Why do I get OPERATIONS_ERROR: {'desc': 'Operations error'} when trying to authenticate Keystone to Active Directory?
Environment
- Red Hat OpenStack Platform
- Active Directory
- Keystone
Issue
It is not possible to authenticate to OpenStack while Keystone is using an Active Directory backend. Additionally, keystone.log shows the following traces:
2016-03-21 12:38:48.069 23950 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=True tls_cacertfile=/etc/ssl/certs/aibcacert.pem tls_cacertdir=/etc/ssl/certs/ tls_req_cert=3 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:580
2016-03-21 12:38:48.070 23950 DEBUG keystone.common.ldap.core [-] LDAP bind: who=srv_openstack@ad.aib.pri simple_bind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:896
2016-03-21 12:38:48.070 23950 DEBUG keystone.common.ldap.core [-] LDAP search: base=DC=ad,DC=aib,DC=pri scope=2 filterstr=(&(cn=ceilometer)(objectClass=person)) attrs=['', 'userAccountControl', 'cn', 'mail'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:931
2016-03-21 12:38:48.340 23950 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:904
2016-03-21 12:38:48.340 23950 ERROR keystone.common.wsgi [-] {'desc': 'Operations error'}
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi Traceback (most recent call last):
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 238, in __call__
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi result = method(context, **params)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/token/controllers.py", line 101, in authenticate
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi context, auth)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/token/controllers.py", line 293, in _authenticate_local
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi username, CONF.identity.default_domain_id)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 342, in wrapper
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 353, in wrapper
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 1040, in decorate
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi should_cache_fn)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 651, in get_or_create
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi async_creator) as value:
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/core/dogpile.py", line 158, in __enter__
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi return self._enter()
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/core/dogpile.py", line 98, in _enter
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi generated = self._enter_create(createdtime)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/core/dogpile.py", line 149, in _enter_create
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi created = self.creator()
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 619, in gen_value
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi created_value = creator()
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 1036, in creator
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi return fn(*arg, **kw)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 773, in get_user_by_name
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi ref = driver.get_user_by_name(user_name, domain_id)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap.py", line 87, in get_user_by_name
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi return self.user.filter_attributes(self.user.get_by_name(user_name))
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1497, in get_by_name
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi res = self.get_all(query)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1891, in get_all
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi return super(EnabledEmuMixIn, self).get_all(ldap_filter)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1505, in get_all
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi for x in self._ldap_get_all(ldap_filter)]
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1467, in _ldap_get_all
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi attrs)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 934, in search_s
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi filterstr, attrlist)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 1001, in _paged_search_s
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi rtype, rdata, rmsgid, serverctrls = self.conn.result3(msgid)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/ldap/core.py", line 818, in result3
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi return conn.result3(msg_id, all, timeout)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in result3
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi resp_ctrl_classes=resp_ctrl_classes
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi result = func(*args,**kwargs)
2016-03-21 12:38:48.340 23950 TRACE keystone.common.wsgi OPERATIONS_ERROR: {'desc': 'Operations error'}
Resolution
Please add the following line to the [ldap] section of /etc/keystone/keystone.conf:
[ldap]
...
chase_referrals = False
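An added example (not part of the original article or of Red Hat's tooling): a Python triage script that looks for the pattern in the trace above, a subtree search (scope=2) whose base is the bare domain root followed by 'Operations error' from the same process, and checks whether the [ldap] section already sets chase_referrals = False. Treating a domain-root search base as the trigger is an assumption drawn from general Active Directory referral behaviour, not something this article states; the function names and sample configuration are constructed for illustration.

```python
import configparser
import re

# Constructed sample: two lines trimmed from the trace above, plus a
# hypothetical keystone.conf before and after the change.
SAMPLE_LOG = (
    "2016-03-21 12:38:48.070 23950 DEBUG keystone.common.ldap.core [-] LDAP search: "
    "base=DC=ad,DC=aib,DC=pri scope=2 filterstr=(&(cn=ceilometer)(objectClass=person))\n"
    "2016-03-21 12:38:48.340 23950 ERROR keystone.common.wsgi [-] {'desc': 'Operations error'}\n"
)
CONF_BEFORE = "[ldap]\nuse_tls = True\n"
CONF_AFTER = "[ldap]\nuse_tls = True\nchase_referrals = False\n"

SEARCH_RE = re.compile(r"^\S+ \S+ (\d+) DEBUG .*LDAP search: base=(.+?) scope=(\d)")
ERROR_RE = re.compile(r"^\S+ \S+ (\d+) ERROR .*'desc': 'Operations error'")


def is_domain_root(base):
    """True when every RDN of the base DN is a DC= component."""
    return all(rdn.strip().upper().startswith("DC=") for rdn in base.split(","))


def find_referral_suspects(log_text):
    """Base DNs of subtree searches (scope=2) at a domain root that were
    followed by 'Operations error' from the same process id."""
    last_search, suspects = {}, []
    for line in log_text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            last_search[m.group(1)] = (m.group(2), int(m.group(3)))
            continue
        m = ERROR_RE.match(line)
        if m and m.group(1) in last_search:
            base, scope = last_search.pop(m.group(1))
            if scope == 2 and is_domain_root(base):
                suspects.append(base)
    return suspects


def chase_referrals_disabled(conf_text):
    """True only when [ldap] explicitly sets chase_referrals to a false value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return (cp.has_option("ldap", "chase_referrals")
            and not cp.getboolean("ldap", "chase_referrals"))


def needs_fix(log_text, conf_text):
    """The failure pattern is present and the setting is not yet applied."""
    return bool(find_referral_suspects(log_text)) and not chase_referrals_disabled(conf_text)


if __name__ == "__main__":
    print(find_referral_suspects(SAMPLE_LOG), needs_fix(SAMPLE_LOG, CONF_BEFORE))
```

Feed it the real keystone.log and keystone.conf contents as strings; a search base under an OU is deliberately not flagged.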
