Ldap connection with Openstack could not find user: admin

Problem description

I am configuring Ldap with openstack, but when openstack sends a request to my ldap server, an error occurs like could not find user: admin. Logs are below. Ldap server should send its information to my openstack environment. Is the below warning important?

ldap_build_search_req ATTRS: cn userPassword enabled sn mail description

How can I handle this situation?

ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is /var/lib/keystone
ldap_init: trying /var/lib/keystone/ldaprc
ldap_init: trying /var/lib/keystone/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_create
ldap_url_parse_ext(ldap://10.0.0.23)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.0.0.23:389
ldap_new_socket: 18
ldap_prepare_socket: 18
ldap_connect_to_host: Trying 10.0.0.23:389
ldap_pvt_connect: fd: 18 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7f0e31c9b150 msgid 1
wait4msg ld 0x7f0e31c9b150 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f0e31c9b150 msgid 1 all 1
** ld 0x7f0e31c9b150 Connections:
* host: 10.0.0.23  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jun  1 12:11:40 2017


** ld 0x7f0e31c9b150 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f0e31c9b150 request count 1 (abandoned 0)
** ld 0x7f0e31c9b150 Response Queue:
   Empty
  ld 0x7f0e31c9b150 response count 0
ldap_chkResponseList ld 0x7f0e31c9b150 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f0e31c9b150 NULL
ldap_int_select
read1msg: ld 0x7f0e31c9b150 msgid 1 all 1
read1msg: ld 0x7f0e31c9b150 msgid 1 message type bind
read1msg: ld 0x7f0e31c9b150 0 new referrals
read1msg:  mark request completed, ld 0x7f0e31c9b150 msgid 1
request done: ld 0x7f0e31c9b150 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_search_ext
put_filter: "(&(sn=admin)(objectClass=organizationalUnit)(cn=*))"
put_filter: AND
put_filter_list "(sn=admin)(objectClass=organizationalUnit)(cn=*)"
put_filter: "(sn=admin)"
put_filter: simple
put_simple_filter: "sn=admin"
put_filter: "(objectClass=organizationalUnit)"
put_filter: simple
put_simple_filter: "objectClass=organizationalUnit"
put_filter: "(cn=*)"
put_filter: simple
put_simple_filter: "cn=*"
ldap_build_search_req ATTRS: cn userPassword enabled sn mail description
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x7f0e31c9b150 msgid 2
wait4msg ld 0x7f0e31c9b150 msgid 2 (infinite timeout)
wait4msg continue ld 0x7f0e31c9b150 msgid 2 all 1
** ld 0x7f0e31c9b150 Connections:
* host: 10.0.0.23  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jun  1 12:11:40 2017


** ld 0x7f0e31c9b150 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f0e31c9b150 request count 1 (abandoned 0)
** ld 0x7f0e31c9b150 Response Queue:
   Empty
  ld 0x7f0e31c9b150 response count 0
ldap_chkResponseList ld 0x7f0e31c9b150 msgid 2 all 1
ldap_chkResponseList returns ld 0x7f0e31c9b150 NULL
ldap_int_select
read1msg: ld 0x7f0e31c9b150 msgid 2 all 1
read1msg: ld 0x7f0e31c9b150 msgid 2 message type search-result
read1msg: ld 0x7f0e31c9b150 0 new referrals
read1msg:  mark request completed, ld 0x7f0e31c9b150 msgid 2
request done: ld 0x7f0e31c9b150 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_msgfree
2017-06-01 12:11:40.512893 2017-06-01 12:11:40.512 5767 WARNING keystone.auth.plugins.core [req-07b3f423-d9fd-419a-836c-2d59fb53ac9d - - - - -] Could not find user: admin
2017-06-01 12:11:40.513608 2017-06-01 12:11:40.513 5767 WARNING keystone.common.wsgi [req-07b3f423-d9fd-419a-836c-2d59fb53ac9d - - - - -] Authorization failed. Could not find user: admin (Disable insecure_debug mode to suppress these det$

My keystone.ldap.conf is like below

[identity]
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment
[ldap]
url = ldap://10.0.0.23
suffix = dc=openstack,dc=org
user = cn=admin,dc=openstack,dc=org
password = toor
user_tree_dn = ou=Users,dc=openstack,dc=org
user_objectclass = organizationalUnit
group_tree_dn = ou=Groups,dc=openstack,dc=org
group_objectclass = organizationalUnit
use_dumb_member = True
dumb_member = keystone_ldap
page_size = 0
alias_dereferencing = always
query_scope = sub

Ldap structure

# openstack.org
dn: dc=openstack,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: openstack
dc: openstack

# admin, openstack.org
dn: cn=admin,dc=openstack,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# Groups, openstack.org
dn: ou=Groups,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

# Users, openstack.org
dn: ou=Users,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

Inside keystone.conf I did not add any sn property, but ldap is always searching sn=admin as filter.

filter="(&(sn=admin)(objectClass=inetOrgPerson)(cn=*))"

Also, I added the ldap admin as the user field of keystone.conf. Ldap searches for this admin user inside user_tree, but admin is not included in user_tree. If someone knows the working mechanism of keystone ldap, then the problem could be easily solved.

Recommended answer

According to the source code below, keystone adds the filter

filter="(&(sn=admin)(objectClass=inetOrgPerson)(cn=*))"

if you do not specify user_name_attribute. Make

user_name_attribute=cn

https://github.com/openstack/keystone/blob/master/keystone/conf/ldap.py
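
The lookup discussed above, modelled as an added example (not part of the original post and not Keystone's own code): it builds a filter in the shape shown in the log and evaluates it against the LDIF entries from the question under a given search base. The function names and the in-memory matcher are assumptions for illustration; no LDAP server is contacted.

```python
# Simplified model of the user lookup seen in the log; not Keystone's code.
# ENTRIES copies the LDIF posted in the question (attribute names lower-cased).
ENTRIES = {
    "dc=openstack,dc=org": {
        "objectclass": ["top", "dcObject", "organization"],
        "o": ["openstack"], "dc": ["openstack"]},
    "cn=admin,dc=openstack,dc=org": {
        "objectclass": ["simpleSecurityObject", "organizationalRole"],
        "cn": ["admin"], "description": ["LDAP administrator"]},
    "ou=Groups,dc=openstack,dc=org": {
        "objectclass": ["top", "organizationalUnit"], "ou": ["groups"]},
    "ou=Users,dc=openstack,dc=org": {
        "objectclass": ["top", "organizationalUnit"], "ou": ["users"]},
}


def build_filter(name, name_attr="sn", objectclass="inetOrgPerson", id_attr="cn"):
    """Return the filter string and its (attribute, value) AND conditions."""
    conds = [(name_attr, name), ("objectClass", objectclass), (id_attr, "*")]
    text = "(&" + "".join(f"({a}={v})" for a, v in conds) + ")"
    return text, conds


def in_subtree(dn, base):
    """True when dn is base itself or lies below it (query_scope = sub)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search(base, conds):
    """Return DNs under base whose attributes satisfy every AND condition."""
    hits = []
    for dn, attrs in ENTRIES.items():
        if not in_subtree(dn, base):
            continue
        for attr, want in conds:
            values = [v.lower() for v in attrs.get(attr.lower(), [])]
            if not (values if want == "*" else want.lower() in values):
                break
        else:
            hits.append(dn)
    return hits


def lookup(name, name_attr, objectclass, base):
    """Build the filter for one user name and run it under the given base."""
    text, conds = build_filter(name, name_attr, objectclass)
    return text, search(base, conds)
```

Run against the posted directory, the name attribute sn and the name attribute cn both return no entries under ou=Users,dc=openstack,dc=org with objectClass organizationalUnit; the only entry with cn=admin sits directly under dc=openstack,dc=org and has objectClass organizationalRole.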
