On 11/15/2013 07:39 PM, Avi L wrote:

    However when I run keystone user-list it gives me the following
    error:
    Authorization Failed: An unexpected error prevented the server
    from fulfilling your request. {'info': '000020D6: SvcErr:
    DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc':
    'Operations error'} (HTTP 500)

    This error looks AD specific. I have not seen it from other LDAP
    providers.

    When you do a user list, you have to authenticate to AD, which is
    done via a Simple Bind.  This is probably not what you want long
    term (External Auth will let you use Kerberos, for example) but to
    start troubleshooting, make sure you can do an ldap query against
    the LDAP as the Admin user.  If that works, you should be able to
    do a keystone token-get with that same information.
I can do a user list against AD using the ADMIN token, which is binding as the AD user specified in the keystone.conf file. Using the ADMIN token I am also giving that user a role of admin and a tenant of admin. These are supposedly being stored in the SQL database. Now if I change my credentials to the AD user, sourcing a keystone rc file, and run the token-get or user-list command, I get this error.

ADMIN Token does no authentication against the back end. It is a bootstrap method for setting up Keystone, nothing else. It should be disabled as soon as you can authenticate via AD.

I don't think you have successfully authenticated against AD.
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
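For reference, the configuration shape the thread is discussing: an AD-backed identity driver doing a Simple Bind as a service account, with roles and tenants kept in SQL, and the bootstrap ADMIN token called out for removal once AD logins work. This is an added illustration, not a file from the thread or from the Keystone project; hostnames, DNs and secrets are placeholders, and the option names assume the Havana-era keystone.conf layout.

```ini
# keystone.conf (excerpt) -- placeholder values, not from the thread

[DEFAULT]
# Bootstrap token used by "keystone --os-token ... user-list".
# It never touches the AD backend, so it proves nothing about the
# LDAP settings below. Once "keystone token-get" works with real AD
# credentials, delete this line and remove the admin_token_auth
# filter from the pipelines in keystone-paste.ini.
admin_token = REPLACE_WITH_LONG_RANDOM_SECRET

[identity]
# Users come from AD
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Roles and tenants stay in the SQL database, as in the thread
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# Simple Bind sends the service-account password in the clear, so use
# LDAPS (or use_tls) rather than plain ldap://
url = ldaps://dc1.example.corp
# Account used for the Simple Bind on every user-list; check it with
# ldapsearch (same DN, password, suffix) before blaming Keystone
user = CN=keystone-svc,OU=Service Accounts,DC=example,DC=corp
password = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
suffix = DC=example,DC=corp

# Keep the search base narrow; a search rooted at a point AD answers
# with referrals is a common source of "Operations error" replies
user_tree_dn = OU=Users,DC=example,DC=corp
query_scope = sub
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
```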