Just to clarify, I am running keystone user-list with the keystonerc file sourced and containing the correct credentials for test123.

On Thu, Nov 14, 2013 at 4:37 PM, Avi L <[email protected]> wrote:

> I have installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
> added an Active Directory user "test123" with role admin and tenant admin
> successfully.
>
> However when I run keystone user-list it gives me the following error:
> Authorization Failed: An unexpected error prevented the server from
> fulfilling your request. {'info': '000020D6: SvcErr: DSID-031007DB, problem
> 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)
>
> I am not sure why it is looking at the Active Directory for authorization?
> In keystone.conf I am only using ldap for the Identity section. The
> credential and Assignment point to sql.
>
>
> On Thu, Nov 14, 2013 at 10:17 AM, Avi L <[email protected]> wrote:
>
>> Thanks for your help. So in this case the uid parameter to user-role-add
>> will be any of the AD attributes that I specify in the keystone.conf file,
>> i.e. sAMAccountname? Also I assume that in this case there will be no
>> entries of the user in the local sql users table, nor would any id be
>> assigned to individual users by keystone? Also in this case will user-list
>> show all the users in the Active Directory under the user tree?
>>
>> BTW is there an rpm available for the havana keystone release for CentOS/RHEL?
>>
>>
>> On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <[email protected]> wrote:
>>
>>> You can assign roles to users in keystoneclient ($ keystone help
>>> user-role-add) -- the assignment would be persisted in SQL. openstackclient
>>> supports assignments to groups as well if you switch to
>>> --identity-api-version=3
>>>
>>> On Wed, Nov 13, 2013 at 3:08 PM, Avi L <[email protected]> wrote:
>>>
>>>> Oh ok so in this case how does the Active Directory user get an id,
>>>> and how do you map the user to a role? Is there any example you can point
>>>> me to?
>>>>
>>>>
>>>> On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <[email protected]> wrote:
>>>>
>>>>> Yes, that's the preferred approach in Havana: Users and Groups via
>>>>> LDAP, and everything else via SQL.
>>>>>
>>>>>
>>>>> On Wednesday, November 13, 2013, Avi L wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I understand that the LDAP provider in keystone can be used for
>>>>>> authenticating a user (i.e. validate username and password), and it also
>>>>>> authorizes it against roles and tenant. However this requires AD schema
>>>>>> modification. Is it possible to use AD only for authentication and then
>>>>>> use keystone's native database for roles and tenant lookup? The advantage
>>>>>> is that then we don't need to touch the enterprise AD installation.
>>>>>>
>>>>>> Thanks
>>>>>> Al
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> -Dolph
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> [email protected]
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>
>>> --
>>>
>>> -Dolph
>>>
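
Added example, not part of the original thread and not Keystone's own code: a small audit of a keystone.conf for the setup discussed above (users from LDAP/AD, roles and tenants in SQL, no writes to the enterprise directory). The sample config is constructed; the host, DNs and password are placeholders, and the option names are assumed to be the Havana-era ones.

```python
import configparser

# Constructed sample keystone.conf (Havana-era option names assumed); the host,
# DNs and bind account are placeholders, not values from the thread.
SAMPLE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldap://ad.example.com
user = CN=keystone-bind,OU=Service,DC=example,DC=com
password = PLACEHOLDER
suffix = DC=example,DC=com
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_allow_create = False
user_allow_update = False
user_allow_delete = True
"""

WRITE_FLAGS = ("user_allow_create", "user_allow_update", "user_allow_delete")


def audit(conf_text):
    """Return a list of findings; an empty list means the split is as intended."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    if not cp.get("identity", "driver", fallback="").endswith("ldap.Identity"):
        findings.append("identity driver is not LDAP")
    if not cp.get("assignment", "driver", fallback="").endswith("sql.Assignment"):
        findings.append("assignment driver is not set to SQL")
    for flag in WRITE_FLAGS:
        # These default to True in Havana-era Keystone, so unset counts as writable.
        if cp.get("ldap", flag, fallback="True").strip().lower() != "false":
            findings.append(flag + " is not False: Keystone may write to the directory")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["OK"]:
        print(line)
```

The constructed sample deliberately leaves user_allow_delete enabled, so running the block reports that one finding.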
