Reviewed:  https://review.openstack.org/379334
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ac04a51db218215988a54e248b1ac14bc557e1c6
Submitter: Jenkins
Branch:    master

commit ac04a51db218215988a54e248b1ac14bc557e1c6
Author: Annapoornima Koppad <[email protected]>
Date:   Thu Sep 29 15:27:34 2016 +0530

    Updating the document regarding LDAP options

    Closes-bug: #1274581
    Change-Id: I3e334b7290745f3e0cdaaf05b07e942929acff04

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1274581

Title:
  keystone ldap identity backend will not work without TLS_CACERT path
  specified in an ldap.conf file

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  I'm on Ubuntu 12.04 using havana 2013.2.1. What I've found is that the
  LDAP identity backend for keystone will not talk to my LDAP server
  (using ldaps) unless I have an ldap.conf that contains a TLS_CACERT
  line. This line duplicates the setting of tls_cacertfile in my keystone
  conf and therefore I don't see why it should be required. The rest of
  my /etc/ldap/ldap.conf file is default/commented out. When I don't have
  this line set, I get a SERVER_DOWN error. I am using LDAP from a FreeIPA
  server if that matters.

  Error message from the logs:

    2014-01-30 16:24:17.168 21174 TRACE keystone.common.wsgi SERVER_DOWN: {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"}

  and from the CLI:

    Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': '(unknown error code)', 'desc': "Can't contact LDAP server"} (HTTP 500)

  Below are relevant sections of my configs:

  /etc/ldap/ldap.conf:

    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE   dc=example,dc=com
    #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never

    # TLS certificates (needed for GnuTLS)
    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

  ---------------------

  keystone.conf:

    [identity]
    driver = keystone.identity.backends.ldap.Identity
    ...

    [ldap]
    url = ldaps://ldap.example.com:636
    user = uid=mfischer,cn=users,cn=accounts,dc=example,dc=com
    password = GoBroncos
    ...
    use_tls = False
    tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
    # tls_cacertdir =
    tls_req_cert = demand

  ---------------------

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1274581/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
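The combination the bug report above describes (an ldaps:// URL, use_tls = False, a CA file set only in keystone.conf, and no TLS_CACERT in ldap.conf) can be caught before deployment by a small config check. The script below is an added example, not code from keystone or from the bug report; the sample config texts are constructed to mirror the report, and the parser for ldap.conf is a simplified one that handles only the KEY-value-per-line, '#'-comment format shown above.

```python
import configparser

# Constructed samples mirroring the bug report's configs (not real files).
KEYSTONE_CONF = """
[ldap]
url = ldaps://ldap.example.com:636
use_tls = False
tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
tls_req_cert = demand
"""
LDAP_CONF_NO_CACERT = """
# See ldap.conf(5) for details
#BASE dc=example,dc=com
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
"""
LDAP_CONF_WITH_CACERT = LDAP_CONF_NO_CACERT + "TLS_CACERT /etc/ssl/certs/ca-certificates.crt\n"


def ldap_conf_options(text):
    """Parse ldap.conf(5)-style 'KEY value' lines: '#' lines are comments,
    keys are case-insensitive (normalised to upper case here)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def check_ldap_tls(keystone_text, ldap_conf_text):
    """Return a list of findings; empty means the bug's trigger condition is absent.
    Flags: ldaps:// URL + use_tls = False + tls_cacertfile set in keystone.conf,
    while the system ldap.conf names no CA (TLS_CACERT / TLS_CACERTDIR)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(keystone_text)
    url = cfg.get("ldap", "url", fallback="")
    use_tls = cfg.getboolean("ldap", "use_tls", fallback=False)
    cacertfile = cfg.get("ldap", "tls_cacertfile", fallback="")
    sys_opts = ldap_conf_options(ldap_conf_text)
    has_sys_ca = "TLS_CACERT" in sys_opts or "TLS_CACERTDIR" in sys_opts
    findings = []
    if url.lower().startswith("ldaps://") and not use_tls and cacertfile and not has_sys_ca:
        findings.append(
            "ldaps:// with use_tls = False and tls_cacertfile set, but ldap.conf has no "
            "TLS_CACERT: expect SERVER_DOWN (bug 1274581). Add to ldap.conf: "
            "TLS_CACERT " + cacertfile)
    return findings
```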

