
[Openstack] [Keystone] LDAP identity backend configuration issue

0 votes

Hello,

I am using keystone 0.9.0, RDO OpenStack Icehouse on CentOS 6.5 with

python-keystoneclient-0.9.0-1.el6.noarch
openstack-keystone-2014.1.2.1-1.el6.noarch
python-keystone-2014.1.2.1-1.el6.noarch

In short, I am trying to use external authentication with keystone
identity, where LDAP is used as the backend database for users and groups,
while Kerberos is used for authentication via the HTTPD REMOTE_USER.
Roles/Tenants are used from the MySQL backend.

In /etc/keystone/keystone.conf

# Search base for users. (string value)
user_tree_dn=ou=People,dc=example,dc=com

# LDAP search filter for users. (string value)
user_filter=(&(objectClass=PosixAccount))

# LDAP objectClass for users. (string value)
user_objectclass = posixAccount

# LDAP attribute mapped to user id. (string value)
user_id_attribute = displayName

# LDAP attribute mapped to user name. (string value)
user_name_attribute = displayName

# LDAP attribute mapped to user email. (string value)
user_mail_attribute = mail

I see that, no matter what I change in user_id_attribute,
keystone/auth/plugins/external.py always uses "uid" as its search term.

This creates an issue for REMOTE_USER, since the REMOTE_USER in my
environment includes the domain (for example: "lohit.valleru@example.com").

And whenever I try to authenticate using my Kerberos ticket, with external
authentication configured as:

external=keystone.auth.plugins.external.DefaultDomain

I see the following in the log:

DEBUG keystone.common.ldap.core [-] LDAP search:
dn=ou=People,dc=example,dc=come, scope=1, query=(&(uid=
lohit.valleru@example.com)(objectClass=posixAccount)), attrs=['mail',
'userPassword', 'enabled', 'uid'] search_s
/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:807
2014-10-18 02:34:36.459 5592 DEBUG keystone.common.ldap.core [-] LDAP
unbind unbind_s
/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:777
2014-10-18 02:34:36.460 5592 WARNING keystone.common.wsgi [-] Authorization
failed. Unable to lookup user lohit.valleru@example.com from 172.31.41.104

As you can see above, I do not want it to search with "uid", but instead
with "displayName".

In our LDAP structure, uid just contains the username and does not contain
the domain.

As a workaround, I have tried to use other deprecated classes such as
"external=keystone.auth.plugins.external.LegacyDomain", but I see no
difference.

Also, when I run keystone user-list,

I clearly see that the uid attribute does not pick up my changes in the
configuration file keystone.conf.

In addition to the above issues, I observed that whenever I run keystone
user-role-add, it does pick up my value from the configuration, but it will
not work, since it always gets uid instead of displayName, and a displayName
lookup will not result in a successful return.

May I please request some help regarding the above.

I wish to modify the code, or write my own wrapper around it, but it would be
helpful if I could see any documentation regarding compilation/deployment
of keystone code.

Please do let me know if I need to provide any more information.

Thank you,

Lohit


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
asked Oct 18, 2014 in openstack by Lohit_Valleru (300 points)   1 1 4
retagged Mar 2, 2015 by admin
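To make the behaviour in the post concrete, here is an added model (not Keystone's own code, and not from the poster) of how a REMOTE_USER value and the [ldap] attribute mapping end up in an LDAP search filter like the one in the log. The function names, the LDAP_CFG dict and the sample values are constructed; the DefaultDomain/Domain split rule is an assumption drawn from the plugin names, and the model omits user_filter because the logged query does not show it. The lookup attribute is a parameter so that both the configured displayName and the observed uid filter can be produced, and the value is escaped per RFC 4515 so that whatever comes in through REMOTE_USER cannot alter the filter structure.

```python
# Illustrative model only; hypothetical names, not Keystone's implementation.

# Constructed sample of the [ldap] settings quoted in the post.
LDAP_CFG = {
    "user_tree_dn": "ou=People,dc=example,dc=com",
    "user_objectclass": "posixAccount",
    "user_id_attribute": "displayName",
    "user_name_attribute": "displayName",
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A REMOTE_USER that contains '(', ')', '*' or '\\' must not be able to
    change the shape of the filter it is substituted into.
    """
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def split_remote_user(remote_user, plugin):
    """Model how an external auth plugin turns REMOTE_USER into a username.

    Assumed rule: 'DefaultDomain' keeps the whole REMOTE_USER as the username
    (which is why the domain shows up in the log above); 'Domain' treats the
    part after the last '@' as a domain name. Returns (username, domain).
    """
    if plugin == "DefaultDomain":
        return remote_user, None
    if plugin == "Domain":
        name, sep, domain = remote_user.rpartition("@")
        return (name, domain) if sep else (remote_user, None)
    raise ValueError("unknown plugin %r" % plugin)


def build_user_filter(cfg, username, lookup_attribute=None):
    """Build the search filter a user lookup would issue.

    lookup_attribute defaults to the configured user_id_attribute; passing
    'uid' reproduces the query seen in the poster's log.
    """
    attr = lookup_attribute or cfg["user_id_attribute"]
    term = "(%s=%s)" % (attr, escape_filter_value(username))
    objcls = "(objectClass=%s)" % cfg["user_objectclass"]
    return "(&" + term + objcls + ")"


if __name__ == "__main__":
    remote = "lohit.valleru@example.com"  # constructed, from the post
    for plugin in ("DefaultDomain", "Domain"):
        user, domain = split_remote_user(remote, plugin)
        print(plugin, "->", user, domain)
        print("  configured:", build_user_filter(LDAP_CFG, user))
        print("  observed:  ", build_user_filter(LDAP_CFG, user, "uid"))
```

Running it side by side shows the two separate problems the post describes: with DefaultDomain the "@example.com" suffix stays in the username, and unless the lookup attribute really follows user_id_attribute the filter is built on uid, which in this directory holds only the bare username.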