
[Openstack] Keystone LDAP auth KeyError: 'options'

0 votes

We have configured Keystone for LDAP authentication via the domain_specific_drivers_enabled setting and a file keystone..conf, and by tcpdump and LDAP server logs it appears to be working to some degree. That is, if the wrong credentials are entered, the response says so. However with the correct credentials, we get:

"An error occurred authenticating. Please try again later."

I'm not sure which of the numerous log entries to post (especially with various debug options enabled), but this seems relevant:

2017-04-20T06:00:09.845090+00:00 node-60 keystone-public: 2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi [req-12ca87a2-d790-4397-b703-7ff6ef11fcd1 - - - - -] 'options'
2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi Traceback (most recent call last):
2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 228, in __call__
2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi     result = method(req, **params)
2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi     auth_context['user_id'], method_names_set):
2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi     mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
2017-04-20 06:00:09.822 17411 ERROR keystone.common.wsgi KeyError: 'options'

I haven't had much luck tracing through those Python files - I can't even see how they relate to each other which suggests they are using function calls from includes and I haven't traced that deeply.

Can anyone help shed light on this?

Thanks,
Greg.


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
asked Apr 20, 2017 in openstack by Gregory_Orange (460 points)   1 1
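
A minimal reproduction of the failure pattern in the traceback above, added here as an illustration; it is not Keystone code and not from the thread. All names, the option key and the user records are hypothetical stand-ins, and the ordering (credential check first, rule check second) is assumed from the behaviour the poster reports.

```python
MFA_RULES_KEY = "mfa_rules"  # placeholder for ro.MFA_RULES_OPT.option_name

# Constructed user references: the SQL-style one carries 'options',
# the LDAP-style one does not (the shape that matches the KeyError).
SQL_USER = {"id": "u-sql", "name": "alice",
            "options": {MFA_RULES_KEY: [["password", "totp"]]}}
LDAP_USER = {"id": "u-ldap", "name": "greg"}


def _satisfies(rules, methods):
    # No rules: any successful method is enough. Otherwise at least one
    # rule must be fully covered by the methods that were used.
    if not rules:
        return True
    return any(set(rule) <= set(methods) for rule in rules)


def check_rules_strict(user_ref, methods):
    """Indexes 'options' directly, like the traceback line: raises
    KeyError when the backend returned a reference without that key."""
    rules = user_ref["options"].get(MFA_RULES_KEY, [])
    return _satisfies(rules, methods)


def check_rules_tolerant(user_ref, methods):
    """Treats a missing 'options' key as 'no MFA rules set'. Note that
    this means rules cannot be enforced for such users at all."""
    rules = user_ref.get("options", {}).get(MFA_RULES_KEY, [])
    return _satisfies(rules, methods)


def authenticate(user_ref, password_ok, methods, checker):
    """Return an HTTP-like status for one login attempt."""
    if not password_ok:
        return 401  # wrong credentials are rejected before the rule check
    try:
        return 200 if checker(user_ref, methods) else 401
    except KeyError:
        return 500  # shown to the user as a generic "try again later"


if __name__ == "__main__":
    for ok in (False, True):
        print("password_ok=%s ->" % ok,
              authenticate(LDAP_USER, ok, ["password"], check_rules_strict))
```

The strict checker fails closed: the login is refused, but as an unhandled error rather than a policy decision, which is why only the correct-password path shows the generic message.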

3 Responses

0 votes

I should have said: This is on OpenStack Ocata, deployed with Fuel.

responded Apr 20, 2017 by Gregory_Orange (460 points)   1 1
0 votes

https://bugs.launchpad.net/keystone/+bug/1662762

I ran into this with an install of Ocata on Ubuntu from packages (not using Fuel). It sounds like you might be hitting this same issue. I was able to resolve it by grabbing core.py from the Ocata version of the fix for this bug and dropping it in place.

Hope that helps.

Kind regards,

-Chris

responded Apr 20, 2017 by Chris_Suttles (500 points)  
0 votes

On 20/4/17 3:16 pm, Chris Suttles wrote:
https://bugs.launchpad.net/keystone/+bug/1662762

I ran into this with an install of Ocata on Ubuntu from packages (not using Fuel). It sounds like you might be hitting this same issue. I was able to resolve it by grabbing core.py from the Ocata version of the fix for this bug and dropping it in place.

Excellent, thank you Chris. The IRC log looks exactly the sort of thing that's happening here, although the core.py in the patch set looks quite different to ours. Plus, the locations don't quite match up:

Our file: /usr/lib/python2.7/dist-packages/keystone/auth/core.py
From the bug: /usr/lib/python2.7/site-packages/keystone/auth/core.py
review.openstack.org: keystone/identity/backends/ldap/core.py (??)

I'll take a closer look next week to see if I can extract the useful bits out of it.

Cheers,
Greg.

responded Apr 20, 2017 by Gregory_Orange (460 points)   1 1