Re: [openstack-dev] Using AD for keystone authentication only
On 11/14/2013 07:37 PM, Avi L wrote:
> I have installed the openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I added an Active Directory user test123 with role admin and tenant admin successfully. However when I run keystone user-list it gives me the following error:
>
> Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': '20D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)

This error looks AD specific. I have not seen it from other LDAP providers.

When you do a user list, you have to authenticate to AD, which is done via a Simple Bind. This is probably not what you want long term (External Auth will let you use Kerberos, for example) but to start troubleshooting, make sure you can do an ldap query against the LDAP as the Admin user. If that works, you should be able to do a keystone token-get with that same information.

> I am not sure why it is looking at the Active Directory for authorization? In keystone.conf I am only using ldap for the Identity section. The credential and Assignment point to sql.
>
> On Thu, Nov 14, 2013 at 10:17 AM, Avi L <aviost...@gmail.com> wrote:
>> Thanks for your help. So in this case the uid parameter to user-role-add will be any of the AD attributes that I specify in the keystone.conf file, i.e. sAMAccountName? Also I assume that in this case there will be no entries for the user in the local sql users table, nor would any id be assigned to individual users by keystone? Also in this case will user-list show all the users in the Active Directory under the user tree? BTW is there an rpm available for the havana keystone release for CentOS/RHEL?

Yes, the distro you are looking for is called RDO, and it is available from:
http://repos.fedorapeople.org/repos/openstack/openstack-havana/
and trunk
http://repos.fedorapeople.org/repos/openstack/openstack-trunk/

>> On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <dolph.math...@gmail.com> wrote:
>>> You can assign roles to users in keystoneclient ($ keystone help user-role-add) -- the assignment would be persisted in SQL. openstackclient supports assignments to groups as well if you switch to --identity-api-version=3
>>>
>>> On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviost...@gmail.com> wrote:
>>>> Oh ok so in this case how does the Active Directory user get an id, and how do you map the user to a role? Is there any example you can point me to?
>>>>
>>>> On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <dolph.math...@gmail.com> wrote:
>>>>> Yes, that's the preferred approach in Havana: Users and Groups via LDAP, and everything else via SQL.
>>>>>
>>>>> On Wednesday, November 13, 2013, Avi L wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I understand that the LDAP provider in keystone can be used for authenticating a user (i.e. validate username and password), and it also authorizes it against roles and tenant. However this requires AD schema modification. Is it possible to use AD only for authentication and then use keystone's native database for roles and tenant lookup? The advantage is that then we don't need to touch the enterprise AD installation.
>>>>>>
>>>>>> Thanks
>>>>>> Al

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Using AD for keystone authentication only
Hi,

On Fri, Nov 15, 2013 at 2:58 PM, Adam Young <ayo...@redhat.com> wrote:
> On 11/14/2013 07:37 PM, Avi L wrote:
>> I have installed the openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I added an Active Directory user test123 with role admin and tenant admin successfully. However when I run keystone user-list it gives me the following error:
>>
>> Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': '20D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)
>
> This error looks AD specific. I have not seen it from other LDAP providers.
>
> When you do a user list, you have to authenticate to AD, which is done via a Simple Bind. This is probably not what you want long term (External Auth will let you use Kerberos, for example) but to start troubleshooting, make sure you can do an ldap query against the LDAP as the Admin user. If that works, you should be able to do a keystone token-get with that same information.

I can do a user list against AD using the ADMIN token, which is binding as the AD user specified in the keystone.conf file. Using the ADMIN token I am also giving that user a role of admin and a tenant of admin. These are supposedly being stored in the SQL database. Now if I change my credentials to the AD user by sourcing a keystone rc file and run the token-get or user-list command I get this error.

>> I am not sure why it is looking at the Active Directory for authorization? In keystone.conf I am only using ldap for the Identity section. The credential and Assignment point to sql.
>>
>> On Thu, Nov 14, 2013 at 10:17 AM, Avi L <aviost...@gmail.com> wrote:
>>> Thanks for your help. So in this case the uid parameter to user-role-add will be any of the AD attributes that I specify in the keystone.conf file, i.e. sAMAccountName? Also I assume that in this case there will be no entries for the user in the local sql users table, nor would any id be assigned to individual users by keystone? Also in this case will user-list show all the users in the Active Directory under the user tree? BTW is there an rpm available for the havana keystone release for CentOS/RHEL?
>
> Yes, the distro you are looking for is called RDO, and it is available from:
> http://repos.fedorapeople.org/repos/openstack/openstack-havana/
> and trunk
> http://repos.fedorapeople.org/repos/openstack/openstack-trunk/
Re: [openstack-dev] Using AD for keystone authentication only
You can assign roles to users in keystoneclient ($ keystone help user-role-add) -- the assignment would be persisted in SQL. openstackclient supports assignments to groups as well if you switch to --identity-api-version=3

On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviost...@gmail.com> wrote:
> Oh ok so in this case how does the Active Directory user get an id, and how do you map the user to a role? Is there any example you can point me to?
>
> On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <dolph.math...@gmail.com> wrote:
>> Yes, that's the preferred approach in Havana: Users and Groups via LDAP, and everything else via SQL.

--
-Dolph
Re: [openstack-dev] Using AD for keystone authentication only
I have installed the openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I added an Active Directory user test123 with role admin and tenant admin successfully. However when I run keystone user-list it gives me the following error:

Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': '20D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)

I am not sure why it is looking at the Active Directory for authorization? In keystone.conf I am only using ldap for the Identity section. The credential and Assignment point to sql.

On Thu, Nov 14, 2013 at 10:17 AM, Avi L <aviost...@gmail.com> wrote:
> Thanks for your help. So in this case the uid parameter to user-role-add will be any of the AD attributes that I specify in the keystone.conf file, i.e. sAMAccountName? Also I assume that in this case there will be no entries for the user in the local sql users table, nor would any id be assigned to individual users by keystone? Also in this case will user-list show all the users in the Active Directory under the user tree? BTW is there an rpm available for the havana keystone release for CentOS/RHEL?
>
> On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <dolph.math...@gmail.com> wrote:
>> You can assign roles to users in keystoneclient ($ keystone help user-role-add) -- the assignment would be persisted in SQL. openstackclient supports assignments to groups as well if you switch to --identity-api-version=3
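The split Dolph recommends and Avi describes (users and groups read from Active Directory, role assignments and credentials kept in Keystone's own SQL database) written out as a Havana keystone.conf fragment. This is an added example, not text from the thread and not a file shipped by Keystone or RDO; the domain controller, service account, OU paths, group name and CA file path are placeholders that have to be replaced with the real ones.

```ini
# keystone.conf (Havana) - added example, not from the thread.
# dc1.example.com, the svc-keystone account, the OU paths and the CA file
# are placeholders.

[identity]
# Users and groups come from Active Directory, read-only.
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Tenants, roles and role assignments live in Keystone's SQL database,
# so no AD schema change is needed.
driver = keystone.assignment.backends.sql.Assignment

[credential]
driver = keystone.credential.backends.sql.Credential

[ldap]
url = ldap://dc1.example.com
# Account Keystone binds with for every lookup (simple bind). Keep it
# unprivileged in AD and protect this file: the password is stored in clear.
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
password = <service-account-password>
suffix = DC=example,DC=com
query_scope = sub

# Where users live and which AD attributes map to Keystone fields.
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
# Optional: only expose members of one AD group to OpenStack.
user_filter = (memberOf=CN=openstack-users,OU=Groups,DC=example,DC=com)
# The value of this attribute is the Keystone user id, i.e. the id you pass
# to "keystone user-role-add".
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
# AD stores the enabled flag as a bitmask in userAccountControl
# (bit 2 = ACCOUNTDISABLE); 512 is a normal enabled account.
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# AD is authoritative; never let Keystone write to it.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False

# A simple bind sends the service-account password in clear unless the
# connection is protected: use STARTTLS (or ldaps:// in url) and verify
# the domain controller's certificate.
use_tls = True
tls_cacertfile = /etc/pki/tls/certs/ad-ca.pem
tls_req_cert = demand
```

With user_id_attribute set to sAMAccountName, the user id given to keystone user-role-add is the account's sAMAccountName value, and the resulting assignment row lives only in SQL; nothing is written to AD, which the user_allow_* and group_allow_* = False lines also enforce. Every lookup Keystone makes with this configuration is a simple bind as the account named in user, which is why the first check Adam suggests (an LDAP query as that account against user_tree_dn, for example with ldapsearch) is worth doing before assigning any roles, and why the bind should go over TLS.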
Re: [openstack-dev] Using AD for keystone authentication only
Just to clarify, I am running keystone user-list with the keystonerc file sourced and containing the correct credentials for test123.

On Thu, Nov 14, 2013 at 4:37 PM, Avi L <aviost...@gmail.com> wrote:
> I have installed the openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I added an Active Directory user test123 with role admin and tenant admin successfully. However when I run keystone user-list it gives me the following error:
>
> Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'info': '20D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)
>
> I am not sure why it is looking at the Active Directory for authorization? In keystone.conf I am only using ldap for the Identity section. The credential and Assignment point to sql.
Re: [openstack-dev] Using AD for keystone authentication only
Yes, that's the preferred approach in Havana: Users and Groups via LDAP, and everything else via SQL.

On Wednesday, November 13, 2013, Avi L wrote:
> Hi,
>
> I understand that the LDAP provider in keystone can be used for authenticating a user (i.e. validate username and password), and it also authorizes it against roles and tenant. However this requires AD schema modification. Is it possible to use AD only for authentication and then use keystone's native database for roles and tenant lookup? The advantage is that then we don't need to touch the enterprise AD installation.
>
> Thanks
> Al

--
-Dolph
Re: [openstack-dev] Using AD for keystone authentication only
Oh ok so in this case how does the Active Directory user get an id, and how do you map the user to a role? Is there any example you can point me to?

On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <dolph.math...@gmail.com> wrote:
> Yes, that's the preferred approach in Havana: Users and Groups via LDAP, and everything else via SQL.
>
> On Wednesday, November 13, 2013, Avi L wrote:
>> Hi,
>>
>> I understand that the LDAP provider in keystone can be used for authenticating a user (i.e. validate username and password), and it also authorizes it against roles and tenant. However this requires AD schema modification. Is it possible to use AD only for authentication and then use keystone's native database for roles and tenant lookup? The advantage is that then we don't need to touch the enterprise AD installation.
>>
>> Thanks
>> Al