Standing up the environment with the integrated database is easy enough; however, if you want to add Active Directory into the mix it gets more fun.
During this I encountered the following issues:
- No way to change without blowing away the deployment and re-deploying.
- Error messages were often misleading.
- AD Structure very Important
- Forward Slashes in AD “cn” are BAD!!
- Users without a UPN cause issues.
Ok, those are the issues so what are the solutions?
The two most important servers are controller-0 and controller-1. Get shell access to them both; you can do this via the management server as the user “viouser”.
You then run “sudo su -”, after which you can ssh without a password to all the other OpenStack servers.
No way to change without blowing away the deployment and re-deploying.
Sorry, I couldn’t see a way to easily do this; HOWEVER, it should be possible to do by editing /etc/keystone.conf.
Error messages were often misleading
No fix for this; however, it is worth noting that if you get errors in the web interface while the commands are running fine via the CLI, check /var/log/apache2/error.log.
AD Structure very Important
If your structure is:
you will have issues, as Keystone expects that the service account you are using to bind to AD and the primary “Admin” account you will use to configure will be in the same basedn as all the users.
The following structure will work:
The deployment will also limit you to 1000 results; this can be worked around.
Basically, either apply a really strict filter or use a lower OU for the initial deployment. Then log in to the two controllers, stop the OpenStack services, edit the file /etc/keystone.conf to remove the filter / lower OU, and restart the services one at a time.
Example edit below.
— keystone.conf 2015-12-09 15:58:24.995261389 +0000
+++ keystone.conf 2015-12-09 15:55:17.969324578 +0000
@@ -57,8 +57,8 @@
alias_dereferencing = default
debug_level = 0
chase_referrals = False
-user_tree_dn = ou=
+user_tree_dn = DC=example,DC=com
+user_filter = (!(objectClass=computer))(!(msExchResourceMetaData=ResourceType:Room))(!(userAccountControl:1.2.840.113522.214.171.1243:=2))(userPrincipalName=*)
user_objectclass = organizationalPerson
user_id_attribute = cn
user_name_attribute = userPrincipalName
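Review bot: in the added user_filter line, the matching-rule OID in the userAccountControl clause (1.2.840.113522.214.171.1243) is not Active Directory's bitwise-AND rule, which is 1.2.840.113556.1.4.803, so the disabled-account exclusion cannot be relied on as written; the clause should read (!(userAccountControl:1.2.840.113556.1.4.803:=2)). The filter is also a bare run of clauses with no enclosing (&...), which is only valid if the consumer wraps it in its own AND, so a comment stating that dependency would help. In the context lines, user_id_attribute = cn keys every object on a value that can contain characters such as "/"; worth a note in the file if that is intentional.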
Users without a UPN cause issues
The above filter is probably slightly overkill but works for me. It filters out computers, MS Exchange rooms, disabled user accounts and accounts with no User Principal Name set. If you don’t at the very least filter out users without a UPN, the WebGUI will fail to allow you to manage Projects etc. You will see the following error in the weblogs:
[:error] [pid 6333:tid 140267304032000] AttributeError: name
Forward Slashes in AD “cn” are BAD!!
This one was a PAIN. Basically whenever I tried to access the domain and “manage it” it errored with the message:
Error: Unable to retrieve group list. Please try again later.
When looking at the weblogs we can see that the group “My Test Group” is URL-safe but is trying to reach the endpoint XXX/roles, whereas all the other groups in the log just tried to get to /roles. Where did the XXX come from? Digging into my AD, someone had cleverly named a group “My Test Group/XXX”. Not really sure why, but it seems the values returned from AD are not being completely made safe.
[:error] [pid 2413:tid 140186385520384] DEBUG:urllib3.connectionpool:"GET /v3/domains/default/groups/My%20Test%20Group/XXX/roles HTTP/1.1" 404 93
[:error] [pid 2413:tid 140186385520384] RESP:[Wed Dec 09 09:51:17.968616 2015] [:error] [pid 2413:tid 140186385520384] Request returned failure status: 404
Other error messages related to UPN & AD group with “/” in the name. (Can’t recall which of them caused it, but the following error was on rename of a project.)
Error: Failed to modify 0 project members, update project groups and update project quotas.
Error: Unable to modify project "Test".
However, while the error was thrown, in actuality the Project was updated, so the error was purely in the web response.
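The request path in the log above can be reproduced with default URL quoting, which escapes the spaces but leaves “/” alone. The following is an added example, not code from the original post or from Keystone/Horizon; `roles_path`, `audit_entries` and `SAMPLE_ENTRIES` are hypothetical names, the entries are constructed, and it assumes the client builds the path with default quoting. The audit function flags the two directory conditions described in this post before they reach the web interface.

```python
from urllib.parse import quote

# Constructed sample entries standing in for LDAP search results.
SAMPLE_ENTRIES = [
    {"cn": "My Test Group", "kind": "group", "userPrincipalName": None},
    {"cn": "My Test Group/XXX", "kind": "group", "userPrincipalName": None},
    {"cn": "alice", "kind": "user", "userPrincipalName": "alice@example.com"},
    {"cn": "svc-legacy", "kind": "user", "userPrincipalName": None},
]


def roles_path(group_id, safe="/"):
    """Build the group roles path; quote() keeps '/' unescaped by default."""
    return "/v3/domains/default/groups/%s/roles" % quote(group_id, safe=safe)


def audit_entries(entries, id_attr="cn"):
    """Return (id, reason) pairs for entries that will break URL routing
    (a '/' in the id attribute) or the UPN-based user name mapping."""
    findings = []
    for entry in entries:
        ident = entry.get(id_attr) or ""
        if "/" in ident:
            findings.append((ident, "'/' in id attribute splits the URL path"))
        if entry["kind"] == "user" and not entry.get("userPrincipalName"):
            findings.append((ident, "user has no userPrincipalName"))
    return findings


if __name__ == "__main__":
    bad = "My Test Group/XXX"
    print("default quoting:", roles_path(bad))           # extra path segment
    print("strict quoting: ", roles_path(bad, safe=""))  # slash becomes %2F
    for ident, reason in audit_entries(SAMPLE_ENTRIES):
        print("FLAG %-20s %s" % (ident, reason))
```

Encoding the slash is not always enough on its own, since Apache rejects `%2F` in request paths unless `AllowEncodedSlashes` is enabled; renaming the object or using an id attribute that cannot contain “/” is the more dependable fix.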