Re: [openstack-dev] Keystone Split Backend LDAP Question

2013-08-05 Thread Miller, Mark M (EB SW Cloud - RD - Corvallis)
I have been inserting debug logging and stack traces into the code base to help 
find out what is and is not happening.


· I am able to connect the LDAP backend to our Enterprise Directory 
and perform a REST “get an unscoped token” from keystone. Following is the 
result:

Connection: keep-alive
Content-Length: 259
Content-Type: application/json
Date: Fri, 26 Jul 2013 21:49:16 GMT
Vary: X-Auth-Token
X-Subject-Token: cae95a17517245798acb17c47b8eb74b

{
token: {
issued_at: 2013-07-26T21:49:16.951821Z,
extras: {},
methods: [
password
],
expires_at: 2045-04-03T19:49:16.951738Z,
user: {
domain: {
id: default,
name: Default
},
id: mark.m.mil...@hp.com,
name: mark.m.mil...@hp.com
}
}
}

· When I attempt to assign a role to the user:

keystone user-role-add --user mark.m.mil...@hp.com --role-id 
7fb862d10b5c46679b4334eae9c73a46 --tenant-id 9798b027472d4f459d231c005977b3ac

The “identity/controllers/get_users()” method is called instead of the 
“get_user_by_name()” method.


Does anyone know why or how to fix this or if what I am trying to do even works?

Regards,

Mark Miller


From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: Friday, August 02, 2013 4:00 PM
To: OpenStack Development Mailing List; Adam Young (ayo...@redhat.com); Dolph 
Mathews (dolph.math...@gmail.com); Yee, Guang
Subject: Re: [openstack-dev] Keystone Split Backend LDAP Question

Hello,

With some minor tweaking of the keystone common/ldap/core.py file, I have been 
able to authenticate and get an unscoped token for a user from an LDAP 
Enterprise Directory. I want to continue testing but I have some questions that 
need to be answered before I can continue.


1.   Do I need to add the user from the LDAP server to the Keystone SQL 
database or will the H-2 code search the LDAP server?

2.   When I performed a “keystone user-list” the following log file entries 
were written indicating that keystone was attempting to get all the users on 
the massive Enterprise Directory. How do we limit this query to just the one 
user or group of users we are interested in?

2013-07-23 14:04:31 DEBUG [keystone.common.ldap.core] LDAP bind: 
dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] In get_connection 6 
user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] MY query in 
_ldap_get_all: ()
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] LDAP search: 
dn=ou=People,o=hp.com, scope=2, query=(), attrs=['businessCategory', 
'userPassword', 'hpStatus', 'mail', 'uid']

3.   Next I want to acquire a scoped token. How do I assign the LDAP user 
to a local project?

Regards,

Mark Miller
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] Keystone Split Backend LDAP Question

2013-08-05 Thread Miller, Mark M (EB SW Cloud - RD - Corvallis)
Adam,

Great suggestion. Using the v3 API I have been able to grant a project role to 
an LDAP user:

mark.m.mil...@hp.com | 9798b027472d4f459d231c005977b3ac | {roles: [{id: 7fb862d10b5c46679b4334eae9c73a46}]}


Mark

From: Adam Young [mailto:ayo...@redhat.com]
Sent: Monday, August 05, 2013 5:29 PM
To: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Cc: OpenStack Development Mailing List; Dolph Mathews 
(dolph.math...@gmail.com); Yee, Guang
Subject: Re: Keystone Split Backend LDAP Question

On 08/02/2013 06:59 PM, Miller, Mark M (EB SW Cloud - RD - Corvallis) wrote:
Hello,

With some minor tweaking of the keystone common/ldap/core.py file, I have been 
able to authenticate and get an unscoped token for a user from an LDAP 
Enterprise Directory. I want to continue testing but I have some questions that 
need to be answered before I can continue.


1.  Do I need to add the user from the LDAP server to the Keystone SQL 
database or will the H-2 code search the LDAP server?
No. There is no entry in SQL for the user, only in LDAP.


2.  When I performed a keystone user-list the following log file entries 
were written indicating that keystone was attempting to get all the users on 
the massive Enterprise Directory. How do we limit this query to just the one 
user or group of users we are interested in?

2013-07-23 14:04:31 DEBUG [keystone.common.ldap.core] LDAP bind: 
dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] In get_connection 6 
user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] MY query in 
_ldap_get_all: ()
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] LDAP search: 
dn=ou=People,o=hp.com, scope=2, query=(), attrs=['businessCategory', 
'userPassword', 'hpStatus', 'mail', 'uid']

I think this bug is filed here:
https://bugs.launchpad.net/keystone/+bug/1205150

I've grabbed it.



3.  Next I want to acquire a scoped token. How do I assign the LDAP user to 
a local project?
Use the normal Keystone API for that. The project and assignments all happen 
in the SQL backend.




Regards,

Mark Miller



Re: [openstack-dev] Keystone Split Backend LDAP Question

2013-08-04 Thread Alexius Ludeman
2.  I have a bug open on this problem:

https://bugs.launchpad.net/keystone/+bug/1205150



On Fri, Aug 2, 2013 at 3:59 PM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.com wrote:

  Hello,

 With some minor tweaking of the keystone common/ldap/core.py file, I have
 been able to authenticate and get an unscoped token for a user from an LDAP
 Enterprise Directory. I want to continue testing but I have some questions
 that need to be answered before I can continue.

 1.   Do I need to add the user from the LDAP server to the
 Keystone SQL database or will the H-2 code search the LDAP server?

 2.   When I performed a “keystone user-list” the following log
 file entries were written indicating that keystone was attempting to get
 all the users on the massive Enterprise Directory. How do we limit this
 query to just the one user or group of users we are interested in?

 2013-07-23 14:04:31 DEBUG [keystone.common.ldap.core] LDAP bind:
 dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com

 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] In get_connection
 6 user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com

 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] MY query in 
 _ldap_get_all: ()

 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] LDAP search:
 dn=ou=People,o=hp.com, scope=2, query=(), attrs=['businessCategory',
 'userPassword', 'hpStatus', 'mail', 'uid']

 3.   Next I want to acquire a scoped token. How do I assign the
 LDAP user to a local project?

 Regards,

 Mark Miller



Re: [openstack-dev] Keystone Split Backend LDAP Question

2013-08-02 Thread Miller, Mark M (EB SW Cloud - RD - Corvallis)
Hello,

With some minor tweaking of the keystone common/ldap/core.py file, I have been 
able to authenticate and get an unscoped token for a user from an LDAP 
Enterprise Directory. I want to continue testing but I have some questions that 
need to be answered before I can continue.


1.   Do I need to add the user from the LDAP server to the Keystone SQL 
database or will the H-2 code search the LDAP server?

2.   When I performed a keystone user-list the following log file entries 
were written indicating that keystone was attempting to get all the users on 
the massive Enterprise Directory. How do we limit this query to just the one 
user or group of users we are interested in?

2013-07-23 14:04:31 DEBUG [keystone.common.ldap.core] LDAP bind: 
dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] In get_connection 6 
user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] MY query in 
_ldap_get_all: ()
2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] LDAP search: 
dn=ou=People,o=hp.com, scope=2, query=(), attrs=['businessCategory', 
'userPassword', 'hpStatus', 'mail', 'uid']

3.   Next I want to acquire a scoped token. How do I assign the LDAP user 
to a local project?

Regards,

Mark Miller
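As an added illustration that is not keystone's code and not from anyone in this thread, the constructed Python sketch below shows why the search logged under question 2 (query=() at scope=2) returns every entry under ou=People, and how composing an objectClass term, a single-user equality term and a deployment-wide restriction (the job keystone's [ldap] user_filter option does) narrows it to the users of interest. The in-memory DIRECTORY, its entries and all function names are assumptions made for the example.

```python
import re

# Constructed example, not keystone's code. A tiny in-memory "directory" and a
# filter builder show why a search with query=() enumerates the whole
# ou=People subtree and how a composed filter limits it to the users wanted.

DIRECTORY = [  # constructed entries standing in for ou=People,o=hp.com
    {'dn': 'uid=alice,ou=People,o=hp.com', 'objectClass': 'inetOrgPerson',
     'uid': 'alice', 'hpStatus': 'Active'},
    {'dn': 'uid=bob,ou=People,o=hp.com', 'objectClass': 'inetOrgPerson',
     'uid': 'bob', 'hpStatus': 'Terminated'},
    {'dn': 'cn=svc,ou=People,o=hp.com', 'objectClass': 'applicationProcess',
     'uid': 'svc', 'hpStatus': 'Active'},
]

def escape_filter_value(value):
    """RFC 4515 escaping so a caller-supplied id is matched literally."""
    specials = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(specials.get(ch, ch) for ch in value)

def build_user_filter(objectclass, id_attr=None, user_id=None, user_filter=None):
    """AND together the object class, an optional single-user lookup and a
    deployment-wide restriction (the role keystone's [ldap] user_filter plays)."""
    terms = ['(objectClass=%s)' % escape_filter_value(objectclass)]
    if user_id is not None:
        terms.append('(%s=%s)' % (id_attr, escape_filter_value(user_id)))
    if user_filter:
        terms.append(user_filter if user_filter.startswith('(') else '(%s)' % user_filter)
    return terms[0] if len(terms) == 1 else '(&%s)' % ''.join(terms)

def _unescape(value):
    """Turn RFC 4515 '\\XX' hex escapes back into the literal character."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def _terms(filter_str):
    """Reduce '(a=b)' or '(&(a=b)(c=d))' to [(attr, value)]; '()' is match-all."""
    inner = filter_str.strip()
    inner = inner[2:-1] if inner.startswith('(&') else inner
    return [(a, _unescape(v)) for a, v in
            (t.split('=', 1) for t in inner.strip('()').split(')(') if t)]

def search(directory, filter_str):
    """Return the dn of every entry whose attributes satisfy all equality terms."""
    terms = _terms(filter_str)
    return [e['dn'] for e in directory if all(e.get(a) == v for a, v in terms)]

if __name__ == '__main__':
    print(search(DIRECTORY, '()'))  # every entry, as the logged user-list search does
    print(search(DIRECTORY, build_user_filter('inetOrgPerson', 'uid', 'alice')))
```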