Activity log for bug #1644862

Date Who What changed Old value New value Message
2016-11-25 15:14:53 MikeyB bug added bug
2016-11-25 15:17:11 MikeyB description
I have a multi-domain configuration with multiple AD backends in keystone. For one of the AD configurations I've configured a custom tls_cacertfile as follows:
«
[identity]
driver = ldap
[assignment]
driver = ldap
[ldap]
url = ldap://dc1.domain1.ca ldap://dc1.domain1.ca
use_tls = true
…
»
For the other:
«
[identity]
driver = ldap
[assignment]
driver = ldap
[ldap]
url = ldap://dc1.domain2.ca ldap://dc2.domain2.ca
query_scope = sub
use_tls = true
tls_cacertfile = /etc/keystone/domains/domain2-caroot.pem
…
»
What I've observed is that when logging in to domain2 I will get very inconsistent behaviour:
* sometimes fails: "Unable to retrieve authorized projects."
* sometimes fails: "An error occurred authenticating. Please try again later."
* sometimes fails: "Unable to authenticate to any available projects."
* sometimes fails: "Invalid credentials."
* sometimes succeeds
Example traceback from keystone log:
«
2016-11-25 09:54:06.699 27879 INFO keystone.common.wsgi [req-c145506b-69fc-4fc2-9bad-76d77a79e3ca - - - - -] POST http://os-controller.lab.netdirect.ca:5000/v3/auth/tokens
2016-11-25 09:54:07.147 27879 ERROR keystone.common.wsgi [req-c145506b-69fc-4fc2-9bad-76d77a79e3ca - - - - -] {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': 'Connect error'}
2016-11-25 09:54:07.147 27879 ERROR keystone.common.wsgi Traceback (most recent call last):
…
2016-11-25 09:54:07.147 27879 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/ldappool/__init__.py", line 224, in _create_connector
2016-11-25 09:54:07.147 27879 ERROR keystone.common.wsgi     raise BackendError(str(exc), backend=conn)
2016-11-25 09:54:07.147 27879 ERROR keystone.common.wsgi BackendError: {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': 'Connect error'}
»
I've also tried putting a merged tls_cacertfile containing the system default CA roots and the domain2-specific CA root. That felt like it improved but did not fix the problem. The workaround is putting the merged cacertfile into BOTH domain configurations, which should not be necessary. After doing so I haven't had any trouble.
Environment: CentOS 7 using the OpenStack Mitaka release RPMs from:
http://mirror.centos.org/centos/7/cloud/$basearch/openstack-mitaka/
openstack-keystone-9.2.0-1.el7.noarch
2016-11-29 15:33:30 Lance Bragstad nominated for series keystone/mitaka
2016-11-29 15:33:30 Lance Bragstad bug task added keystone/mitaka
2017-05-15 10:26:05 Jon Zhao bug added subscriber Jon Zhao
2017-07-20 21:27:50 Lance Bragstad keystone: status New Triaged
2017-07-20 21:27:52 Lance Bragstad keystone: importance Undecided Low
2017-08-09 22:08:44 Morgan Fainberg keystone/mitaka: status New Won't Fix
2017-08-09 22:09:22 Morgan Fainberg keystone/mitaka: status Won't Fix Fix Released
2017-08-09 22:09:56 Morgan Fainberg keystone/mitaka: status Fix Released Won't Fix
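The error code in the traceback, -8179, is NSS's SEC_ERROR_UNKNOWN_ISSUER: the NSS-linked OpenLDAP client on CentOS 7 could not find the issuer of the domain controller's certificate in the CA file it was using for that StartTLS handshake. The script below is an added example, not code from the keystone project or from the bug reporter. It reads keystone per-domain config files like the two quoted in the report, flags TLS-enabled domains that have no tls_cacertfile of their own, builds the merged bundle (system roots plus every domain-specific root, deduplicated) that the reporter used as a workaround, and prints the openssl s_client command that checks each server against the CA file its domain is configured with. The system bundle path, the file names, and the PEM blocks are constructed for the example; the PEM bodies are placeholders, not real certificates.

```python
import configparser
import os
import re
import tempfile
from urllib.parse import urlsplit

# Assumed location of the distribution CA bundle on CentOS 7; adjust for other systems.
SYSTEM_CA_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_domain_config(path):
    """Read one keystone per-domain config and return its [ldap] TLS settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    if not cp.has_section("ldap"):
        return None
    sec = cp["ldap"]
    hosts = []
    for url in sec.get("url", "").split():  # keystone accepts a space-separated list of URLs
        parts = urlsplit(url)
        hosts.append((parts.hostname, parts.port or (636 if parts.scheme == "ldaps" else 389)))
    return {"use_tls": sec.getboolean("use_tls", fallback=False),
            "tls_cacertfile": sec.get("tls_cacertfile", "").strip() or None,
            "hosts": hosts}


def tls_findings(domains):
    """Flag TLS-enabled domains whose trust anchor is missing or unreadable."""
    findings = []
    for name, cfg in sorted(domains.items()):
        if not cfg["use_tls"]:
            continue
        ca = cfg["tls_cacertfile"]
        if ca is None:
            findings.append((name, "use_tls = true without tls_cacertfile (uses the process-wide default)"))
        elif not os.path.isfile(ca):
            findings.append((name, "tls_cacertfile not found: " + ca))
    return findings


def build_merged_bundle(system_bundle, domains, out_path):
    """Write system roots plus every domain-specific root into one bundle, without duplicates."""
    sources = [system_bundle] + sorted({c["tls_cacertfile"] for c in domains.values() if c["tls_cacertfile"]})
    seen, blocks = set(), []
    for path in sources:
        with open(path) as f:
            for block in _PEM_RE.findall(f.read()):
                key = re.sub(r"\s+", "", block)  # same cert with different line wrapping counts once
                if key not in seen:
                    seen.add(key)
                    blocks.append(block)
    with open(out_path, "w") as f:
        f.write("\n".join(blocks) + "\n")
    return len(blocks)


def verify_commands(domains, default_bundle=SYSTEM_CA_BUNDLE):
    """openssl invocations that repeat keystone's StartTLS trust decision for each server."""
    cmds = []
    for name, cfg in sorted(domains.items()):
        if cfg["use_tls"]:
            ca = cfg["tls_cacertfile"] or default_bundle
            for host, port in cfg["hosts"]:
                cmds.append("openssl s_client -connect %s:%d -starttls ldap -CAfile %s </dev/null" % (host, port, ca))
    return cmds


# Constructed inputs mirroring the two [ldap] sections in the report (placeholder PEM bodies).
def _fake_cert(label):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % label

DOMAIN1_CONF = "[ldap]\nurl = ldap://dc1.domain1.ca ldap://dc1.domain1.ca\nuse_tls = true\n"
DOMAIN2_CONF = ("[ldap]\nurl = ldap://dc1.domain2.ca ldap://dc2.domain2.ca\nquery_scope = sub\n"
                "use_tls = true\ntls_cacertfile = {ca}\n")


def run_demo():
    """Lay the constructed files out in a temp dir, run the checks and return the results."""
    with tempfile.TemporaryDirectory() as workdir:
        sys_ca, d2_ca = os.path.join(workdir, "ca-bundle.crt"), os.path.join(workdir, "domain2-caroot.pem")
        with open(sys_ca, "w") as f:
            f.write(_fake_cert("SYSTEM-ROOT-A") + "\n" + _fake_cert("SYSTEM-ROOT-B") + "\n")
        with open(d2_ca, "w") as f:  # domain2's own root plus a duplicate of a system root
            f.write(_fake_cert("DOMAIN2-ROOT") + "\n" + _fake_cert("SYSTEM-ROOT-A") + "\n")
        domains = {}
        for name, text in (("domain1", DOMAIN1_CONF), ("domain2", DOMAIN2_CONF.format(ca=d2_ca))):
            path = os.path.join(workdir, "keystone.%s.conf" % name)
            with open(path, "w") as f:
                f.write(text)
            domains[name] = parse_domain_config(path)
        merged = build_merged_bundle(sys_ca, domains, os.path.join(workdir, "merged-caroots.pem"))
        return {"domains": domains, "findings": tls_findings(domains),
                "merged_count": merged, "commands": verify_commands(domains, default_bundle=sys_ca)}


if __name__ == "__main__":
    result = run_demo()
    for name, msg in result["findings"]:
        print("%s: %s" % (name, msg))
    print("merged bundle holds %d certificates" % result["merged_count"])
    print("\n".join(result["commands"]))
```

On a real controller, point the script at /etc/keystone/domains/keystone.*.conf and run each printed openssl command; a "Verify return code: 0 (ok)" line for every domain controller, using the CA file its own domain is configured with, is what you expect before blaming the service. `-starttls ldap` needs OpenSSL 1.1.1 or newer. The merged bundle reproduces the reporter's workaround only; it does not explain why the per-domain setting was not honoured consistently, which the report leaves open.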