Ever since upgrading to VIO5 we have started having issues with authenticating users in keystone that is backed by AD. When a user tries to authenticate they will get either a "An error occurred authenticating. Please try again later." or "Unable to retrieve authorized projects." However, when they try again immediately, they will authenticate as normal. In the keystone logs are
"LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection."
On the AD side there are no errors for failed logins. Anyone have experience with this type of error?
Just to close the loop, in case the someone else has this issue. The fixed ended up being to set
chase_referrals = False
in /etc/keystone/keystone.conf on both Openstack controllers. Either that or ensure that LDAP chaining is enabled on the Active Directory side.