default_domain_id breaks the ability to map keystone to ldap

Bug #1168726 reported by Sahdev Zala
Affects                        Status        Importance  Assigned to    Milestone
OpenStack Identity (keystone)  Fix Released  Critical    Dolph Mathews
Grizzly                        Fix Released  Critical    Dolph Mathews

Bug Description

After installing grizzly successfully with devstack with the LDAP backend, when a user tries to log in via the Horizon dashboard, authentication is denied with the following error in screen-horizon.log:

[Fri Apr 12 14:40:31 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
[Fri Apr 12 14:40:31 2013] [error] DEBUG:openstack_auth.backend:Authorization Failed: [Errno 111] Connection refused
[Fri Apr 12 14:40:46 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
[Fri Apr 12 14:40:46 2013] [error] DEBUG:openstack_auth.backend:Authorization Failed: [Errno 111] Connection refused
[Fri Apr 12 14:49:45 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
[Fri Apr 12 14:49:45 2013] [error] DEBUG:openstack_auth.backend:Authorization Failed: Unable to communicate with identity service: {"error": {"message": "Could not find domain: default", "code": 404, "title": "Not Found"}}. (HTTP 404)

The failure is due to the fact that no 'default' domain was created in the LDAP tree, which keystone was looking for. The long-term solution may be not to expect a 'default' domain in the LDAP tree in keystone, or to create one automatically (which could be a problem in a read-only LDAP environment though), which seems to be what the sql backend is doing.
The quick solution is to create a 'default' domain specific entry in the LDAP tree when the user selects the option to install LDAP with the KEYSTONE_IDENTITY_BACKEND=ldap option. As a workaround, users with an existing LDAP may need to create the 'default' domain specific entry manually for now.

I have opened a similar bug for devstack here - https://bugs.launchpad.net/devstack/+bug/1168724
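An added triage helper (not part of the bug report, devstack or keystone) that reads horizon log lines in the format quoted above and separates the two failures the report shows: a keystone that cannot be reached at all, and a reachable keystone whose identity backend lacks the domain it was asked for. The sample lines are constructed from the report.

```python
import json
import re

# Constructed sample: the horizon log lines quoted in the bug report above.
SAMPLE_LOG = """\
[Fri Apr 12 14:40:31 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
[Fri Apr 12 14:40:31 2013] [error] DEBUG:openstack_auth.backend:Authorization Failed: [Errno 111] Connection refused
[Fri Apr 12 14:49:45 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
[Fri Apr 12 14:49:45 2013] [error] DEBUG:openstack_auth.backend:Authorization Failed: Unable to communicate with identity service: {"error": {"message": "Could not find domain: default", "code": 404, "title": "Not Found"}}. (HTTP 404)
"""

# Apache error-log prefix followed by the openstack_auth logger's message.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] DEBUG:openstack_auth\.backend:(?P<msg>.*)$')
AUTH_FAILED = 'Authorization Failed: '
DOMAIN_RE = re.compile(r'Could not find domain: (?P<domain>\S+)')


def parse_identity_error(detail):
    """Return the identity service's JSON 'error' object embedded in the message, or None."""
    start, end = detail.find('{'), detail.rfind('}')
    if start == -1 or end == -1:
        return None
    try:
        return json.loads(detail[start:end + 1]).get('error')
    except ValueError:
        return None


def classify(line):
    """Classify one 'Authorization Failed' line; other lines yield None."""
    m = LINE_RE.match(line)
    if not m or not m.group('msg').startswith(AUTH_FAILED):
        return None
    detail = m.group('msg')[len(AUTH_FAILED):]
    result = {'ts': m.group('ts'), 'detail': detail, 'cause': 'unknown'}
    err = parse_identity_error(detail)
    if err is None:
        # No response body from keystone: the service was never reached.
        if 'Connection refused' in detail:
            result['cause'] = 'keystone_unreachable'
        return result
    dm = DOMAIN_RE.search(err.get('message', ''))
    if err.get('code') == 404 and dm:
        # keystone answered but its backend has no such domain (the LDAP case here).
        result['cause'] = 'domain_missing'
        result['domain'] = dm.group('domain')
    else:
        result['cause'] = 'identity_error_%s' % err.get('code')
    return result


def triage(log_text):
    """Return the classified failures found in a block of horizon log text, in order."""
    return [c for c in (classify(l) for l in log_text.splitlines()) if c]
```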

Sahdev Zala (spzala)
summary: - Horizon log-in failure in grizzly with LDAP backend
+ default_domain_id breaks the ability to map keystone to ldap
Sahdev Zala (spzala)
Changed in keystone:
assignee: nobody → Sahdev Zala (spzala)
Dolph Mathews (dolph)
tags: added: grizzly-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/27364

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Critical
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/28197

Changed in keystone:
assignee: Sahdev Zala (spzala) → Dolph Mathews (dolph)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/28423

Changed in keystone:
assignee: Dolph Mathews (dolph) → Sahdev Zala (spzala)
Changed in keystone:
assignee: Sahdev Zala (spzala) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Sahdev Zala (spzala)
Changed in keystone:
assignee: Sahdev Zala (spzala) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Sahdev Zala (spzala)
Changed in keystone:
assignee: Sahdev Zala (spzala) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Sahdev Zala (spzala)
Changed in keystone:
assignee: Sahdev Zala (spzala) → Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → Dolph Mathews (dolph)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/28197
Committed: http://github.com/openstack/keystone/commit/5d26d091e128c474739848cd987ccacb326c5cc8
Submitter: Jenkins
Branch: master

commit 5d26d091e128c474739848cd987ccacb326c5cc8
Author: Dolph Mathews <email address hidden>
Date: Fri May 3 15:55:59 2013 -0500

    Read-only default domain for LDAP (bug 1168726)

    A proper fix to the above was also blocked by bug 1117356, so that's
    fixed here as well (updates properly return the resulting entities).

    Change-Id: I672b90e67545cc1fe65b05ef7f8af5b42ca6afc3

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Jose Castro Leon (jose-castro-leon) wrote :

Could we try to make it available for grizzly as well?

Dolph Mathews (dolph) wrote :

Jose: absolutely- I just refreshed the backport. I want to make sure this lands in 2013.1.2

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/grizzly)

Reviewed: https://review.openstack.org/28423
Committed: http://github.com/openstack/keystone/commit/39c4ca1e2f890e9264643daa415576fe3088ffe2
Submitter: Jenkins
Branch: stable/grizzly

commit 39c4ca1e2f890e9264643daa415576fe3088ffe2
Author: Dolph Mathews <email address hidden>
Date: Fri May 3 15:55:59 2013 -0500

    Read-only default domain for LDAP (bug 1168726)

    NOTE: this patch effectively *removes* a feature new in grizzly
    (multi-domain support for LDAP) in favor of fixing our existing 99% use
    case (proper read-only support for LDAP for a single domain).

    A proper fix to the above was also blocked by bug 1117356, so that's
    fixed here as well (updates properly return the resulting entities).

    Change-Id: I672b90e67545cc1fe65b05ef7f8af5b42ca6afc3

tags: removed: grizzly-backport-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-1 → 2013.2