On 08/02/2013 06:59 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
wrote:
Hello,
With some minor tweaking of the keystone common/ldap/core.py file, I
have been able to authenticate and get an unscoped token for a user
from an LDAP Enterprise Directory. I want to continue testing but I
have some questions that need to be answered before I can continue.
1.Do I need to add the user from the LDAP server to the Keystone SQL
database or will the H-2 code search the LDAP server?
No. there is no entry in SQL for the user, only in LDAP.
2.When I performed a "keystone user-list" the following log file
entries were written indicating that keystone was attempting to get
all the users on the massive Enterprise Directory. How do we limit
this query to just the one user or group of users we are interested in?
2013-07-23 14:04:31 DEBUG [keystone.common.ldap.core] LDAP bind:
dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] In
get_connection 6 user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] MY query in
_ldap_get_all: (&)
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] LDAP search:
dn=ou=People,o=hp.com, scope=2, query=(&), attrs=['businessCategory',
'userPassword', 'hpStatus', 'mail', 'uid']
I think this bug is filed here:
https://bugs.launchpad.net/keystone/+bug/1205150
I've grabbed it/
3.Next I want to acquire a scoped token. How do I assign the LDAP user
to a local project?
Use hte normal Keystone api for that. THe project and assignments all
happed in the SQL backend.
Regards,
Mark Miller
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
