On 11/14/2013 07:37 PM, Avi L wrote:
I have installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I added a active directory user "test123" with role admin and tenant admin successfully.

However when I run keystone user-list it gives me the following error:
Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': '000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)

This error looks AD specific. I have not seen it from other LDAP providers.

When you do a user list, you have to authenticate to AD, which is done via a Simple Bind. This is probably not what you want long term (External Auth will let you use Kerberos, for example) but to start troubleshooting, make sure you can do an ldap query against the LDAP as the Admin user. If that works, you should be able to do a keystone token-get with that same information.


I am not sure why it is looking at the Active Directory for authorization? In keystone.conf I am only using ldap for the Identity section. The credential and Assignment sections point to sql.


On Thu, Nov 14, 2013 at 10:17 AM, Avi L <[email protected]> wrote:

    Thanks for your help. So in this case the uid parameter to
    user-role-add will be any of the AD attributes that I specify in
    the keystone.conf file, i.e. sAMAccountName? Also I assume that in
    this case there will be no entries of the user in the local sql
    users table, nor would any id be assigned to individual users by
    keystone?  Also in this case will user-list show all the users in
    the Active Directory under the user tree?

    BTW is there an rpm available for the havana keystone release for
    CentOS/RHEL?


Yes, the distro you are looking for is called RDO, and it is available from:

http://repos.fedorapeople.org/repos/openstack/openstack-havana/

and trunk

http://repos.fedorapeople.org/repos/openstack/openstack-trunk/





    On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews
    <[email protected]> wrote:

        You can assign roles to users in keystoneclient ($ keystone
        help user-role-add) -- the assignment would be persisted in
        SQL. openstackclient supports assignments to groups as well if
        you switch to --identity-api-version=3

        On Wed, Nov 13, 2013 at 3:08 PM, Avi L <[email protected]> wrote:

            Oh ok so in this case how does the Active Directory user
            get an id, and how do you map the user to a role? Is
            there any example you can point me to?


            On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews
            <[email protected]> wrote:

                Yes, that's the preferred approach in Havana: Users
                and Groups via LDAP, and everything else via SQL.


                On Wednesday, November 13, 2013, Avi L wrote:

                    Hi,

                    I understand that the LDAP provider in keystone
                    can be used for authenticating a user (i.e.
                    validate username and password), and it also
                    authorizes it against roles and tenant. However
                    this requires AD schema modification. Is it
                    possible to use AD only for authentication and
                    then use keystone's native database for roles and
                    tenant lookup? The advantage is that then we don't
                    need to touch the enterprise AD installation.

                    Thanks
                    Al



                --
                -Dolph

                _______________________________________________
                OpenStack-dev mailing list
                [email protected]
                <mailto:[email protected]>
                
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev







        --
        -Dolph






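For reference, a constructed keystone.conf excerpt for the split discussed in this thread (added here; it is not from the thread or from the Keystone project's sample config, and the host, DNs and service account are placeholders): users and groups are read from AD, role assignments and credentials stay in SQL, and sAMAccountName is the attribute that becomes the user id passed to user-role-add. Because the read-only lookup is done with a simple bind that sends the service-account password, the example binds over LDAPS with CA verification rather than plain ldap://.

```ini
# Constructed example (Havana option names); replace every placeholder.
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Roles, projects/tenants and their assignments live in SQL, so AD is not modified.
driver = keystone.assignment.backends.sql.Assignment

[credential]
driver = keystone.credential.backends.sql.Credential

[ldap]
# LDAPS plus CA verification: the simple bind carries the service-account password.
url = ldaps://ad.example.com
use_tls = False
tls_cacertfile = /etc/pki/tls/certs/example-ad-ca.pem
tls_req_cert = demand
# Placeholder read-only service account used for the bind.
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
password = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
suffix = DC=example,DC=com
query_scope = sub

# Users: the AD attribute chosen as user_id_attribute is what user-list shows
# and what user-role-add expects as the user id.
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
# AD keeps the disabled flag as bit 2 of userAccountControl; 512 is a normal account.
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# Keystone never writes to the enterprise directory.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Groups (v3 API) so roles can be granted per AD group instead of per user.
group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```

With this layout the HTTP 500 above can be isolated as the thread suggests: an ldapsearch with the same bind DN, password and user_tree_dn should return the user tree before keystone token-get is expected to work.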