HUAWEI CLOUD Stack 6.5.0 Alarm and Event Reference 04

ALM-70001 Connection to the LDAP Server Failed

Description

The system periodically checks the connectivity between the Keystone service and the Lightweight Directory Access Protocol (LDAP) server. This alarm is generated when the connection setup fails.

Attribute

  Alarm ID: 70001
  Alarm Severity: Major
  Auto Clear: Yes

Parameters

  Fault Location Info
  • host_id: specifies the ID of the host for which the alarm is generated.

  Additional Info
  • detail_info: provides detailed information about the alarm.
  • host_id: specifies the ID of the host for which the alarm is generated.
  • hostname: specifies the name of the host for which the alarm is generated.

Impact on the System

If Keystone fails to connect to the LDAP server using the provided LDAP URL, username, and password, Keystone cannot query and use user information stored on the LDAP server.

Possible Causes

  • The LDAP URL, username, or password is not configured.
  • The configured LDAP URL, username, or password is incorrect.
  • The network between the Keystone host and the LDAP server is unreachable.
  • The certificate used for connecting to the LDAP over SSL (LDAPS)-based AD server is unavailable.

Procedure

  1. Use PuTTY to log in to the first FusionSphere OpenStack node through the IP address of the External OM plane.

    The default user name is fsp. The default password is Huawei@CLOUD8.

    The system supports both password-based and public-private key pair authentication. If a key pair is used for login, see Using PuTTY to Log In to a Node in Key Pair Authentication Mode for the detailed operations.

    NOTE:
    To obtain the IP address of the External OM plane, search for the required parameter on the Tool-generated IP Parameters sheet of the xxx_export_all.xlsm file exported from HUAWEI CLOUD Stack Deploy during software installation. The parameter names in different scenarios are as follows:
    • Region Type I scenario:

      Cascading system: Cascading-ExternalOM-Reverse-Proxy

      Cascaded system: Cascaded-ExternalOM-Reverse-Proxy

    • Region Type II and Region Type III scenarios: ExternalOM-Reverse-Proxy

  2. Run the following command and enter the password of user root to switch to user root:

    su - root

    The default password of user root is Huawei@CLOUD8!.

  3. Run the following command to disable user logout upon system timeout:

    TMOUT=0

  4. Import environment variables. For details, see Importing Environment Variables.
  5. Run the cps template-instance-list --service keystone keystone command to check whether the alarm is generated for the host running the Keystone service.

    • If yes, go to 7.
    • If no, go to 6.

  6. Manually clear the alarm. If the alarm is generated for the host that does not run the current Keystone service, the Keystone service has been migrated offline, and the alarm cannot be automatically cleared. However, this alarm has no adverse impacts on the current Keystone service, and you can manually clear it.
  7. Perform the required operation based on the alarm cause described in the alarm additional information.

    • If the LDAP URL is not configured, go to 9.
    • If the LDAP username or password is not configured, go to 10.
    • If the LDAP server is unreachable, go to 8.
    • If the configured LDAP username or password is incorrect, go to 10.
    • If "Can not contact LDAP server" is displayed in Additional Info and the protocol used by the connected AD server is changed from LDAP to LDAPS, go to 11.

  8. Run the cps template-params-show --service keystone keystone command to check whether the keystone ldap_url value configured for the LDAP server is correct.

    • If yes, the network between the host and the LDAP server is unreachable. Troubleshoot the connectivity issue and then go to 12.
    • If no, go to 9.

  9. Run the cps template-params-update --service keystone keystone --parameter ldap_url=$ldap_url command to configure the correct URL of the LDAP server ($ldap_url indicates the actual URL of the LDAP server). Then, run the cps commit command to submit the configuration and go to 12.
  10. Perform the following operations to configure the correct username and password for the LDAP server:

    1. Run the following command to enter the secure operation mode:

      cpssafe

      Information similar to the following is displayed:

        please choose environment variable which you want to import:
        (1) openstack environment variable (keystone v3)
        (2) cps environment variable
        (3) openstack environment variable legacy (keystone v2)
        please choose:[1|2|3]
    2. Enter 1 to enable Keystone V3 authentication.

      Information similar to the following is displayed:

      Input command:
    3. Run the following command:

      cps template-params-update --service keystone keystone --parameter ldap_user=$ldap_user ldap_password=$ldap_password

      Enter the correct LDAP username and password ($ldap_user indicates the LDAP username and $ldap_password indicates the LDAP password), and press Enter. If no exception information is displayed, run the cpssafe command again and enter 1. Information similar to the following is displayed:

      Input command:

      Enter and run the following command:

      cps commit

      Go to 12.

  11. Verify whether the configured certificate is available.

    1. Copy the certificate content to a temporary file (for example, named ldap.crt).
    2. Run the following command:

      openssl s_client -connect $ldap_address:$ldaps_port -CAfile ldap.crt

      $ldap_address and $ldaps_port can be obtained from the keystone ldap_url value queried by running the cps template-params-show --service keystone keystone command. For example, if the keystone ldap_url value is ldaps://NMSserver.test.com, the $ldap_address value is NMSserver.test.com, and the $ldaps_port value is the port specified in the URL. If the port is not specified, port 636 is used by default.

      ldap.crt indicates the temporary certificate file saved in 11.a.

      The command output contains server certificate information:

      CONNECTED
      ...
      ...
      ...
      Server certificate
      -----BEGIN CERTIFICATE-----
      MIIELDCCAxSgAwIBAgIRdhs0KyZh2aLKHYpP0ms8XfUwDQYJKoZIhvcNAQELBQAw
      czELMAkGA1UEBhMCQ04xDzANBgNVBAoTBkh1YXdlaTEmMCQGA1UECxMdV2lyZWxl
      c3MgTmV0d29yayBQcm9kdWN0IExpbmUxKzApBgNVBAMTIkh1YXdlaSBXaXJlbGVz
      cyBOZXR3b3JrIFByb2R1Y3QgQ0EwHhcNMTUxMjEwMDEyMTIxWhcNMjUxMjA3MDEy
      MTIxWjAmMSQwIgYDVQQDExtDbG91ZE9wZXJhIE9yY2hlc3RyYXRvci1ORlYwggEi
      MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDin1/fJeQxAQdlfo54C1oTJCnX
      pRuQg6OycSV/L8ev7U/TSHicgXjm4YTaFAAzT1NNBvx+Y+fhyq9q1Wad3QNLCTCj
      GuyN+7iIQr2jG0Kbp7DsI0lls7+pdV+Ns78cdQUm1fo+W8v+nYqla4gBRZuqSjMg
      rpif7Q5vyjCT8krHQbz+DKMjnzMP9MweGiWPwbwBY2923l0By7kcMABFCDU4pii3
      jS2g4Y1Qvg2cQodb5BxkeuQ2zrMzP9zC/kezrEX8ONzqsnxBBCvrl4hcFc5Ki14+
      NK8S7IWuTc2YSJ5zC1voj7HIw80urcVPoZPA4rimGC2hl+gb3fW7shMjMAcTAgMB
      AAGjggEGMIIBAjAfBgNVHSMEGDAWgBRecBfcb6QHSAM3h/49tMcg1ja40DBhBgNV
      HSAEWjBYMFYGBFUdIAAwTjBMBggrBgEFBQcCARZAaHR0cDovL3d3dy5zdXBwb3J0
      Lmh1YXdlaS5jb20vcGtpL3JlcG9zaXRvcnkvSHV3ZWlFcXVpbWVudENBLmNwczAJ
      BgNVHRMEAjAAMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9zdXBwb3J0Lmh1YXdl
      aS5jb20vc3VwcG9ydC9wa2kvY3JsMjkxNS5jcmwwDgYDVR0PAQH/BAQDAgP4MB0G
      A1UdDgQWBBT7Rxj5sK4k6MylnHwEWyBfDgR1JTANBgkqhkiG9w0BAQsFAAOCAQEA
      W0PFm88wquPrzFByR69ltUoh5RGywvCXECGW+1XRwAPPuZk8tcdp3WACfRmDcXIm
      cF1XaNxT3brEDEhXts06YEjN07P1wVLngNG/9GQMtz73C7YpoUui2r0sjcVeIUo0
      GGimcmFcxiam0lUGZw3WkgtKRAf2DieFix9dbktlg2tXxB127AL8MplU7eWh37l4
      q37/IKWFNpx17YYf62fMLhDrNMB8HGi0Mf5FNhwjLxBzQdTGM0S/nTdhVNR2fLjq
      J3s9tDB9vfY3fJ6TXTGgNLtsSWNs0DHci9RN8mCHVz+iORLcxQ5QMT8Ni06Wnlpz
      1sPBtLLrKgLnsNUnmA8faw==
      -----END CERTIFICATE-----
      ...
      ...
      ...
    3. Run the vi command to create a temporary file, such as server.crt, and copy the server certificate content to the file.
    4. Run the following command to verify whether the certificate configured on the local PC is valid:

      openssl verify -verbose -CAfile $ldap.crt $server.crt

      $ldap.crt indicates the temporary certificate file created in 11.a. $server.crt indicates the temporary server certificate file created in 11.c.

      Information similar to the following is displayed:

      server.crt: C = CN, O = Huawei, CN = Huawei Equipment CA
      error 18 at 0 depth lookup:self signed certificate
      OK

      If the command output contains "OK", the certificate configured on the local PC passes the verification. In this case, go to 12.

      Otherwise, the certificate in use does not pass the verification. In this case, contact the AD administrator or see the Microsoft online help to obtain the correct public key certificate.

  12. After 1 to 2 minutes, check whether the alarm is cleared.

    • If yes, no further action is required.
    • If no, go to 7 to perform the check again.
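Steps 11.b to 11.d carried out as one script, as an added example; it is not part of Huawei's documentation or tooling. It assumes that the configured CA certificate has already been saved to a file such as ldap.crt, that the ldap_url value has the ldaps://host[:port] shape shown in step 11.b (port 636 when none is given, 389 for ldap://), and that openssl is on the path. The function names ldap_url_host, ldap_url_port and check_ldaps_cert are this example's own.

```bash
#!/bin/sh
# Added example (not part of Huawei's documentation or tooling): fetch the certificate
# presented by the AD server named in the Keystone ldap_url and verify it against the
# configured CA certificate file, i.e. steps 11.b to 11.d in one pass.
# Function names and the port defaults (636 for ldaps://, 389 for ldap://) are assumed.

# Strip the scheme and any path, leaving "host", "host:port" or "[v6addr]:port".
ldap_url_hostport() {
    rest=${1#*://}
    printf '%s\n' "${rest%%/*}"
}

# Default port when the URL carries none.
ldap_url_default_port() {
    case $1 in
        ldaps://*) echo 636 ;;
        *)         echo 389 ;;
    esac
}

ldap_url_host() {
    hp=$(ldap_url_hostport "$1")
    case $hp in
        \[*\]*) h=${hp%%]*}; printf '%s\n' "${h#\[}" ;;   # IPv6 literal in brackets
        *:*)    printf '%s\n' "${hp%%:*}" ;;
        *)      printf '%s\n' "$hp" ;;
    esac
}

ldap_url_port() {
    hp=$(ldap_url_hostport "$1")
    case $hp in
        \[*\]:*) printf '%s\n' "${hp##*]:}" ;;
        \[*\])   ldap_url_default_port "$1" ;;
        *:*)     printf '%s\n' "${hp##*:}" ;;
        *)       ldap_url_default_port "$1" ;;
    esac
}

# check_ldaps_cert CA_FILE LDAP_URL
# Retrieves the server certificate (the PEM block "openssl s_client" prints in step 11.b),
# stores it in a temporary file (step 11.c) and runs "openssl verify" against CA_FILE
# (step 11.d). Returns 0 only when the verification reports OK.
check_ldaps_cert() {
    ca=$1
    host=$(ldap_url_host "$2")
    port=$(ldap_url_port "$2")
    srv=$(mktemp) || return 1
    # </dev/null ends the TLS session right away; -servername sends SNI for the host.
    if ! openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$ca" \
            </dev/null 2>/dev/null | openssl x509 -outform PEM >"$srv" 2>/dev/null; then
        echo "no certificate retrieved from $host:$port" >&2
        rm -f "$srv"
        return 1
    fi
    openssl verify -verbose -CAfile "$ca" "$srv"
    rc=$?
    rm -f "$srv"
    return $rc
}

# Usage (file name assumed): sh ldaps_check.sh ldap.crt ldaps://NMSserver.test.com
if [ $# -ge 2 ]; then
    check_ldaps_cert "$1" "$2"
fi
```

The verify step runs the same command as 11.d against the certificate the server actually presents, so a mismatch between the CA file in Keystone's configuration and the AD server's current certificate shows up as a non-zero exit status rather than having to be read off the screen. Note that "openssl x509" keeps only the first certificate of the chain; if the AD server also sends an intermediate CA, that intermediate must either be contained in the CA file or be passed to "openssl verify" with -untrusted.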

Related Information

None

Updated: 2019-08-30

Document ID: EDOC1100062365