[openstack-dev] Keystone Split Backend LDAP Question

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Mon Aug 5 23:37:15 UTC 2013

I have been inserting debug logging and stack traces into the code base to help find out what is and is not happening.

·         I am able to connect  the LDAP backend to our Enterprise Directory and perform a REST “get an unscoped token” from keystone. Following is the result:
·         Connection →keep-alive
·         Content-Length →259
·         Content-Type →application/json
·         Date →Fri, 26 Jul 2013 21:49:16 GMT
·         Vary →X-Auth-Token
·         X-Subject-Token →cae95a17517245798acb17c47b8eb74b

    "token": {
        "issued_at": "2013-07-26T21:49:16.951821Z",
        "extras": {},
        "methods": [
        "expires_at": "2045-04-03T19:49:16.951738Z",
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            "id": "mark.m.miller at hp.com",
            "name": "mark.m.miller at hp.com"

·         When I attempt to assign a role to the user:

Ø  keystone user-role-add --user "mark.m.miller at hp.com" --role-id 7fb862d10b5c46679b4334eae9c73a46 --tenant-id 9798b027472d4f459d231c005977b3ac

The “identity/controllers/get_users()” method is called instead of the “get_user_by_name()” method.

Does anyone know why or how to fix this or if what I am trying to do even works?


Mark Miller

From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Friday, August 02, 2013 4:00 PM
To: OpenStack Development Mailing List; Adam Young (ayoung at redhat.com); Dolph Mathews (dolph.mathews at gmail.com); Yee, Guang
Subject: Re: [openstack-dev] Keystone Split Backend LDAP Question


With some minor tweaking of the keystone common/ldap/core.py file, I have been able to authenticate and get an unscoped token for a user from an LDAP Enterprise Directory. I want to continue testing but I have some questions that need to be answered before I can continue.

1.       Do I need to add the user from the LDAP server to the Keystone SQL database or will the H-2 code search the LDAP server?

2.       When I performed a “keystone user-list” the following log file entries were written indicating that keystone was attempting to get all the users on the massive Enterprise Directory. How do we limit this query to just the one user or group of users we are interested in?

2013-07-23 14:04:31    DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32    DEBUG [keystone.common.ldap.core] In get_connection 6 user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32    DEBUG [keystone.common.ldap.core] MY query in _ldap_get_all: (&)
  2013-07-23 14:04:32    DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=People,o=hp.com, scope=2, query=(&), attrs=['businessCategory', 'userPassword', 'hpStatus', 'mail', 'uid']

3.       Next I want to acquire a scoped token. How do I assign the LDAP user to a local project?


Mark Miller
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130805/4fdfd5e8/attachment-0001.html>

More information about the OpenStack-dev mailing list