Re: [openstack-dev] Using AD for keystone authentication only

2013-11-15 Thread Adam Young

On 11/14/2013 07:37 PM, Avi L wrote:
I have installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and 
I added an Active Directory user test123 with role admin and tenant 
admin successfully.

However when I run keystone user-list it gives me the following error:
Authorization Failed: An unexpected error prevented the server from 
fulfilling your request. {'info': '20D6: SvcErr: DSID-031007DB, 
problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 
500)


This error looks AD specific. I have not seen it from other LDAP providers.

When you do a user list, you have to authenticate to AD, which is done 
via a Simple Bind.  This is probably not what you want long term 
(External Auth will let you use Kerberos, for example) but to start 
troubleshooting, make sure you can do an ldap query against the LDAP as 
the Admin user.   If that works, you should be able to do a keystone 
token-get with that same information.




I am not sure why it is looking at the Active Directory for 
authorization? In keystone.conf I am only using ldap for the Identity 
section. The credential and Assignment point to sql.



On Thu, Nov 14, 2013 at 10:17 AM, Avi L aviost...@gmail.com wrote:


Thanks for your help. So in this case the uid parameter to
user-role-add will be any of the AD attributes that I specify in
the keystone.conf file, i.e. sAMAccountName? Also I assume that in
this case there will be no entries of the user in the local sql
users table, nor would any id be assigned to individual users by
keystone?  Also in this case will user-list show all the users in
the Active Directory under the user tree?

BTW is there an rpm available for the havana keystone release for
CentOS/RHEL?



Yes, the distro you are looking for is called RDO, and it is available 
from:


http://repos.fedorapeople.org/repos/openstack/openstack-havana/

and trunk

http://repos.fedorapeople.org/repos/openstack/openstack-trunk/

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



Re: [openstack-dev] Using AD for keystone authentication only

2013-11-15 Thread Avi L
Hi,

On Fri, Nov 15, 2013 at 2:58 PM, Adam Young ayo...@redhat.com wrote:

  On 11/14/2013 07:37 PM, Avi L wrote:

 I have installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
 added an Active Directory user test123 with role admin and tenant admin
 successfully.

  However when I run keystone user-list it gives me the following error:
 Authorization Failed: An unexpected error prevented the server from
 fulfilling your request. {'info': '20D6: SvcErr: DSID-031007DB, problem
 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)


 This error looks AD specific. I have not seen it from other LDAP providers.

 When you do a user list, you have to authenticate to AD, which is done via
 a Simple Bind.  This is probably not what you want long term (External Auth
 will let you use Kerberos, for example) but to start troubleshooting, make
 sure you can do an ldap query against the LDAP as the Admin user.   If that
 works, you should be able to do a keystone token-get with that same
 information.



I can do a user list against AD using the ADMIN token, which is binding as
the AD user specified in the keystone.conf file. Using the ADMIN token I am
also giving that user a role of admin and a tenant of admin. These are
supposedly being stored in the SQL database. Now if I change my credentials
to the AD user by sourcing a keystone rc file and run the token-get or
user-list command, I get this error.








Re: [openstack-dev] Using AD for keystone authentication only

2013-11-14 Thread Dolph Mathews
You can assign roles to users in keystoneclient ($ keystone help
user-role-add) -- the assignment would be persisted in SQL. openstackclient
supports assignments to groups as well if you switch to
--identity-api-version=3

On Wed, Nov 13, 2013 at 3:08 PM, Avi L aviost...@gmail.com wrote:

 Oh ok so in this case how does the Active Directory user get an id, and
 how do you map the user to a role? Is there any example you can point me
 to?


-- 

-Dolph


Re: [openstack-dev] Using AD for keystone authentication only

2013-11-14 Thread Avi L
I have installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
added an Active Directory user test123 with role admin and tenant admin
successfully.

However when I run keystone user-list it gives me the following error:
Authorization Failed: An unexpected error prevented the server from
fulfilling your request. {'info': '20D6: SvcErr: DSID-031007DB, problem
5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)

I am not sure why it is looking at the Active Directory for authorization?
In keystone.conf I am only using ldap for the Identity section. The
credential and Assignment point to sql.


On Thu, Nov 14, 2013 at 10:17 AM, Avi L aviost...@gmail.com wrote:

 Thanks for your help. So in this case the uid parameter to user-role-add
 will be any of the AD attributes that I specify in the keystone.conf file,
 i.e. sAMAccountName? Also I assume that in this case there will be no
 entries of the user in the local sql users table, nor would any id be
 assigned to individual users by keystone?  Also in this case will user-list
 show all the users in the Active Directory under the user tree?

 BTW is there an rpm available for the havana keystone release for CentOS/RHEL?




Re: [openstack-dev] Using AD for keystone authentication only

2013-11-14 Thread Avi L
Just to clarify, I am running keystone user-list with the keystonerc file
sourced and containing the correct credentials for test123.


On Thu, Nov 14, 2013 at 4:37 PM, Avi L aviost...@gmail.com wrote:

 I have installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
 added an Active Directory user test123 with role admin and tenant admin
 successfully.

 However when I run keystone user-list it gives me the following error:
 Authorization Failed: An unexpected error prevented the server from
 fulfilling your request. {'info': '20D6: SvcErr: DSID-031007DB, problem
 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)

 I am not sure why it is looking at the Active Directory for authorization?
 In keystone.conf I am only using ldap for the Identity section. The
 credential and Assignment point to sql.




Re: [openstack-dev] Using AD for keystone authentication only

2013-11-13 Thread Dolph Mathews
Yes, that's the preferred approach in Havana: Users and Groups via LDAP,
and everything else via SQL.

On Wednesday, November 13, 2013, Avi L wrote:

 Hi,

 I understand that the LDAP provider in keystone can be used for
 authenticating a user (i.e. validate username and password), and it also
 authorizes it against roles and tenants. However this requires AD schema
 modification. Is it possible to use AD only for authentication and then use
 keystone's native database for roles and tenant lookup? The advantage is
 that then we don't need to touch the enterprise AD installation.

 Thanks
 Al



-- 

-Dolph
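An added example, not something posted in this thread or taken from the keystone project's own documentation: a Havana keystone.conf fragment for the split Dolph describes, users and groups read from AD over LDAP with roles and tenants kept in SQL, using the sAMAccountName mapping Avi asks about. The domain, DNs, service account, CA file and the openstack-users group are placeholders.

```ini
# Added keystone.conf fragment (Havana): users and groups come from AD over
# LDAP, assignments and credentials stay in keystone's SQL database.
# Host names, DNs, the service account and the CA file are placeholders.

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Roles and tenants live in SQL, so the AD schema is never modified and
# "keystone user-role-add" writes only to keystone's own database.
driver = keystone.assignment.backends.sql.Assignment

[credential]
driver = keystone.credential.backends.sql.Credential

[ldap]
# LDAPS so the simple-bind passwords do not cross the network in the clear.
url = ldaps://dc1.example.com
tls_cacertfile = /etc/pki/tls/certs/example-ad-ca.pem
# Read-only service account used for lookups; it needs read access to the
# user and group subtrees below and nothing else.
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
password = CHANGE-ME
suffix = DC=example,DC=com
query_scope = sub

# Users: sAMAccountName is both the keystone user id and the name, so it is
# the value passed to user-role-add. userAccountControl bit 2 (ACCOUNTDISABLE)
# marks disabled accounts; 512 is a normal enabled account.
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_filter = (memberOf=CN=openstack-users,OU=Groups,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
# AD is authoritative; keystone must never write to it.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Groups, for role assignments to groups via the v3 API.
group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```

Before pointing keystone at this, check from the keystone host that a simple bind as the service account and a search for the test user under user_tree_dn both succeed, which is the check Adam suggests above.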


Re: [openstack-dev] Using AD for keystone authentication only

2013-11-13 Thread Avi L
Oh ok so in this case how does the Active Directory user get an id, and
how do you map the user to a role? Is there any example you can point me
to?


On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews dolph.math...@gmail.com wrote:

 Yes, that's the preferred approach in Havana: Users and Groups via LDAP,
 and everything else via SQL.

