Hi
I'm deploying VIO6 with LDAP, but I can't get users or groups in VIO from LDAP.
I tried both the port 389 and port 636 configurations. No change.
In this POC the Windows Active Directory Server 2019 is configured with its own Certificate Authority.
root@vio-mgmt01 [ ~ ]# viocli update keystone
conf:
  keystone:
    identity:
      domain_config_dir: /etc/keystonedomains
      domain_configurations_from_database: "False"
      domain_specific_drivers_enabled: "True"
  ks_domains:
    ost:
      identity:
        driver: ldap
      ldap:
        chase_referrals: false
        group_desc_attribute: description
        group_filter: null
        group_id_attribute: cn
        group_member_attribute: memberOf
        group_members_are_ids: false
        group_name_attribute: sAMAccountName
        group_objectclass: group
        group_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
        page_size: 100
        password: .VIOSecret:viosecret1:spec.ost
        query_scope: sub
        url: ldaps://ad-dc01.vio.xxx.local:636
        use_tls: false
        user: CN=violdapsc,OU=VIO,DC=vio,DC=xxx,DC=local
        user_enabled_attribute: userAccountControl
        user_enabled_mask: 2
        user_filter: null
        user_id_attribute: cn
        user_mail_attribute: mail
        user_name_attribute: userPrincipalName
        user_objectclass: organizationalPerson
        user_pass_attribute: userPassword
        user_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
  ldap_cert:
  - |-
    -----BEGIN CERTIFICATE-----
    **********************************************
    **********************************************
    -----END CERTIFICATE-----
  ldap_domains_admin:
    ost:
      admin_user: admin@vio.xxx.local
      ldap_loadbalancer: false
      servers:
      - name: ldaps://ad-dc01.vio.xxx.local:636
        port: 40001
      start_port: 40000
ldap_list:
- ad_domain_controllers: null
  ad_domain_names: vio.xxx.local
  ad_site: null
  admin_user: admin@vio.xxx.local
  chase_referrals: false
  dataChanged: false
  group_desc_attribute: description
  group_filter: null
  group_id_attribute: cn
  group_member_attribute: memberOf
  group_members_are_ids: false
  group_name_attribute: sAMAccountName
  group_objectclass: group
  group_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
  keystone_domain_name: ost
  ldap_loadbalancer: false
  page_size: 100
  passValidation: true
  password: .VIOSecret:viosecret1:spec.ost
  query_scope: sub
  url: ldaps://ad-dc01.vio.xxx.local:636
  use_tls: false
  user: CN=violdapsc,OU=VIO,DC=vio,DC=xxx,DC=local
  user_enabled_attribute: userAccountControl
  user_enabled_mask: 2
  user_filter: null
  user_id_attribute: cn
  user_mail_attribute: mail
  user_name_attribute: userPrincipalName
  user_objectclass: organizationalPerson
  user_pass_attribute: userPassword
  user_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
manifests: {}
When I try to list the users of the LDAP domain, I get error 500:
openstack user list --domain ost
Internal Server Error (HTTP 500)
I also see that keystone-domain-manage shows the status "CrashLoopBackOff".
Looking at the log:
+ path=/etc/keystonedomains
+ endpt=https://keystone-api.openstack.svc.cluster.local:5000/v3
+ python /tmp/domain-manage-vio.py
...
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
+ python /tmp/domain-manage-vio.py '{"admin_user":"admin@vio.xxx.local","ldap_loadbalancer":false,"servers":[{"name":"ldaps://ad-dc01.vio.xxx.local:636","port":40001}],"start_port":40000}' ost
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
...
Traceback (most recent call last):
  File "/tmp/domain-manage-vio.py", line 227, in <module>
    main(sys.argv)
  File "/tmp/domain-manage-vio.py", line 214, in main
    if get_user(keystone, user):
  File "/tmp/domain-manage-vio.py", line 118, in get_user
    user = kc.users.find(name=resource_config['name'], domain=domain)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 86, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 494, in find
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 141, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 375, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 534, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 237, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 890, in request
    raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.InternalServerError: Internal Server Error (HTTP 500)
Any idea what is wrong in this configuration?
Where can more information about this error be found (in which log)?
Please attach the VIO support bundle, or the keystone log that includes the message produced when you run "openstack user list --domain ost".
I would just like to provide an update.
I reinstalled my POC again and played with the LDAP settings. In the end, the config below was working for me.
On VIO I was able to log in with the domain name "ost" and with the AD users.
What I have observed is that in the current POC the LDAP connection is not stable enough.
From time to time, in the GUI or in the CLI, no users are displayed. If I repeat the command in the CLI immediately, I see the users or groups.
I'm investigating the error now.
Active Directory domain name: vio.xxx.local
Keystone domain name: ost
Bind user: CN=violdappsc,OU=T-Users,DC=vio,DC=xxx,DC=local
Bind password: *********
Domain controllers: ad-dc01.vio.xxx.local
Query scope: SUB_TREE
User Tree DN: OU=VIO,DC=vio,DC=xxx,DC=local
User Filter: (empty)
Group tree DN: OU=VIO,DC=vio,DC=xxx,DC=local
Group filter: (empty)
LDAP admin user: ldapadmin
Encryption: none
Hostname: ad-dc01.vio.xxx.local
Port: 389
User objectclass: organizationalPerson
User ID attribute: cn
User name attribute: sAMAccountName
User mail attribute: mail
User password attribute: userPassword
User enabled bitmask: 2
Group objectclass: group
Group ID attribute: cn
Group name attribute: sAMAccountName
Group member attribute: member
Group description attribute: description
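The two configurations in this thread differ in a handful of keystone `[ldap]` options (`url`/port, `user_name_attribute`, `group_member_attribute`), and the working one also drops encryption. The script below is an added example, not part of the thread and not VIO's or keystone's own code: it renders a keystone domain-specific config file from a settings dictionary and lints it for the mismatches that commonly make the LDAP backend fail, including the `userAccountControl` bitmask semantics behind `user_enabled_mask: 2`. The settings dictionaries are constructed from the values quoted above; the `tls_cacertfile` key is keystone's own option name for the CA bundle and is assumed here to be the place the `ldap_cert` from the CR ends up.

```python
"""Render and lint a keystone domain-specific LDAP configuration.

Added example (not from the original thread). The settings below are
constructed from the values quoted in the thread, with the CA bundle modelled
as keystone's own `tls_cacertfile` option.
"""
from configparser import ConfigParser
from io import StringIO
from urllib.parse import urlparse

# Bit 2 of Active Directory's userAccountControl is ACCOUNTDISABLE, which is
# why the thread's configs use user_enabled_mask: 2.
ACCOUNTDISABLE = 0x2


def user_is_enabled(user_account_control: int, mask: int = ACCOUNTDISABLE) -> bool:
    """Keystone's mask semantics: the account is enabled when the masked bits are clear."""
    return (user_account_control & mask) == 0


def lint_ldap_settings(s: dict) -> list:
    """Return human-readable findings for a keystone [ldap] settings dict (empty = clean)."""
    findings = []
    scheme = urlparse(s["url"]).scheme
    if scheme == "ldaps" and s.get("use_tls"):
        findings.append("use_tls means StartTLS and cannot be combined with an ldaps:// URL")
    if scheme == "ldaps" and not s.get("tls_cacertfile"):
        findings.append("ldaps:// without tls_cacertfile: the private CA that issued the DC "
                        "certificate must be trusted or the TLS handshake fails")
    if scheme == "ldap" and not s.get("use_tls"):
        findings.append("plain ldap:// without StartTLS: bind password and queries travel unencrypted")
    if (s["group_objectclass"] == "group" and s["group_member_attribute"] != "member"
            and not s.get("group_members_are_ids")):
        findings.append("AD 'group' objects list members in 'member'; 'memberOf' lives on the "
                        "user object, so group membership lookups return nothing")
    if s["user_enabled_attribute"] == "userAccountControl" and s["user_enabled_mask"] != ACCOUNTDISABLE:
        findings.append("userAccountControl's disabled flag is bit 2; user_enabled_mask should be 2")
    return findings


def render_domain_conf(s: dict) -> str:
    """Emit the keystone.<domain>.conf file keystone loads from domain_config_dir."""
    cp = ConfigParser()
    cp["identity"] = {"driver": "ldap"}
    cp["ldap"] = {k: str(v) for k, v in s.items() if v is not None}
    buf = StringIO()
    cp.write(buf)
    return buf.getvalue()


# Constructed from the first (failing) configuration in the thread.
FAILING = {
    "url": "ldaps://ad-dc01.vio.xxx.local:636",
    "use_tls": False,
    "tls_cacertfile": None,          # assumption: CA bundle not yet reaching keystone
    "user": "CN=violdapsc,OU=VIO,DC=vio,DC=xxx,DC=local",
    "user_tree_dn": "OU=VIO,DC=vio,DC=xxx,DC=local",
    "user_objectclass": "organizationalPerson",
    "user_id_attribute": "cn",
    "user_name_attribute": "userPrincipalName",
    "user_enabled_attribute": "userAccountControl",
    "user_enabled_mask": 2,
    "group_tree_dn": "OU=VIO,DC=vio,DC=xxx,DC=local",
    "group_objectclass": "group",
    "group_id_attribute": "cn",
    "group_name_attribute": "sAMAccountName",
    "group_member_attribute": "memberOf",
    "group_members_are_ids": False,
    "query_scope": "sub",
    "page_size": 100,
}

# Constructed from the later working configuration (port 389, no encryption).
WORKING = dict(FAILING,
               url="ldap://ad-dc01.vio.xxx.local:389",
               user_name_attribute="sAMAccountName",
               group_member_attribute="member")

if __name__ == "__main__":
    for label, cfg in (("failing", FAILING), ("working", WORKING)):
        print(f"== {label} ==")
        for f in lint_ldap_settings(cfg):
            print(" -", f)
    print(render_domain_conf(WORKING))
    # userAccountControl 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
    print(user_is_enabled(512), user_is_enabled(514))
```

The lint on the working settings still reports the plaintext `ldap://` bind, which is the trade-off that configuration makes; supplying the AD CA bundle to keystone keeps port 636 usable without turning off verification.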
Please follow the product documentation to set up LDAP (Configure LDAP Authentication). Pay particular attention to step 5 and the notes for the keystone domain.