I have installed the openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
added an Active Directory user "test123" with role admin and tenant admin
successfully.
However when I run keystone user-list it gives me the following error:
Authorization Failed: An unexpected error prevented the server from
fulfilling your request. {'info': '000020D6: SvcErr: DSID-031007DB, problem
5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)
I am not sure why it is looking at the Active Directory for authorization.
In keystone.conf I am only using ldap for the Identity section. The
credential and Assignment sections point to sql.
On Thu, Nov 14, 2013 at 10:17 AM, Avi L <[email protected]> wrote:
> Thanks for your help. So in this case the uid parameter to user-role-add
> will be any of the AD attributes that I specify in the keystone.conf file,
> i.e. sAMAccountName? Also I assume that in this case there will be no
> entries of the user in the local sql users table, nor would any id be
> assigned to individual users by keystone? Also in this case will user-list
> show all the users in the Active Directory under the user tree?
>
> BTW is there a rpm available for havana keystone release for centOS/RHEL?
>
>
> On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <[email protected]> wrote:
>
>> You can assign roles to users in keystoneclient ($ keystone help
>> user-role-add) -- the assignment would be persisted in SQL. openstackclient
>> supports assignments to groups as well if you switch to
>> --identity-api-version=3
>>
>> On Wed, Nov 13, 2013 at 3:08 PM, Avi L <[email protected]> wrote:
>>
>>> Oh ok, so in this case how does the Active Directory user get an id, and
>>> how do you map the user to a role? Is there any example you can point me
>>> to?
>>>
>>>
>>> On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <
>>> [email protected]> wrote:
>>>
>>>> Yes, that's the preferred approach in Havana: Users and Groups via
>>>> LDAP, and everything else via SQL.
>>>>
>>>>
>>>> On Wednesday, November 13, 2013, Avi L wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I understand that the LDAP provider in keystone can be used for
>>>>> authenticating a user (i.e. validate username and password), and it also
>>>>> authorizes it against roles and tenant. However this requires AD schema
>>>>> modification. Is it possible to use AD only for authentication and then
>>>>> use keystone's native database for roles and tenant lookup? The advantage
>>>>> is that then we don't need to touch the enterprise AD installation.
>>>>>
>>>>> Thanks
>>>>> Al
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> -Dolph
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> [email protected]
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>> -Dolph
>>
>>
>>
>
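To make the split Dolph describes concrete (users and groups from Active Directory through the identity driver; tenants, roles and role assignments in SQL), here is an added keystone.conf fragment for a Havana (2013.2) deployment. It is an illustrative example written for this page, not configuration taken from the thread or from the Keystone project, and the host name, bind DN, suffix, tree DNs and group names are placeholders. One point worth keeping in mind when reading it: `keystone user-list` is served by the identity driver, so with this layout it always enumerates the AD user tree, even though role and tenant lookups never touch AD.

```ini
# keystone.conf (Havana, 2013.2): identity from Active Directory, everything
# else in SQL. Example written for this page; hosts, DNs and the service
# account are placeholders.

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Tenants, roles and user/group role assignments live in the Keystone DB,
# so the AD schema is never modified. The tenant_* and role_* options in
# [ldap] below are not consulted with this driver.
driver = keystone.assignment.backends.sql.Assignment

[credential]
driver = keystone.credential.backends.sql.Credential

[ldap]
# Use LDAPS (or use_tls = True for StartTLS) and verify the DC certificate.
# A plain ldap:// URL sends the service-account password and every user's
# password in clear text during the authentication bind.
url = ldaps://dc1.example.com:636
tls_cacertfile = /etc/keystone/ad-ca.pem
tls_req_cert = demand

# Dedicated read-only service account. Keystone only needs to search the
# user tree; passwords are checked by binding as the end user's DN.
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
password = <service-account-password>
suffix = DC=example,DC=com

# Search only the OU that holds cloud users, one level deep, instead of the
# whole domain with query_scope = sub. user_filter further restricts which
# AD accounts Keystone will recognise at all.
user_tree_dn = OU=Cloud Users,DC=example,DC=com
query_scope = one
user_objectclass = person
user_filter = (memberOf=CN=openstack-users,OU=Groups,DC=example,DC=com)

# sAMAccountName becomes the Keystone user id, so that is the value the
# assignment rows in SQL reference and the value passed to user-role-add.
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_attribute_ignore = password,tenant_id,tenants

# AD has no boolean "enabled" attribute: bit 2 (ACCOUNTDISABLE) of
# userAccountControl is set on disabled accounts, so mask it out. 512 is a
# normal enabled account.
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512

# Keystone must never write to the enterprise directory.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Groups (used for v3 group role assignments), also read-only.
group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False

# AD returns at most 1000 entries per search by default (MaxPageSize);
# enable paged results so user-list does not silently truncate.
page_size = 1000
```

With this layout a role is granted from SQL with the AD value of user_id_attribute as the user id, e.g. test123 for the account above (see `keystone help user-role-add` for the exact arguments); no row for the user is created in the SQL users table. The three allow_* = False settings and the read-only service account are what keep the integration "authentication only": even a compromised Keystone host then has no path to create, alter or delete directory objects.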