Re: [openstack-dev] [keystone] multiple federated keystones with single Identity Provider

2017-12-07 Thread Кирилл Беспалов
Hi, Pavlo.

Looks like it's not just the project/domain UUIDs that should be equal, but also
audit_id, endpoints_id, protocol_id, roles_id and many other entities.
So it looks like it is not possible to implement this using the current code
base, but I could be wrong.

You can take a look at the mapped auth plugin [1] in order to investigate what
exactly should be the same (ids).


Thanks.


[1]
https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/mapped.py#L37

On Thu, Dec 7, 2017 at 7:37 PM, Pavlo Shchelokovskyy <
pshchelokovs...@mirantis.com> wrote:

> Hi all,
>
> We have the following use case - several independent keystones (say KeyA and
> KeyB), using fernet tokens and synchronized fernet keys, and a single
> external IdP for federated auth.
>
> Is it generally possible to configure both KeyA and KeyB such that a scoped
> token issued by KeyA for a federated user is valid on KeyB?
>
> Currently we have the following problem - although the domains/projects where
> keystone's mapping engine assigns federated users are equal by name between
> KeyA and KeyB, the UUIDs of projects/domains in KeyA and KeyB are
> different, which seems to invalidate the scoped token issued by KeyA when
> trying to use it for KeyB. And it is not possible to create
> projects/domains with specific UUIDs via the keystone API (which would probably
> solve this problem for non-autoprovisioned projects).
>
> Is such a usage scenario supported? Or should one always use the unscoped
> token first to list the projects/domains available on a specific keystone
> instance and then get a scoped token for usage on this instance only?
>
> Best regards,
> --
> Dr. Pavlo Shchelokovskyy
> Senior Software Engineer
> Mirantis Inc
> www.mirantis.com
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
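The practical check behind the thread above is whether the entities a scoped token refers to resolve to the same IDs on every keystone that shares the fernet keys. The script below is an added example, not code from the thread or from keystone: it compares two entity listings in the shape of the keystone v3 list APIs (GET /v3/projects, /v3/domains, /v3/roles) by name and reports same-name entities whose IDs differ, plus names that exist on only one side. The KEYA and KEYB listings are constructed sample data with made-up IDs; in practice they would come from each keystone's API.

```python
"""Cross-keystone entity ID consistency check (added example, not from the thread)."""
from typing import Dict, List

# Constructed sample listings, shaped like keystone v3 GET /v3/{domains,projects,roles}
# responses. The IDs are invented for this example; "Default" is kept as the usual
# default-domain name, everything else is illustrative.
KEYA = {
    "domains": [
        {"id": "default", "name": "Default"},
        {"id": "6b2f0c9e1d4a4b8c9e1f2a3b4c5d6e7f", "name": "federated_domain"},
    ],
    "projects": [
        {"id": "a1b2c3d4e5f64a7b8c9d0e1f2a3b4c5d", "name": "admin"},
        {"id": "c3d4e5f6a7b84c9d0e1f2a3b4c5d6e7f", "name": "federated"},
    ],
    "roles": [
        {"id": "r1a2b3c4d5e64f7a8b9c0d1e2f3a4b5c", "name": "member"},
        {"id": "r2b3c4d5e6f74a8b9c0d1e2f3a4b5c6d", "name": "reader"},
    ],
}
KEYB = {
    "domains": [
        {"id": "default", "name": "Default"},
        # Same name as on KeyA, but autoprovisioned separately: different UUID.
        {"id": "9f8e7d6c5b4a43f2e1d0c9b8a7f6e5d4", "name": "federated_domain"},
    ],
    "projects": [
        {"id": "a1b2c3d4e5f64a7b8c9d0e1f2a3b4c5d", "name": "admin"},
        {"id": "0f1e2d3c4b5a46978a7b6c5d4e3f2a1b", "name": "federated"},
    ],
    "roles": [
        {"id": "r1a2b3c4d5e64f7a8b9c0d1e2f3a4b5c", "name": "member"},
        # "reader" was never created on KeyB.
    ],
}


def index_by_name(entities: List[Dict[str, str]]) -> Dict[str, str]:
    """Map entity name -> id. Names are what the mapping rules match on;
    IDs are what actually ends up inside the token payload."""
    return {e["name"]: e["id"] for e in entities}


def compare_entities(kind: str, a: List[Dict[str, str]], b: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per problem for one entity kind:
    - id_mismatch: same name on both sides, different ID
    - missing_on_a / missing_on_b: name exists on only one side"""
    by_a, by_b = index_by_name(a), index_by_name(b)
    findings: List[Dict[str, str]] = []
    for name in sorted(set(by_a) | set(by_b)):
        if name not in by_b:
            findings.append({"kind": kind, "name": name, "problem": "missing_on_b"})
        elif name not in by_a:
            findings.append({"kind": kind, "name": name, "problem": "missing_on_a"})
        elif by_a[name] != by_b[name]:
            findings.append({"kind": kind, "name": name, "problem": "id_mismatch",
                             "id_a": by_a[name], "id_b": by_b[name]})
    return findings


def check_consistency(listing_a: Dict[str, list], listing_b: Dict[str, list]) -> Dict[str, list]:
    """Compare every entity kind present in either listing; result is kind -> findings."""
    kinds = sorted(set(listing_a) | set(listing_b))
    return {k: compare_entities(k, listing_a.get(k, []), listing_b.get(k, [])) for k in kinds}


def tokens_portable(findings: Dict[str, list]) -> bool:
    """True only when no kind has any finding, i.e. a token scoped on one side
    references IDs that mean the same thing on the other side."""
    return all(not items for items in findings.values())


if __name__ == "__main__":
    result = check_consistency(KEYA, KEYB)
    for kind, items in result.items():
        for f in items:
            print(f"{kind}: {f['name']}: {f['problem']}"
                  + (f" ({f['id_a']} != {f['id_b']})" if f["problem"] == "id_mismatch" else ""))
    print("tokens portable:", tokens_portable(result))
```

Running it on the sample data flags the autoprovisioned project and domain as id_mismatch and the "reader" role as missing on KeyB, so tokens_portable reports False; only when every kind compares clean would a scoped token from one keystone be expected to resolve identically on the other, and even then the reply above notes further IDs (identity provider, protocol, audit) that the mapped plugin also expects to line up.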


Re: [openstack-dev] [keystone] Integrate Identity with LDAP

2017-04-17 Thread Кирилл Беспалов
Hi! It seems you are facing this bug:
https://bugs.launchpad.net/keystone/+bug/1662762
Please make sure that your Keystone already has the fix -
https://review.openstack.org/#/c/437402/

2017-04-17 6:56 GMT+03:00 Chason Chan :
> Hi team,
>
> I am trying to integrate Identity (Ocata Release) with LDAP. After
> following this page:
> https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/integrate_with_identity_service/sec-active-directory
>
> I fail to log in to the dashboard by entering the AD DS username and
> password.
>
> This is what my "keystone.log" shows: http://paste.openstack.org/show/606862/
>
> Please tell me how I can fix it.
>
> --
> Regards,
> Chason Chan
>
>
