VMware Cloud Community
rysto
Contributor

Deploy VIO6 with LDAP, Internal Server Error (HTTP 500)

Hi

I'm deploying VIO6 with LDAP, but I can't get any User or Group in VIO from LDAP.

I tried both the port 389 and the port 636 configurations. No change.

In this POC the Windows Active Directory Server 2019 is configured with its own Certificate Authority.

root@vio-mgmt01 [ ~ ]# viocli update keystone
conf:
  keystone:
    identity:
      domain_config_dir: /etc/keystonedomains
      domain_configurations_from_database: "False"
      domain_specific_drivers_enabled: "True"
  ks_domains:
    ost:
      identity:
        driver: ldap
      ldap:
        chase_referrals: false
        group_desc_attribute: description
        group_filter: null
        group_id_attribute: cn
        group_member_attribute: memberOf
        group_members_are_ids: false
        group_name_attribute: sAMAccountName
        group_objectclass: group
        group_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
        page_size: 100
        password: .VIOSecret:viosecret1:spec.ost
        query_scope: sub
        url: ldaps://ad-dc01.vio.xxx.local:636
        use_tls: false
        user: CN=violdapsc,OU=VIO,DC=vio,DC=xxx,DC=local
        user_enabled_attribute: userAccountControl
        user_enabled_mask: 2
        user_filter: null
        user_id_attribute: cn
        user_mail_attribute: mail
        user_name_attribute: userPrincipalName
        user_objectclass: organizationalPerson
        user_pass_attribute: userPassword
        user_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
ldap_cert:
- |-
  -----BEGIN CERTIFICATE-----
  **********************************************
  **********************************************
  -----END CERTIFICATE-----
ldap_domains_admin:
  ost:
    admin_user: admin@vio.xxx.local
    ldap_loadbalancer: false
    servers:
    - name: ldaps://ad-dc01.vio.xxx.local:636
      port: 40001
    start_port: 40000
ldap_list:
- ad_domain_controllers: null
  ad_domain_names: vio.xxx.local
  ad_site: null
  admin_user: admin@vio.xxx.local
  chase_referrals: false
  dataChanged: false
  group_desc_attribute: description
  group_filter: null
  group_id_attribute: cn
  group_member_attribute: memberOf
  group_members_are_ids: false
  group_name_attribute: sAMAccountName
  group_objectclass: group
  group_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
  keystone_domain_name: ost
  ldap_loadbalancer: false
  page_size: 100
  passValidation: true
  password: .VIOSecret:viosecret1:spec.ost
  query_scope: sub
  url: ldaps://ad-dc01.vio.xxx.local:636
  use_tls: false
  user: CN=violdapsc,OU=VIO,DC=vio,DC=xxx,DC=local
  user_enabled_attribute: userAccountControl
  user_enabled_mask: 2
  user_filter: null
  user_id_attribute: cn
  user_mail_attribute: mail
  user_name_attribute: userPrincipalName
  user_objectclass: organizationalPerson
  user_pass_attribute: userPassword
  user_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
manifests: {}

When I try to get users from the LDAP domain, I get error 500:

openstack user list --domain ost
Internal Server Error (HTTP 500)

I also see that keystone-domain-manage shows me the status "CrashLoopBackOff".

Looking at the log:

+ path=/etc/keystonedomains
+ endpt=https://keystone-api.openstack.svc.cluster.local:5000/v3
+ python /tmp/domain-manage-vio.py
...
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
+ python /tmp/domain-manage-vio.py '{"admin_user":"admin@vio.xxx.local","ldap_loadbalancer":false,"servers":[{"name":"ldaps://ad-dc01.vio.xxx.local:636","port":40001}],"start_port":40000}' ost
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
...
Traceback (most recent call last):
  File "/tmp/domain-manage-vio.py", line 227, in <module>
    main(sys.argv)
  File "/tmp/domain-manage-vio.py", line 214, in main
    if get_user(keystone, user):
  File "/tmp/domain-manage-vio.py", line 118, in get_user
    user = kc.users.find(name=resource_config['name'], domain=domain)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 86, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 494, in find
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 141, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 375, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 534, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 237, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 890, in request
    raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.InternalServerError: Internal Server Error (HTTP 500)

Any idea what is wrong in this configuration?

Where can more info about this error be found (in which log)?

3 Replies
zhenmei
VMware Employee

Please attach the VIO support bundle, or the keystone log that includes the messages from when you run "openstack user list --domain ost".

rysto
Contributor

I would just like to provide an update.

I reinstalled my POC again and played with the LDAP settings. In the end the config below was working for me.

On the VIO I was able to log in with the domain name "ost" and with the AD users.

What I have observed is that in the current POC the LDAP connection is not stable enough.

From time to time, in the GUI or in the CLI, I get no users displayed. If I immediately repeat the command in the CLI, I see the users or groups.

I'm investigating the error now.

Active Directory domain name  vio.xxx.local
Keystone domain name          ost
Bind user                     CN=violdappsc,OU=T-Users,DC=vio,DC=xxx,DC=local
Bind password                 *********
Domain controllers            ad-dc01.vio.xxx.local
Query scope                   SUB_TREE
User Tree DN                  OU=VIO,DC=vio,DC=xxx,DC=local
User Filter                   (empty)
Group tree DN                 OU=VIO,DC=vio,DC=xxx,DC=local
Group filter                  (empty)
LDAP admin user               ldapadmin
Encryption                    none
Hostname                      ad-dc01.vio.xxx.local
Port                          389
User objectclass              organizationalPerson
User ID attribute             cn
User name attribute           sAMAccountName
User mail attribute           mail
User password attribute       userPassword
User enabled bitmask          2
Group objectclass             group
Group ID attribute            cn
Group name attribute          sAMAccountName
Group member attribute        member
Group description attribute   description

rpellet
VMware Employee

Please follow the product documentation to set up LDAP: "Configure LDAP Authentication". Pay particular attention to step 5 and the notes for the keystone domain.

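As an added example (not code from VIO, Keystone or any poster in this thread), a small Python lint over the settings shown in both of rysto's configs: it flags the memberOf group attribute the failing config used, flags the unencrypted LDAP on port 389 that the working config relies on, and models how Keystone applies user_enabled_mask: 2 to userAccountControl. The two config dicts are constructed from the values in the thread; the finding texts and the check logic are assumptions of this example.

```python
"""Added example (not VIO or Keystone code): lint the Keystone LDAP domain
settings posted in this thread and model how user_enabled_mask is applied."""
from urllib.parse import urlparse

ACCOUNTDISABLE = 0x2  # userAccountControl bit selected by user_enabled_mask: 2

# Constructed subset of the first (failing) config from the thread.
FAILING = {
    "url": "ldaps://ad-dc01.vio.xxx.local:636",
    "use_tls": False,
    "group_member_attribute": "memberOf",
    "user_name_attribute": "userPrincipalName",
    "user_enabled_attribute": "userAccountControl",
    "user_enabled_mask": 2,
}

# Constructed subset of the settings rysto later reported as working
# (Encryption none, port 389, group member attribute 'member', sAMAccountName).
WORKING = dict(FAILING, url="ldap://ad-dc01.vio.xxx.local:389",
               group_member_attribute="member",
               user_name_attribute="sAMAccountName")


def check_domain_config(cfg):
    """Return a list of findings for a ks_domains.<domain>.ldap mapping."""
    findings = []
    scheme = urlparse(cfg["url"]).scheme
    if scheme == "ldap" and not cfg.get("use_tls"):
        findings.append("plaintext: bind password and queries cross the wire unencrypted")
    if scheme == "ldaps" and cfg.get("use_tls"):
        findings.append("use_tls (StartTLS) must not be combined with ldaps://")
    if cfg["group_member_attribute"].lower() == "memberof":
        findings.append("memberOf is a back-link on users; AD groups list members in 'member'")
    if (cfg["user_enabled_attribute"] == "userAccountControl"
            and cfg["user_enabled_mask"] != ACCOUNTDISABLE):
        findings.append("userAccountControl disable bit is 0x2, not %d" % cfg["user_enabled_mask"])
    return findings


def keystone_user_enabled(uac_value, mask=ACCOUNTDISABLE):
    """Keystone's rule for a bitmask: the user is enabled unless every mask bit is set."""
    return (int(uac_value) & mask) != mask


if __name__ == "__main__":
    for label, cfg in (("failing", FAILING), ("working", WORKING)):
        print(label, check_domain_config(cfg))
    # 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
    print(keystone_user_enabled(512), keystone_user_enabled(514))
```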