Hi,

By setting the following one can limit the number of users shown (see also
https://bugs.launchpad.net/keystone/+bug/1501698 which shows the commit earlier
this year to include that feature):

  [identity]
  list_limit = 50

The efficiency of the query for getting users can be improved by the following
(see http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
for very useful LDAP queries for AD):

  user_filter=(objectCategory=person)
  user_objectclass=user

So now when one goes to horizon/identity/domains/ in the browser and then
selects “manage members” from the dropdown for the LDAP domain, a list of 50
users pops up (and there are no errors such as SIZELIMIT_EXCEEDED).

The problem: one can see 50 users and search for a user within that list,
however one cannot search for other users ☹. Domain groups have the same
limitation.

This looks like a limitation in Horizon; ah, found this bug report:
https://bugs.launchpad.net/horizon/+bug/1496045

To me it looks like support for LDAP paging needs to be added
(http://jeftek.com/219/avoid-changing-the-maxpagesize-ldap-query-policy)?

Any suggestions on a workaround?
- Is there a way on the command line or API, perhaps, to assign an individual
  user or group from LDAP to a group such as _member_? i.e. without pulling
  down the complete list?

Regards,
Sean.


On 02/08/16 18:20, "Boran Sean, INI-INO-SWD" <[email protected]> wrote:

Hi,

So I logged in as admin/default, then switched to the LDAP domain
(horizon/identity/domains/), added a role. Next I try to add a user to that
role (/horizon/identity/users), but get “Unable to retrieve user list”.

In /var/log/user.log I see:

LDAP bind: who=cn=bind-user,dc=example,dc=net
<14>Aug 2 16:12:45 node-16 admin: 2016-08-02 16:12:45.473 5366 INFO keystone.common.ldap.core [req-a18130f2-58e4-43e3-8cb2-aed4c112334b 8ce0f5b503914e08a8e4f24a1ebf83f8 7166483dcbc64ef79390795b9c425be5 - default default] LDAP search: base=dc=example,dc=net scope=2 filterstr=(&(objectClass=person)(cn=*)) attrs=['cn', 'userPassword', 'userAccountControl', 'sAMAccountName', 'mail', 'description'] attrsonly=0
2016-08-02 16:12:45.473 5366 INFO keystone.common.ldap.core [req-a18130f2-58e4-43e3-8cb2-aed4c112334b 8ce0f5b503914e08a8e4f24a1ebf83f8 7166483dcbc64ef79390795b9c425be5 - default default] LDAP search: base=dc=example,dc=net scope=2 filterstr=(&(objectClass=person)(cn=*)) attrs=['cn', 'userPassword', 'userAccountControl', 'sAMAccountName', 'mail', 'description'] attrsonly=0

If the LDAP query “(&(objectClass=person)(cn=*))” is run through the CLI
ldapsearch, it does return a long list of thousands of users.

Ah, just noticed /var/log/keystone/admin.log:

2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi     result = func(*args,**kwargs)
2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi SIZELIMIT_EXCEEDED: {'desc': 'Size limit exceeded'}

I wonder if there is a way for the UI to only fetch the first 100 users, or
not to fetch any list, but just one by one?

Thanks,
Sean


On 02/08/16 17:46, "Alexander Makarov" <[email protected]> wrote:

Sean,

the problem may be in the following: in the Mitaka release keystone requires
the user to have a role in the domain it's getting authZ'ing in.
We ran into the problem when Horizon tried to authZ the user in the Default
domain and got the same error.

On 02.08.2016 16:25, [email protected] wrote:
> Hi,
>
> I’m having a bit of fun trying to use AD for identifying and authorising
> users on OpenStack.
> The idea is to use AD for read-only access to users/group definitions, but
> all authorisation data to be stored in SQL.
>
> What works: users can be authenticated (LDAP bind works, verification of the
> user), but not yet authorised – one gets "You are not authorized for any
> projects or domains" after authentication (integration of groups).
> On the command line with ldapsearch, users and groups can be listed (so the
> attributes configured should be OK?)
>
> Problems when testing with Horizon:
> - Login via LDAP fails on authorization
> - If logged in as admin in the default (SQL) domain, the LDAP domain can be
>   viewed at /horizon/identity/domains/ but users and groups cannot be managed:
>   “Unable to retrieve group list”, “Unable to retrieve user list”
>   This may also be since the AD contains about 20’000 users (too much data for
>   the user/group management screen)
>
> The /etc/keystone/domains/keystone.example.com is as follows.
>
> [ldap]
> user_enabled_attribute=userAccountControl
> query_scope=sub
> user_filter=
> group_allow_delete=False
> page_size=0
> use_tls=False
> password=NOT_HERE
> user_allow_update=False
> user_id_attribute=cn
> user_enabled_mask=2
> suffix= dc=example,dc=com
> user_enabled_default=512
> group_allow_update=False
> user_name_attribute=sAMAccountName
> chase_referrals=False
> group_allow_create=False
> user_allow_delete=False
>
> group_name_attribute=cn
> group_filter=
> group_member_attribute=member
> group_tree_dn=dc=example,dc=com
> group_objectclass = group
> group_desc_attribute=
> group_id_attribute=
>
> user_pass_attribute=userPassword
> user=cn=my-service-user
> user_allow_create=False
> user_tree_dn=dc=example,dc=com
> url=ldap://ldap.example.com
> user_objectclass=person
>
> [identity]
> driver=keystone.identity.backends.ldap.Identity
>
> Debugging for LDAP was enabled to see the LDAP binds/queries being sent out.
>
> Versions:
> keystone --version shows 2.3
> Mitaka (with initial install done by Fuel).
>
> Resources consulted so far:
> http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
> http://docs.openstack.org/admin-guide/keystone_integrate_with_ldap.html
> Book: OpenStack production recipes.
> Also: https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow but got confused
> there.
>
> Questions:
> - Are there any good resources out there for AD integration? E.g. how
>   user/group/roles work within an LDAP context?
> - Or tips on the above?
> - How can one assign users from LDAP to the _members_ or admin groups to get
>   started?
>
> Thanks in advance,
>
> Sean
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : [email protected]
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
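Sean's top message points at LDAP paging as the way past SIZELIMIT_EXCEEDED, and the quoted config has page_size=0, which is the Keystone [ldap] option that turns the RFC 2696 simple paged results control on (page_size=N sends the control with size N; 0 sends no control, so the whole result set is requested in one search). The following Python script is an added illustration, not code from this thread or from Keystone or Horizon: it BER-encodes and decodes the paged results control value and walks a client/server exchange against a constructed in-memory directory. The directory contents, the server's size limit of 1000, and the cookie layout (real servers' cookies are opaque to the client) are assumptions of the example.

```python
"""RFC 2696 simple paged results: BER encode/decode of the control value and a
simulated client/server page loop.

Added example; not code from the mailing-list thread, Keystone or Horizon.
The directory, the server size limit and the cookie layout are made up.
"""

# Control type OID from RFC 2696 (what servers advertise in supportedControl).
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"


def _ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_integer(n):
    """Minimal two's-complement encoding of a non-negative INTEGER (tag 0x02)."""
    if n < 0:
        raise ValueError("paged size must be non-negative")
    # One extra octet when the top bit would be set keeps the value positive
    # (128 encodes as 00 80, not 80).
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _ber_length(len(body)) + body


def encode_paged_control(size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    inner = _ber_integer(size) + b"\x04" + _ber_length(len(cookie)) + cookie
    return b"\x30" + _ber_length(len(inner)) + inner


def _read_tlv(buf, pos, expected_tag):
    """Read one tag/length/value triple starting at pos; return (value, next_pos)."""
    tag = buf[pos]
    if tag != expected_tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expected_tag, tag))
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return buf[pos:pos + length], pos + length


def decode_paged_control(value):
    """Inverse of encode_paged_control; returns (size, cookie)."""
    inner, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    size_bytes, pos = _read_tlv(inner, 0, 0x02)
    cookie, pos = _read_tlv(inner, pos, 0x04)
    if pos != len(inner):
        raise ValueError("trailing bytes inside SEQUENCE")
    return int.from_bytes(size_bytes, "big", signed=True), bytes(cookie)


# Constructed stand-in for a directory larger than the server's size limit.
DIRECTORY = ["cn=user%04d,dc=example,dc=net" % i for i in range(1, 1201)]
SERVER_SIZELIMIT = 1000  # constructed value for the simulated server


def server_search(control_value):
    """Simulated server: honour the paged control, or fail as an unpaged search would."""
    if control_value is None:
        if len(DIRECTORY) > SERVER_SIZELIMIT:
            raise RuntimeError("SIZELIMIT_EXCEEDED")
        return list(DIRECTORY), None
    size, cookie = decode_paged_control(control_value)
    # Cookie layout is this example's assumption: the server's resume offset.
    start = int.from_bytes(cookie, "big") if cookie else 0
    page = DIRECTORY[start:start + size]
    end = start + len(page)
    next_cookie = b"" if end >= len(DIRECTORY) else end.to_bytes(4, "big")
    # In the response the size field is the server's estimate of the total.
    return page, encode_paged_control(len(DIRECTORY), next_cookie)


def paged_search(page_size):
    """Client loop: resend the control with the returned cookie until it is empty.

    Returns (all entries, number of round trips)."""
    entries, cookie, rounds = [], b"", 0
    while True:
        page, response = server_search(encode_paged_control(page_size, cookie))
        entries.extend(page)
        rounds += 1
        _, cookie = decode_paged_control(response)
        if not cookie:
            return entries, rounds


if __name__ == "__main__":
    found, trips = paged_search(500)
    print("%d entries in %d pages via control %s" % (len(found), trips, PAGED_RESULTS_OID))
```

The unpaged branch of server_search is the situation in the thread: a search with no control against a directory bigger than the server's limit fails with SIZELIMIT_EXCEEDED, while the same search sent page by page completes. Note that the control only changes how the result set is delivered; a filter such as (objectCategory=person) still does the work of shrinking what the server has to return in the first place.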
