How to configure keystone with Active Directory when using root DN (dc=example,dc=com) as the user_tree_dn?

Environment

Red Hat Enterprise Linux OpenStack Platform 7.0

Red Hat OpenStack Platform 8.0

Red Hat OpenStack Platform 9.0

Issue

When using the LDAP identity backend against an Active Directory forest with multiple Domain Controllers, configuring the root DN (dc=example,dc=com) as the user_tree_dn (or as the tenant_tree_dn / role_tree_dn) fails with:

"Authorization Failed: Unable to communicate with identity service: {"error":
{"message": "An unexpected error prevented the server from fulfilling your
request. {'info': '000004DC: LdapErr: DSID-0C0906E8, comment: In order to
perform this operation a successful bind must be completed on the connection.,
data 0, v1db1', 'desc': 'Operations error'}", "code": 500, "title": "Internal
Server Error"}}. (HTTP 500)".

Resolution

This happens because python-ldap chases the referrals that Active Directory returns for searches under the root DN, and it follows each referral on a new connection with an anonymous bind. Anonymous LDAP operations are disabled by default in AD for security reasons, so the referred-to Domain Controller rejects the follow-up search with "a successful bind must be completed on the connection" (error 000004DC), which keystone surfaces as the HTTP 500 above.

You can turn off referral chasing system-wide for all OpenLDAP clients, including python-ldap, by adding the following to /etc/openldap/ldap.conf:

REFERRALS off

You can also turn it off for keystone only, in the [ldap] section of /etc/keystone/keystone.conf or of the per-domain file /etc/keystone/domains/keystone.<your_domain>.conf. This setting, when present, overrides whatever /etc/openldap/ldap.conf says:

# Override the system's default referral chasing behavior for
# queries. (boolean value)
chase_referrals=false
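The two settings above interact: a chase_referrals value in the keystone [ldap] section wins, otherwise the REFERRALS line in /etc/openldap/ldap.conf applies, and if neither is present the OpenLDAP client default is to chase referrals. The following script, an added example rather than code from Red Hat or the keystone project, audits a pair of config bodies for exactly the combination this article describes: referral chasing still effective while a *_tree_dn option points at the domain root. The config contents, hostnames and the svc-keystone account are constructed for the example; on a real host you would read the files from disk instead.

```python
import configparser

# Constructed sample of /etc/openldap/ldap.conf (no REFERRALS line, so the
# OpenLDAP default of chasing referrals applies). Not from a real host.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client defaults
BASE       dc=example,dc=com
URI        ldap://ad.example.com
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
"""

# Constructed sample keystone domain config: root DN as user_tree_dn and
# chase_referrals left unset, i.e. the failing configuration from the Issue.
SAMPLE_KEYSTONE_CONF = """\
[identity]
driver = ldap

[ldap]
url = ldap://ad.example.com
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
user_tree_dn = dc=example,dc=com
user_objectclass = person
"""

# The same config after applying the Resolution.
FIXED_KEYSTONE_CONF = SAMPLE_KEYSTONE_CONF + "chase_referrals = false\n"

# Values ldap.conf(5) accepts for REFERRALS.
_LDAP_CONF_TRUE = ("on", "true", "yes")


def ldap_conf_referrals(text):
    """Return the last REFERRALS value in an ldap.conf body, lower-cased, or None if unset."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "REFERRALS":
            value = parts[1].strip().lower()
    return value


def parse_keystone(text):
    """Parse a keystone INI body; interpolation is off because DNs may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def is_root_dn(dn):
    """True when every RDN is a dc= component, i.e. the DN is the AD domain root."""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def root_dn_tree_options(keystone_conf):
    """List the [ldap] *_tree_dn options that point at the domain root."""
    cp = parse_keystone(keystone_conf)
    hits = []
    for opt in ("user_tree_dn", "group_tree_dn", "project_tree_dn",
                "tenant_tree_dn", "role_tree_dn"):
        if cp.has_option("ldap", opt) and is_root_dn(cp.get("ldap", opt)):
            hits.append(opt)
    return hits


def effective_referral_chasing(ldap_conf, keystone_conf):
    """Return (chasing, source): whether python-ldap will chase referrals and which setting decided it.

    Precedence: keystone [ldap] chase_referrals, then ldap.conf REFERRALS,
    then the OpenLDAP client default (chase).
    """
    cp = parse_keystone(keystone_conf)
    if cp.has_option("ldap", "chase_referrals"):
        return cp.getboolean("ldap", "chase_referrals"), "keystone [ldap] chase_referrals"
    sys_value = ldap_conf_referrals(ldap_conf)
    if sys_value is not None:
        return sys_value in _LDAP_CONF_TRUE, "/etc/openldap/ldap.conf REFERRALS"
    return True, "OpenLDAP default (REFERRALS on)"


def audit(ldap_conf, keystone_conf):
    """Flag the failing combination: referrals chased AND a tree DN at the domain root."""
    chasing, source = effective_referral_chasing(ldap_conf, keystone_conf)
    root_opts = root_dn_tree_options(keystone_conf)
    return {
        "chasing": chasing,
        "source": source,
        "root_dn_options": root_opts,
        "at_risk": chasing and bool(root_opts),
    }


if __name__ == "__main__":
    for label, conf in (("unfixed", SAMPLE_KEYSTONE_CONF), ("fixed", FIXED_KEYSTONE_CONF)):
        print(label, audit(SAMPLE_LDAP_CONF, conf))
```

Running it reports the unfixed sample as at risk (chasing decided by the OpenLDAP default, user_tree_dn at the root) and the fixed sample as clean. Adding "REFERRALS off" to the ldap.conf sample instead of editing keystone.conf clears the finding as well, which mirrors the two alternatives given in the Resolution.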

Root Cause

Explanation of LDAP referrals:

When connecting to a Windows Active Directory server in a domain with many Domain Controllers, a search under the root DN returns referrals to other naming contexts. Keystone (through python-ldap) then appears to resolve those referral targets via DNS (for domain.org and DomainDnsZones.domain.org), pick a random Domain Controller from the answer, and bind to it anonymously, which AD rejects. See:

  • https://bugs.launchpad.net/keystone/+bug/1234319
  • https://bugs.launchpad.net/keystone/+bug/1233365

Diagnostic Steps

  • Use Wireshark to capture the LDAP traffic from the keystone node and look for a second connection, opened after the referral, whose bind request is anonymous and whose search is answered with "Operations error".
  • Check /var/log/keystone/keystone.log for the 000004DC "successful bind must be completed" error shown above.