
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 545, in search_ext_s
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 541, in search_ext
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi timeout,sizelimit,
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi result = func(*args,**kwargs)
2015-06-17 20:48:02.005 5168 TRACE keystone.common.wsgi SERVER_DOWN: {'desc': "Can't contact LDAP server"}
Looking in /etc/keystone/keystone.conf, there was no [LDAP] config section and the folder /etc/keystone/domains had not been created. There was no way to connect to the LDAP server without the config in place. Even after manually adding the LDAP config in /etc/keystone/domains/keystone.Default.conf, the playbooks still fail at ensure user and the logs show it is unable to connect to the LDAP server. This lab is still up and I can pass credentials to anyone who wants to poke around.
AFAIK, the configs are only generated if
keystone_ldap: True
is set. Was this the case?