Bug 1204460

related?  https://bugzilla.redhat.com/show_bug.cgi?id=1203744

FYI this was al allinone install with this answerfile:

[root@opens-vdsb ~(keystone_admin)]# cat packstack-answerfile.txt 
[general]
CONFIG_KEYSTONE_SERVICE_NAME=httpd
[root@opens-vdsb ~(keystone_admin)]#

This looks like keystone is misconfigured to contact the LDAP server. It makes sense that it would continue to work for domains, projects etc because this information is typically backed by SQL.

I don't think this is related to keystone being configured by httpd or the linked bug.

Can you provide the keystone.conf file?

sorry it's not available; only have one host for testing and had to rebuild it.

should this occur again i will save the /etc/keystone dir.

Related to bug 1203744 - could be selinux, investigating

Tried to reproduce with packstack all-in-one with answer file (noted in bug 1203744 ).  Failed to reproduce using the curl command in comment 0

From bug 1203744: no issues related to selinux doing all-in-one installation with SSL enabled for AMQP/HTTPD and keystone set to use httpd.

*** This bug has been marked as a duplicate of bug 1203744 ***

This is not a duplicate of 1203744.  This is realted to configuring Keystone for LDAP.

Note: keystone didn't change - this is more likely a packstack/opm issue.

As I understand it, this happens only with keystone+LDAP when using the new httpd default for keystone.

I am able to successfully configure Keystone to use LDAP (IPA from RHEL 7.1).  I am performing a packstack all-in-one install with a default generated answer file (with the exception of password changes).  Keystone is running in httpd due to the new default.  I am then configuring Keystone for LDAP at post-install time, just as we have always supported.  The entire build of the environment is done in automation, so these results can be reproduced by using the scripts located here

  http://git.engineering.redhat.com/git/users/nkinder/osp-vm-factory.git/tree/rhos-ipa-setup

Performing Keystone operations that hit LDAP are working just fine:

------------------------------------------------------------------------------
[rhosuser@rhos ~(keystone_admin_v3)]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.1 (Maipo)
[rhosuser@rhos ~(keystone_admin_v3)]$ rpm -q openstack-keystone
openstack-keystone-2014.2.2-1.el7ost.noarch
[rhosuser@rhos ~(keystone_admin_v3)]$ getenforce
Enforcing
[rhosuser@rhos ~(keystone_admin_v3)]$ sudo audit2allow -a



[rhosuser@rhos ~(keystone_admin_v3)]$ ipa user-add --first test --last user tuser
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser
  GECOS: test user
  Login shell: /bin/sh
  Kerberos principal: tuser
  Email address: tuser
  UID: 1898600011
  GID: 1898600011
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[rhosuser@rhos ~(keystone_admin_v3)]$ openstack user list
+------------+------------+
| ID         | Name       |
+------------+------------+
| admin      | admin      |
| keystone   | keystone   |
| ceilometer | ceilometer |
| cinder     | cinder     |
| demo       | demo       |
| glance     | glance     |
| neutron    | neutron    |
| nova       | nova       |
| swift      | swift      |
| nkinder    | nkinder    |
| tuser      | tuser      |
+------------+------------+
[rhosuser@rhos ~(keystone_admin_v3)]$
------------------------------------------------------------------------------

The initial issue reported here seems to be an environment/configuration issue.  I think we can close this issue as NOTABUG.