Created attachment 1005036 [details]
keystone.log

Description of problem:
Against an IPA server, domains, projects, roles, etc. can all be queried without issue. When querying the user object it fails with an HTTP "500" error.

Version-Release number of selected component (if applicable):
openstack-keystone-2014.2.2-1.el7ost.noarch

How reproducible:
Connect to IPA server; run query.

Steps to Reproduce:
1. Obtain admin_token from /etc/keystone/keystone.conf
2. curl -H "x-auth-token:46a9c5eaba3049b296c9e64fa7a8eacb" http://localhost:35357/v3/users |python -mjson.tool
3.

Actual results:
[root@opens-vdsb keystone]# curl -H "x-auth-token:46a9c5eaba3049b296c9e64fa7a8eacb" http://localhost:35357/v3/users |python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   143  100   143    0     0    905      0 --:--:-- --:--:-- --:--:--   910
{
    "error": {
        "code": 500,
        "message": "An unexpected error prevented the server from fulfilling your request.",
        "title": "Internal Server Error"
    }
}
[root@opens-vdsb keystone]#

Expected results:
Return user list.

Additional info:
Logs show failure with:
2015-03-22 11:16:00.899 9681 TRACE keystone.common.wsgi SERVER_DOWN: {'desc': "Can't contact LDAP server"}

* attaching keystone.log
related? https://bugzilla.redhat.com/show_bug.cgi?id=1203744
FYI this was an all-in-one install with this answerfile:
[root@opens-vdsb ~(keystone_admin)]# cat packstack-answerfile.txt
[general]
CONFIG_KEYSTONE_SERVICE_NAME=httpd
[root@opens-vdsb ~(keystone_admin)]#
This looks like keystone is misconfigured to contact the LDAP server. It makes sense that it would continue to work for domains, projects etc because this information is typically backed by SQL. I don't think this is related to keystone being configured by httpd or the linked bug. Can you provide the keystone.conf file?
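A small triage helper written for this page (it is not from the bug report, packstack or keystone): it reads the [identity] driver and [ldap] url from a keystone.conf text and checks whether the configured LDAP server accepts TCP connections, which is the quickest way to separate the SERVER_DOWN failure in comment 0 from a keystone defect. Only the TCP connect is tested, not an LDAP bind, and the sample configuration used to exercise it is constructed.

```python
"""Check whether keystone's configured LDAP identity backend is reachable.

Option names ([identity] driver, [ldap] url) are the real keystone.conf keys
of this release; everything else here is an added diagnostic, not keystone code.
"""
import configparser
import socket
from urllib.parse import urlsplit

# Default ports for the two URL schemes keystone accepts in [ldap] url.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def ldap_endpoint(conf_text):
    """Return (host, port, driver) if identity is LDAP-backed, else None.

    Domains/projects/roles live in SQL, so only calls that touch the identity
    driver (users, groups) can fail with SERVER_DOWN when this is wrong.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    driver = cp.get("identity", "driver", fallback="")
    if "ldap" not in driver.lower():
        return None
    url = cp.get("ldap", "url", fallback="ldap://localhost")
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 389)
    return parts.hostname, port, driver


def check_ldap_reachable(conf_text, timeout=3.0):
    """Return a dict: backend in use, whether the LDAP host accepts TCP, detail."""
    ep = ldap_endpoint(conf_text)
    if ep is None:
        return {"backend": "sql", "reachable": None,
                "detail": "identity driver is not LDAP; /v3/users never contacts LDAP"}
    host, port, driver = ep
    try:
        # A plain TCP connect reproduces the first step python-ldap takes;
        # a refusal/timeout here is exactly what surfaces as SERVER_DOWN.
        with socket.create_connection((host, port), timeout=timeout):
            return {"backend": "ldap", "reachable": True,
                    "detail": f"{host}:{port} accepts connections ({driver})"}
    except OSError as exc:
        return {"backend": "ldap", "reachable": False,
                "detail": f"{host}:{port}: {exc} (consistent with SERVER_DOWN in keystone.log)"}
```

When `reachable` is False, the fix is in [ldap] url, DNS, firewall or SELinux on the keystone host rather than in keystone itself.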
sorry it's not available; only have one host for testing and had to rebuild it. should this occur again i will save the /etc/keystone dir.
Related to bug 1203744 - could be selinux, investigating
Tried to reproduce with packstack all-in-one with answer file (noted in bug 1203744 ). Failed to reproduce using the curl command in comment 0
From bug 1203744: no issues related to selinux doing all-in-one installation with SSL enabled for AMQP/HTTPD and keystone set to use httpd.
*** This bug has been marked as a duplicate of bug 1203744 ***
This is not a duplicate of 1203744. This is related to configuring Keystone for LDAP.
Note: keystone didn't change - this is more likely a packstack/opm issue.
As I understand it, this happens only with keystone+LDAP when using the new httpd default for keystone.
I am able to successfully configure Keystone to use LDAP (IPA from RHEL 7.1). I am performing a packstack all-in-one install with a default generated answer file (with the exception of password changes). Keystone is running in httpd due to the new default. I am then configuring Keystone for LDAP at post-install time, just as we have always supported.

The entire build of the environment is done in automation, so these results can be reproduced by using the scripts located here:
http://git.engineering.redhat.com/git/users/nkinder/osp-vm-factory.git/tree/rhos-ipa-setup

Performing Keystone operations that hit LDAP are working just fine:

------------------------------------------------------------------------------
[rhosuser@rhos ~(keystone_admin_v3)]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.1 (Maipo)
[rhosuser@rhos ~(keystone_admin_v3)]$ rpm -q openstack-keystone
openstack-keystone-2014.2.2-1.el7ost.noarch
[rhosuser@rhos ~(keystone_admin_v3)]$ getenforce
Enforcing
[rhosuser@rhos ~(keystone_admin_v3)]$ sudo audit2allow -a
[rhosuser@rhos ~(keystone_admin_v3)]$ ipa user-add --first test --last user tuser
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser
  GECOS: test user
  Login shell: /bin/sh
  Kerberos principal: tuser
  Email address: tuser
  UID: 1898600011
  GID: 1898600011
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[rhosuser@rhos ~(keystone_admin_v3)]$ openstack user list
+------------+------------+
| ID         | Name       |
+------------+------------+
| admin      | admin      |
| keystone   | keystone   |
| ceilometer | ceilometer |
| cinder     | cinder     |
| demo       | demo       |
| glance     | glance     |
| neutron    | neutron    |
| nova       | nova       |
| swift      | swift      |
| nkinder    | nkinder    |
| tuser      | tuser      |
+------------+------------+
[rhosuser@rhos ~(keystone_admin_v3)]$
------------------------------------------------------------------------------

The initial issue reported here seems to be an environment/configuration issue. I think we can close this issue as NOTABUG.