Submitter: Jenkins
Branch:    master

commit ac04a51db218215988a54e248b1ac14bc557e1c6
Author: Annapoornima Koppad <>
Date:   Thu Sep 29 15:27:34 2016 +0530

    Updating the document regarding LDAP options
    Closes-bug: #1274581
    Change-Id: I3e334b7290745f3e0cdaaf05b07e942929acff04

** Changed in: keystone
       Status: In Progress => Fix Released

You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).

  keystone ldap identity backend will not work without TLS_CACERT path
  specified in an ldap.conf file

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  I'm on Ubuntu 12.04 using havana 2013.2.1. What I've found is that the
  LDAP identity backend for keystone will not talk to my LDAP server
  (using ldaps) unless I have an ldap.conf that contains a TLS_CACERT
  line. This line duplicates the setting of tls_cacertfile in my
  keystone conf and therefore I don't see why it should be required. The
  rest of my /etc/ldap/ldap.conf file is default/commented out. When I
  don't have this line set I get a SERVER_DOWN error. I am using LDAP
  from a FreeIPA server if that matters.

  Error message from the logs:
  2014-01-30 16:24:17.168 21174 TRACE keystone.common.wsgi SERVER_DOWN: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}

  and from the CLI:
  Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"} (HTTP 500)

  Below are relevant sections of my configs:

  # LDAP Defaults

  # See ldap.conf(5) for details
  # This file should be world readable but not world writable.

  #BASE   dc=example,dc=com
  #URI    ldap:// ldap://

  #SIZELIMIT      12
  #TIMELIMIT      15
  #DEREF          never

  # TLS certificates (needed for GnuTLS)
  TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
  driver = keystone.identity.backends.ldap.Identity
  url = ldaps://
  user = uid=mfischer,cn=users,cn=accounts,dc=example,dc=com
  password = GoBroncos

  use_tls = False
  tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
  # tls_cacertdir =
  tls_req_cert = demand


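The keystone LDAP keys shown in the report (url, use_tls, tls_cacertfile, tls_cacertdir, tls_req_cert) can be sanity-checked before the service is restarted, which makes the SERVER_DOWN failure easier to separate from a genuine certificate-validation problem. The following checker is an added example, not keystone's own code; it assumes the keys live in an `[ldap]` section of keystone.conf, and the hostname and credentials in the embedded sample are constructed placeholders.

```python
import configparser
import os

# Constructed sample in the shape of the [ldap] fragment from the report;
# hostname and bind credentials are placeholders, not values from the bug.
KEYSTONE_CONF = """
[ldap]
url = ldaps://ldap.example.com
user = uid=svc-keystone,cn=users,cn=accounts,dc=example,dc=com
password = REDACTED
use_tls = False
tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
tls_req_cert = demand
"""


def check_ldap_tls(conf_text, file_exists=os.path.isfile):
    """Return a list of findings for the [ldap] section of a keystone.conf.

    file_exists is injectable so the check can run without the real CA file.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    s = cp["ldap"]
    url = s.get("url", "")
    use_tls = s.getboolean("use_tls", fallback=False)   # StartTLS on ldap://
    cafile = s.get("tls_cacertfile", "")
    cadir = s.get("tls_cacertdir", "")
    req = s.get("tls_req_cert", "demand").lower()       # demand | allow | never
    scheme = url.split("://", 1)[0].lower()
    findings = []
    # StartTLS (use_tls) and an already-encrypted ldaps:// URL are mutually exclusive.
    if scheme == "ldaps" and use_tls:
        findings.append("use_tls (StartTLS) cannot be combined with an ldaps:// URL")
    # Plain ldap:// without StartTLS sends the bind password in the clear.
    if scheme == "ldap" and not use_tls:
        findings.append("plaintext ldap:// without use_tls: bind credentials sent in clear")
    encrypted = scheme == "ldaps" or use_tls
    # Without a CA file or directory the server certificate cannot be verified at all.
    if encrypted and not (cafile or cadir):
        findings.append("TLS enabled but no tls_cacertfile/tls_cacertdir configured")
    if encrypted and cafile and not file_exists(cafile):
        findings.append(f"tls_cacertfile {cafile} not readable")
    # Anything weaker than demand accepts an unverifiable server certificate.
    if encrypted and req != "demand":
        findings.append(f"tls_req_cert={req}: server certificate not strictly verified")
    return findings


if __name__ == "__main__":
    for line in check_ldap_tls(KEYSTONE_CONF) or ["no findings"]:
        print(line)
```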