3 Replies Latest reply on Apr 14, 2020 6:35 AM by rpellet

    Deploy VIO6 with LDAP, Internal Server Error (HTTP 500)

    rysto Lurker

      Hi

      I'm deploying VIO6 with LDAP, but I can't get users or groups into VIO from LDAP.

      I tried both the port 389 and the port 636 configurations. No change.

      In this POC the Windows Active Directory Server 2019 is configured with its own Certificate Authority.

      root@vio-mgmt01 [ ~ ]# viocli update keystone
      conf:
        keystone:
          identity:
            domain_config_dir: /etc/keystonedomains
            domain_configurations_from_database: "False"
            domain_specific_drivers_enabled: "True"
        ks_domains:
          ost:
            identity:
              driver: ldap
            ldap:
              chase_referrals: false
              group_desc_attribute: description
              group_filter: null
              group_id_attribute: cn
              group_member_attribute: memberOf
              group_members_are_ids: false
              group_name_attribute: sAMAccountName
              group_objectclass: group
              group_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
              page_size: 100
              password: .VIOSecret:viosecret1:spec.ost
              query_scope: sub
              url: ldaps://ad-dc01.vio.xxx.local:636
              use_tls: false
              user: CN=violdapsc,OU=VIO,DC=vio,DC=xxx,DC=local
              user_enabled_attribute: userAccountControl
              user_enabled_mask: 2
              user_filter: null
              user_id_attribute: cn
              user_mail_attribute: mail
              user_name_attribute: userPrincipalName
              user_objectclass: organizationalPerson
              user_pass_attribute: userPassword
              user_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
      ldap_cert:
      - |-
        -----BEGIN CERTIFICATE-----
        **********************************************
        **********************************************
        -----END CERTIFICATE-----
      ldap_domains_admin:
        ost:
          admin_user: admin@vio.xxx.local
          ldap_loadbalancer: false
          servers:
          - name: ldaps://ad-dc01.vio.xxx.local:636
            port: 40001
          start_port: 40000
      ldap_list:
      - ad_domain_controllers: null
        ad_domain_names: vio.xxx.local
        ad_site: null
        admin_user: admin@vio.xxx.local
        chase_referrals: false
        dataChanged: false
        group_desc_attribute: description
        group_filter: null
        group_id_attribute: cn
        group_member_attribute: memberOf
        group_members_are_ids: false
        group_name_attribute: sAMAccountName
        group_objectclass: group
        group_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
        keystone_domain_name: ost
        ldap_loadbalancer: false
        page_size: 100
        passValidation: true
        password: .VIOSecret:viosecret1:spec.ost
        query_scope: sub
        url: ldaps://ad-dc01.vio.xxx.local:636
        use_tls: false
        user: CN=violdapsc,OU=VIO,DC=vio,DC=xxx,DC=local
        user_enabled_attribute: userAccountControl
        user_enabled_mask: 2
        user_filter: null
        user_id_attribute: cn
        user_mail_attribute: mail
        user_name_attribute: userPrincipalName
        user_objectclass: organizationalPerson
        user_pass_attribute: userPassword
        user_tree_dn: OU=VIO,DC=vio,DC=xxx,DC=local
      manifests: {}

      When I try to list the users of the LDAP domain I get error 500:

      openstack user list --domain ost
      Internal Server Error (HTTP 500)

      I also see that keystone-domain-manage shows the status "CrashLoopBackOff".

      Looking at the log:

      + path=/etc/keystonedomains
      + endpt=https://keystone-api.openstack.svc.cluster.local:5000/v3
      + python /tmp/domain-manage-vio.py
      ...
      /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings  InsecureRequestWarning)
      + python /tmp/domain-manage-vio.py '{"admin_user":"admin@vio.xxx.local","ldap_loadbalancer":false,"servers":[{"name":"ldaps://ad-dc01.vio.xxx.local:636","port":40001}],"start_port":40000}' ost
      /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings  InsecureRequestWarning)
      ...
      Traceback (most recent call last):
        File "/tmp/domain-manage-vio.py", line 227, in <module>
          main(sys.argv)
        File "/tmp/domain-manage-vio.py", line 214, in main
          if get_user(keystone, user):
        File "/tmp/domain-manage-vio.py", line 118, in get_user
          user = kc.users.find(name=resource_config['name'], domain=domain)
        File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 86, in func
          return f(*args, **new_kwargs)
        File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 494, in find
          self.collection_key)
        File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 141, in _list
          resp, body = self.client.get(url, **kwargs)
        File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 375, in get
          return self.request(url, 'GET', **kwargs)
        File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 534, in request
          resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
        File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 237, in request
          return self.session.request(url, method, **kwargs)
        File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 890, in request
          raise exceptions.from_response(resp, method, url)
      keystoneauth1.exceptions.http.InternalServerError: Internal Server Error (HTTP 500)

      Any idea what is wrong in this configuration?

      Where can more information about this error be found (in which log)?

        • 1. Re: Deploy VIO6 with LDAP, Internal Server Error (HTTP 500)
          zhenmei Novice
          VMware Employees

          Please attach the VIO support bundle, or the keystone log that includes the messages from when you run "openstack user list --domain ost".

          • 2. Re: Deploy VIO6 with LDAP, Internal Server Error (HTTP 500)
            rysto Lurker

            I would just like to provide an update.

            I reinstalled my POC again and played with the LDAP settings. In the end the config below was working for me.

            On VIO I was able to log in with the domain name "ost" and with the AD users.

            What I have observed is that in the current POC the LDAP connection is not stable enough.

            From time to time in the GUI or in the CLI I get no users displayed. I repeat the command in the CLI immediately and I see the users or groups.

            I'm investigating the error now.

            Active Directory domain name  vio.xxx.local
            Keystone domain name          ost
            Bind user                     CN=violdappsc,OU=T-Users,DC=vio,DC=xxx,DC=local
            Bind password                 *********
            Domain controllers            ad-dc01.vio.xxx.local
            Query scope                   SUB_TREE
            User Tree DN                  OU=VIO,DC=vio,DC=xxx,DC=local
            User Filter
            Group tree DN                 OU=VIO,DC=vio,DC=xxx,DC=local
            Group filter
            LDAP admin user               ldapadmin
            Encryption                    none
            Hostname                      ad-dc01.vio.xxx.local
            Port                          389
            User objectclass              organizationalPerson
            User ID attribute             cn
            User name attribute           sAMAccountName
            User mail attribute           mail
            User password attribute       userPassword
            User enabled bitmask          2
            Group objectclass             group
            Group ID attribute            cn
            Group name attribute          sAMAccountName
            Group member attribute        member
            Group description attribute   description
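
            Between the config in the first post and the one reported as working in reply 2, the LDAP settings that changed are the URL (ldaps on 636 with the private CA cert versus plain ldap on 389), the bind DN, user_name_attribute (userPrincipalName versus sAMAccountName) and group_member_attribute (memberOf versus member). The thread does not establish which of these cleared the HTTP 500. What can be checked independently of Keystone is whether each config's searches return anything at all against the DC. The Python below is an added example, not VIO or Keystone code: it rebuilds the searches Keystone's ldap driver issues for "list users", "find user by name", "list groups" and "groups for user" from a domain config (the user name jdoe and its DN are stand-in values), renders each as an ldapsearch command to replay against the DC, and applies the user_enabled_mask rule to userAccountControl. The two config dicts are constructed from the settings shown in the thread; the bind passwords are not included.

```python
"""Rebuild the LDAP searches Keystone's ldap driver issues for a domain config,
so they can be replayed with ldapsearch before the config is handed to Keystone.

Added example, not VIO or Keystone code. POSTED and WORKING are constructed
from the settings in the thread's first post and reply 2 (no passwords).
"""

# Settings from the first post: ldaps on 636, userPrincipalName, memberOf.
POSTED = {
    "url": "ldaps://ad-dc01.vio.xxx.local:636",
    "user": "CN=violdapsc,OU=VIO,DC=vio,DC=xxx,DC=local",
    "query_scope": "sub",
    "user_tree_dn": "OU=VIO,DC=vio,DC=xxx,DC=local",
    "user_objectclass": "organizationalPerson",
    "user_name_attribute": "userPrincipalName",
    "user_filter": None,
    "user_enabled_attribute": "userAccountControl",
    "user_enabled_mask": 2,
    "group_tree_dn": "OU=VIO,DC=vio,DC=xxx,DC=local",
    "group_objectclass": "group",
    "group_name_attribute": "sAMAccountName",
    "group_member_attribute": "memberOf",
    "group_filter": None,
}

# Settings reply 2 reports as working: plain ldap on 389, sAMAccountName, member.
WORKING = dict(POSTED,
               url="ldap://ad-dc01.vio.xxx.local:389",
               user="CN=violdappsc,OU=T-Users,DC=vio,DC=xxx,DC=local",
               user_name_attribute="sAMAccountName",
               group_member_attribute="member")


def escape_filter(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _and(*parts):
    """AND together the non-empty filter parts; a single part needs no wrapper."""
    parts = [p for p in parts if p]
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def keystone_searches(cfg, user_name="jdoe",
                      user_dn="CN=jdoe,OU=VIO,DC=vio,DC=xxx,DC=local"):
    """Return {operation: (search base, filter)} as Keystone's ldap driver builds them.
    user_name and user_dn are stand-in values for what Keystone fills in at runtime."""
    ocu = "(objectClass=%s)" % cfg["user_objectclass"]
    ocg = "(objectClass=%s)" % cfg["group_objectclass"]
    uf, gf = cfg["user_filter"], cfg["group_filter"]
    by_name = "(%s=%s)" % (cfg["user_name_attribute"], escape_filter(user_name))
    # "groups for user" matches group entries whose group_member_attribute holds
    # the user's DN; on an AD group object that attribute is member.
    member = "(%s=%s)" % (cfg["group_member_attribute"], escape_filter(user_dn))
    return {
        "user list": (cfg["user_tree_dn"], _and(ocu, uf)),
        "user by name": (cfg["user_tree_dn"], _and(ocu, uf, by_name)),
        "group list": (cfg["group_tree_dn"], _and(ocg, gf)),
        "groups for user": (cfg["group_tree_dn"], _and(ocg, gf, member)),
    }


def ldapsearch_command(cfg, operation):
    """ldapsearch invocation that replays one of the searches above against the DC.
    -W prompts for the bind password so it never lands on the command line or in history."""
    base, flt = keystone_searches(cfg)[operation]
    scope = {"sub": "sub", "one": "one", "base": "base"}[cfg["query_scope"]]
    return 'ldapsearch -H %s -D "%s" -W -b "%s" -s %s "%s"' % (
        cfg["url"], cfg["user"], base, scope, flt)


def user_is_enabled(user_account_control, mask=2):
    """Keystone's user_enabled_mask rule: enabled when the masked bits are not all set.
    Bit 0x2 of userAccountControl is AD's ACCOUNTDISABLE flag."""
    return (int(user_account_control) & mask) != mask


def config_diff(a, b):
    """Keys whose values differ between two domain configs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for cfg_name, cfg in (("posted", POSTED), ("working", WORKING)):
        print("# %s config" % cfg_name)
        for op in keystone_searches(cfg):
            print("# %s\n%s" % (op, ldapsearch_command(cfg, op)))
    print("differences:", config_diff(POSTED, WORKING))
    # 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
    print("uac 512 enabled:", user_is_enabled(512), " uac 514 enabled:", user_is_enabled(514))
```

            Run the printed ldapsearch commands with the real bind DN and password against the DC; an empty result for "user by name" or "groups for user" under one config but not the other narrows the problem to that attribute before Keystone is involved, and a user with userAccountControl 514 is reported disabled, which is what the mask of 2 is meant to do.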

            • 3. Re: Deploy VIO6 with LDAP, Internal Server Error (HTTP 500)
              rpellet Enthusiast
              VMware Employees

              Please follow the product documentation to set up LDAP: Configure LDAP Authentication. Pay particular attention to step 5 and the notes for the keystone domain.