I have been inserting debug logging and stack traces into the code base to help
find out what is and is not happening.
- I am able to connect the LDAP backend to our Enterprise Directory and perform a REST “get an unscoped token” from keystone. Following is the result:

Connection: keep-alive
Content-Length: 259
Content-Type: application/json
Date: Fri, 26 Jul 2013 21:49:16 GMT
Vary: X-Auth-Token
X-Subject-Token: cae95a17517245798acb17c47b8eb74b
{
  "token": {
    "issued_at": "2013-07-26T21:49:16.951821Z",
    "extras": {},
    "methods": [
      "password"
    ],
    "expires_at": "2045-04-03T19:49:16.951738Z",
    "user": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "[email protected]",
      "name": "[email protected]"
    }
  }
}
- When I attempt to assign a role to the user:

    keystone user-role-add --user "[email protected]" --role-id 7fb862d10b5c46679b4334eae9c73a46 --tenant-id 9798b027472d4f459d231c005977b3ac

The “identity/controllers/get_users()” method is called instead of the
“get_user_by_name()” method.
Does anyone know why or how to fix this or if what I am trying to do even works?
Regards,
Mark Miller
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Friday, August 02, 2013 4:00 PM
To: OpenStack Development Mailing List; Adam Young ([email protected]); Dolph
Mathews ([email protected]); Yee, Guang
Subject: Re: [openstack-dev] Keystone Split Backend LDAP Question
Hello,
With some minor tweaking of the keystone common/ldap/core.py file, I have been
able to authenticate and get an unscoped token for a user from an LDAP
Enterprise Directory. I want to continue testing but I have some questions that
need to be answered before I can continue.
1. Do I need to add the user from the LDAP server to the Keystone SQL
database or will the H-2 code search the LDAP server?
2. When I performed a “keystone user-list” the following log file entries
were written indicating that keystone was attempting to get all the users on
the massive Enterprise Directory. How do we limit this query to just the one
user or group of users we are interested in?
2013-07-23 14:04:31 DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] In get_connection 6 user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] MY query in _ldap_get_all: (&)
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=People,o=hp.com, scope=2, query=(&), attrs=['businessCategory', 'userPassword', 'hpStatus', 'mail', 'uid']
3. Next I want to acquire a scoped token. How do I assign the LDAP user
to a local project?
Regards,
Mark Miller
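On the two LDAP questions in this thread (the `query=(&)` search that enumerates the whole People tree, and the user-by-name lookup that ends up going through a list-all path), the following is an added example, not code from keystone or from either message. It shows why an empty AND filter matches every entry and how a configured user filter, an objectClass constraint and an escaped uid clause turn the same search into a single-entry lookup. The helper names (`build_user_filter`, `search`), the attribute names and the four-entry directory are all constructed for illustration; the toy evaluator only handles flat equality clauses and is not a directory server.

```python
import re

# Added example (not keystone's or this thread's code): how an LDAP search
# filter narrows what a directory query returns. The thread's log line shows
# query=(&) with scope=2 under the People tree; an empty AND clause matches
# every entry, so the search enumerates the whole directory. All names and
# the directory below are constructed for illustration.

# RFC 4515 escapes for characters that would otherwise alter filter structure.
RFC4515_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value):
    """Escape a caller-supplied assertion value so it is matched literally.
    Without this, a user name of '*' becomes a wildcard and '(' or ')' can
    close or open clauses (LDAP filter injection)."""
    return ''.join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_filter=None, object_class=None, uid=None, uid_attr='uid'):
    """Compose an AND filter from an optional pre-configured user filter
    (a flat equality clause such as '(hpStatus=active)'), an objectClass
    constraint and a single-user uid clause. With nothing configured the
    result is '(&)', the match-everything filter seen in the log."""
    clauses = []
    if user_filter:
        clauses.append(user_filter)
    if object_class:
        clauses.append('(objectClass=%s)' % object_class)
    if uid is not None:
        clauses.append('(%s=%s)' % (uid_attr, escape_filter_value(uid)))
    return '(&%s)' % ''.join(clauses)


def _unescape(value):
    """Reverse RFC 4515 hex escapes (\\2a -> '*') for literal comparison."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def matches(entry, ldap_filter):
    """Toy evaluator for the filters built above: an AND of flat equality
    clauses. A bare '*' value is a presence test, as in LDAP; an escaped
    '\\2a' is the literal character. A real server handles far more."""
    if not (ldap_filter.startswith('(&') and ldap_filter.endswith(')')):
        raise ValueError('only (&...) filters are supported')
    body = ldap_filter[2:-1]
    if not body:
        return True                      # (&) is vacuously true
    for clause in body[1:-1].split(')('):
        attr, _, raw = clause.partition('=')
        have = entry.get(attr)
        if have is None:
            return False
        if raw == '*':
            continue
        if _unescape(raw).lower() != str(have).lower():
            return False
    return True


def search(entries, ldap_filter):
    """Return the entries the filter matches, like a subtree search."""
    return [e for e in entries if matches(e, ldap_filter)]


# Constructed stand-in for the People tree.
DIRECTORY = [
    {'uid': 'alice@example.com', 'objectClass': 'inetOrgPerson', 'hpStatus': 'active'},
    {'uid': 'bob@example.com', 'objectClass': 'inetOrgPerson', 'hpStatus': 'inactive'},
    {'uid': 'svc-build', 'objectClass': 'inetOrgPerson', 'hpStatus': 'active'},
    {'cn': 'cloud-admins', 'objectClass': 'groupOfNames'},
]


def result_counts():
    """How many entries each filter pulls back from the constructed tree."""
    everything = build_user_filter()
    one_user = build_user_filter('(hpStatus=active)', 'inetOrgPerson', 'alice@example.com')
    star_escaped = build_user_filter(uid='*')       # literal '*', not a wildcard
    return {
        everything: len(search(DIRECTORY, everything)),
        one_user: len(search(DIRECTORY, one_user)),
        star_escaped: len(search(DIRECTORY, star_escaped)),
    }


if __name__ == '__main__':
    for f, n in result_counts().items():
        print('%-70s -> %d entries' % (f, n))
```

Running it prints one line per filter: `(&)` returns all four entries, the fully qualified filter returns only the one user, and the escaped `*` returns nothing, which is the point of escaping a caller-supplied name before it goes into a filter. Whatever the actual configuration options are called in a given keystone release, the goal on a large directory is the same: bind, then issue a search whose filter and attribute list are already narrowed to the user or group of interest, rather than pulling the tree back and selecting from it locally.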
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev