I have installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I added a active directory user "test123" with role admin and tenant admin successfully.
However when I run keystone user-list if gives me the following error: Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': '000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500) I am not sure why it is looking at the Active Directory for authorization? In keystone.conf I am only using ldap for the Identity section. The credential and Assignment points to sql. On Thu, Nov 14, 2013 at 10:17 AM, Avi L <aviost...@gmail.com> wrote: > Thanks for your help. So in this case the uid parameter to user-role-add > will be any of the AD attribute that I specify in the keystone.conf file , > i.e sAMAccountname? Also I assume that in this case there will be no > entries of the user in the local sql users table , nor would any id > assigned to individual users by keystone? Also in this case will user-list > show all the users in the Active Directory under the user tree? > > BTW is there a rpm available for havana keystone release for centOS/RHEL? > > > On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <dolph.math...@gmail.com>wrote: > >> You can assign roles to users in keystoneclient ($ keystone help >> user-role-add) -- the assignment would be persisted in SQL. openstackclient >> supports assignments to groups as well if you switch to >> --identity-api-version=3 >> >> On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviost...@gmail.com> wrote: >> >>> Oh ok so in this case how does the Active Directory user gets a id , and >>> how do you map the user to a role? Is there any example you can point me >>> to? >>> >>> >>> On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews < >>> dolph.math...@gmail.com> wrote: >>> >>>> Yes, that's the preferred approach in Havana: Users and Groups via >>>> LDAP, and everything else via SQL. >>>> >>>> >>>> On Wednesday, November 13, 2013, Avi L wrote: >>>> >>>>> Hi, >>>>> >>>>> I understand that the LDAP provider in keystone can be used for >>>>> authenticating a user (i.e validate username and password) , and it also >>>>> authorize it against roles and tenant. However this requires AD schema >>>>> modification. Is it possible to use AD only for authentication and then >>>>> use >>>>> keystone's native database for roles and tenant lookup? The advantage is >>>>> that then we don't need to touch the enterprise AD installation. >>>>> >>>>> Thanks >>>>> Al >>>>> >>>> >>>> >>>> -- >>>> >>>> -Dolph >>>> >>>> _______________________________________________ >>>> OpenStack-dev mailing list >>>> OpenStack-dev@lists.openstack.org >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>>> >>> >>> _______________________________________________ >>> OpenStack-dev mailing list >>> OpenStack-dev@lists.openstack.org >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >>> >> >> >> -- >> >> -Dolph >> >> _______________________________________________ >> OpenStack-dev mailing list >> OpenStack-dev@lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev