On 11/15/2013 07:39 PM, Avi L wrote:
>>> However when I run keystone user-list it gives me the following
>>> error:
>>> Authorization Failed: An unexpected error prevented the server
>>> from fulfilling your request. {'info': '000020D6: SvcErr:
>>> DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc':
>>> 'Operations error'} (HTTP 500)
>>
>> This error looks AD specific. I have not seen it from other LDAP
>> providers.
>> When you do a user list, you have to authenticate to AD, which is
>> done via a Simple Bind. This is probably not what you want long
>> term (External Auth will let you use Kerberos, for example) but to
>> start troubleshooting, make sure you can do an ldap query against
>> the LDAP as the Admin user. If that works, you should be able to
>> do a keystone token-get with that same information.
>
> I can do a user list against AD using the ADMIN token, which is
> binding as the AD user specified in the keystone.conf file. Using the
> ADMIN token I am also giving that user a role of admin and a tenant of
> admin. These are supposedly being stored in the SQL database. Now if
> I change my credentials to the AD user sourcing a keystone rc file and
> run the token-get or user-list command I get this error.

ADMIN Token does no authentication against the back end. It is a
bootstrap method for setting up Keystone, nothing else. It should be
disabled as soon as you can authenticate via AD.
I don't think you have successfully authenticated against AD.
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev