Dear All, I have a 3-node openstack (controller + compute + storage node) deployment. I have integrated keystone with OpenLDAP.
I have configured keystone to do authentication through LDAP and assignment from SQL. Here is the configuration entry in keystone.conf:

[identity]
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment

Here is the LDAP schema:

# cat tcl.ldif
dn: dc=TCL
dc: TCL
objectclass: top
objectclass: domain

dn: ou=TCL,dc=TCL
objectClass: organizationalUnit
objectClass: top
ou: TCL

I have manually created the openstack service user and admin user so that the LDAP driver can place the necessary details in the LDAP database. I am able to log in to openstack as admin user and all functionality is working fine post LDAP integration. Here is my LDAP schema with the admin and service user.

# ldapsearch -x -h <localhost> -W -D"dc=Manager,dc=TCL" -b dc=TCL
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=TCL> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# TCL
dn: dc=TCL

# TCL, TCL
dn: ou=TCL,dc=TCL

# a8f8ed812aba458ba42d0fbfc0145bd4, TCL, TCL
dn: cn=a8f8ed812aba458ba42d0fbfc0145bd4,ou=TCL,dc=TCL

# c8d9eef1a2044f08b6ae5eb509ff3c83, TCL, TCL
dn: cn=c8d9eef1a2044f08b6ae5eb509ff3c83,ou=TCL,dc=TCL

# 8c4a189b78204b2c87a9e70997afa4fe, TCL, TCL
dn: cn=8c4a189b78204b2c87a9e70997afa4fe,ou=TCL,dc=TCL

# 5c90951603a444db826eb48672843183, TCL, TCL
dn: cn=5c90951603a444db826eb48672843183,ou=TCL,dc=TCL

# 1c60c85acf3942cebbdec91fea1d9b75, TCL, TCL
dn: cn=1c60c85acf3942cebbdec91fea1d9b75,ou=TCL,dc=TCL

# bbc4d9fa57724d31ba016f572951a474, TCL, TCL
dn: cn=bbc4d9fa57724d31ba016f572951a474,ou=TCL,dc=TCL

# 78839ea49f82468b831efb6c08167360, TCL, TCL
dn: cn=78839ea49f82468b831efb6c08167360,ou=TCL,dc=TCL

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9

Now I am trying to enable the Keystone V3.0 API.
I am following this url: http://www.florentflament.com/blog/setting-keystone-v3-domains.html

ADMIN_TOKEN=$(\
curl http://192.169.0.2:5000/v3/auth/tokens \
    -s \
    -i \
    -H "Content-Type: application/json" \
    -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "domain": { "name": "Default" },
          "name": "admin",
          "password": "I0DzaQ3LkSUpS1eW89"
        }
      }
    },
    "scope": {
      "project": {
        "domain": { "name": "Default" },
        "name": "admin"
      }
    }
  }
}' | grep ^X-Subject-Token: | awk '{print $2}' )

# echo $ADMIN_TOKEN
be1a1c02623740aeb72fa8c2dfdb8bbb

ID_ADMIN_DOMAIN=$(\
curl http://192.169.0.2:5000/v3/domains \
    -s \
    -H "X-Auth-Token: $ADMIN_TOKEN" \
    -H "Content-Type: application/json" \
    -d '
{ "domain": {
    "enabled": true,
    "name": "admin_domain"
  }
}' | jq .domain.id | tr -d '"' )

# echo $ID_ADMIN_DOMAIN
null

I am getting the below error message:

{"error": {"message": "Conflict occurred attempting to store domain. (IntegrityError) (1062, \"Duplicate entry 'admin_domain' for key 'name'\") 'INSERT INTO domain (id, name, enabled, extra) VALUES (%s, %s, %s, %s)' ('ea3e791ffa524ca29e43099682ceee8f', 'admin_domain', 1, '{}')", "code": 409, "title": "Conflict"}}

It says that admin_domain already exists. It seems that by default it comes with admin_domain and the default domain. Here is my domain list.

# curl -X GET -H "X-Auth-token:$ADMIN_TOKEN" http://192.169.0.2:5000/v3/domains | jq '.domains'
[
  {
    "name": "admin_domain",
    "links": {
      "self": "http://192.169.0.2:5000/v3/domains/1fdf6cd4da99480797d3e2a08d6a8591"
    },
    "id": "1fdf6cd4da99480797d3e2a08d6a8591",
    "enabled": true
  },
  {
    "id": "default",
    "name": "Default",
    "description": "Owns users and tenants (i.e. projects) available on Identity API v2.",
    "enabled": true,
    "links": {
      "self": "http://192.169.0.2:5000/v3/domains/default"
    }
  }
]

I have manually added the ID_CLOUD_ADMIN variable.
# ID_CLOUD_ADMIN=1fdf6cd4da99480797d3e2a08d6a8591
# echo $ID_CLOUD_ADMIN
1fdf6cd4da99480797d3e2a08d6a8591

The problem is that when I try to create the cloud_admin user it fails with "Could not find domain".

ID_CLOUD_ADMIN=$(\
curl http://192.169.0.2:5000/v3/users \
    -s \
    -H "X-Auth-Token: $ADMIN_TOKEN" \
    -H "Content-Type: application/json" \
    -d "
{ \"user\": {
    \"description\": \"Cloud administrator\",
    \"domain_id\": \"$ID_ADMIN_DOMAIN\",
    \"enabled\": true,
    \"name\": \"cloud_admin\",
    \"password\": \"password\"
  }
}" | jq .user.id | tr -d '"' )

# echo $ID_CLOUD_ADMIN
null

{"error": {"message": "Could not find domain, null.", "code": 404, "title": "Not Found"}}

Has anybody faced a similar issue? Do I need to delete the existing admin_domain and create it again? I need someone's help to understand it better. Thanks for your time.
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
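The failure chain in the post above (POST /v3/domains answers 409 because admin_domain already exists, jq yields null, and the null is then pasted into the user-create body, which Keystone rejects with "Could not find domain, null") is a good illustration of why a bootstrap script must check each step's status before reusing its output. The following is an added example, not the poster's script and not Keystone project code: it redoes the same token -> domain -> user flow with the Python standard library instead of curl and jq, and adds the two checks the post shows are missing: on a 409 it looks the existing domain up by name (the `name` filter on GET /v3/domains) rather than carrying null forward, and it refuses to send a user-create request whose domain_id is empty. The endpoint and domain name are taken from the post; the user names, the environment variable names for passwords and the helper function names are assumptions.

```python
"""Keystone v3 bootstrap: token -> domain -> user, without carrying a null id forward.

Added example (not from the original mailing-list post, not Keystone project code).
Endpoint and domain name come from the post; user names, password environment
variables and all function names here are placeholders/assumptions.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

KEYSTONE = "http://192.169.0.2:5000/v3"  # endpoint used in the post


def build_auth_body(user, password, project, domain="Default"):
    """Password-auth body scoped to a project (same shape as the post's curl -d payload)."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {"user": {"domain": {"name": domain},
                                      "name": user, "password": password}},
            },
            "scope": {"project": {"domain": {"name": domain}, "name": project}},
        }
    }


def parse_domain_create(status, body):
    """Id of a freshly created domain, or None when the create did not succeed (e.g. 409)."""
    if status == 201 and isinstance(body, dict):
        return body.get("domain", {}).get("id")
    return None


def pick_domain_by_name(listing, name):
    """Id of the domain called `name` in a GET /v3/domains response, or None if absent."""
    for dom in (listing or {}).get("domains", []):
        if dom.get("name") == name:
            return dom.get("id")
    return None


def resolve_domain_id(create_status, create_body, listing, name):
    """Prefer the create result; on 409 Conflict fall back to the lookup by name."""
    domain_id = parse_domain_create(create_status, create_body)
    if domain_id is None and create_status == 409:
        domain_id = pick_domain_by_name(listing, name)
    return domain_id


def build_user_body(name, password, domain_id, description=""):
    """User-create body; refuses an empty domain_id instead of letting Keystone 404 on 'null'."""
    if not domain_id or domain_id == "null":
        raise ValueError("domain_id is empty: resolve the domain before creating the user")
    return {"user": {"name": name, "password": password, "domain_id": domain_id,
                     "enabled": True, "description": description}}


def _request(method, path, token=None, body=None):
    """Minimal HTTP helper: returns (status, headers, parsed JSON or None) for any status."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(KEYSTONE + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Auth-Token", token)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, resp.headers, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, err.headers, (json.loads(raw) if raw else None)


def get_token(user, password, project):
    """POST /v3/auth/tokens; the token is the X-Subject-Token response header."""
    status, headers, _ = _request("POST", "/auth/tokens",
                                  body=build_auth_body(user, password, project))
    if status != 201:
        raise RuntimeError("auth failed with HTTP %d" % status)
    return headers["X-Subject-Token"]


def ensure_domain(token, name):
    """Create the domain, or reuse the existing one of that name when Keystone answers 409."""
    status, _, body = _request("POST", "/domains", token,
                               {"domain": {"name": name, "enabled": True}})
    listing = None
    if status == 409:
        query = urllib.parse.urlencode({"name": name})
        _, _, listing = _request("GET", "/domains?" + query, token)
    domain_id = resolve_domain_id(status, body, listing, name)
    if domain_id is None:
        raise RuntimeError("could not create or find domain %r (HTTP %d)" % (name, status))
    return domain_id


if __name__ == "__main__":
    # Passwords come from the environment so they are not pasted into shell history or mail.
    tok = get_token("admin", os.environ["OS_PASSWORD"], "admin")
    dom = ensure_domain(tok, "admin_domain")
    st, _, created = _request("POST", "/users", tok,
                              build_user_body("cloud_admin", os.environ["CLOUD_ADMIN_PASSWORD"],
                                              dom, "Cloud administrator"))
    print(st, json.dumps(created, indent=2))
```

Run it with OS_PASSWORD and CLOUD_ADMIN_PASSWORD exported; the pure functions (parse_domain_create, pick_domain_by_name, resolve_domain_id, build_user_body) take the raw responses as input, so the 409/lookup logic can be exercised against captured JSON without a live Keystone.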
