[openstack-dev] Using AD for keystone authentication only
Avi L
aviostack at gmail.com
Fri Nov 15 00:38:49 UTC 2013
Just to clarify I am running keystone user-list with keystonerc file
sourced and containing the correct credentials for test123,
On Thu, Nov 14, 2013 at 4:37 PM, Avi L <aviostack at gmail.com> wrote:
> I have installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
> added a active directory user "test123" with role admin and tenant admin
> successfully.
>
> However when I run keystone user-list if gives me the following error:
> Authorization Failed: An unexpected error prevented the server from
> fulfilling your request. {'info': '000020D6: SvcErr: DSID-031007DB, problem
> 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)
>
> I am not sure why it is looking at the Active Directory for authorization?
> In keystone.conf I am only using ldap for the Identity section. The
> credential and Assignment points to sql.
>
>
> On Thu, Nov 14, 2013 at 10:17 AM, Avi L <aviostack at gmail.com> wrote:
>
>> Thanks for your help. So in this case the uid parameter to user-role-add
>> will be any of the AD attribute that I specify in the keystone.conf file ,
>> i.e sAMAccountname? Also I assume that in this case there will be no
>> entries of the user in the local sql users table , nor would any id
>> assigned to individual users by keystone? Also in this case will user-list
>> show all the users in the Active Directory under the user tree?
>>
>> BTW is there a rpm available for havana keystone release for centOS/RHEL?
>>
>>
>> On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <dolph.mathews at gmail.com>wrote:
>>
>>> You can assign roles to users in keystoneclient ($ keystone help
>>> user-role-add) -- the assignment would be persisted in SQL. openstackclient
>>> supports assignments to groups as well if you switch to
>>> --identity-api-version=3
>>>
>>> On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviostack at gmail.com> wrote:
>>>
>>>> Oh ok so in this case how does the Active Directory user gets a id ,
>>>> and how do you map the user to a role? Is there any example you can point
>>>> me to?
>>>>
>>>>
>>>> On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <
>>>> dolph.mathews at gmail.com> wrote:
>>>>
>>>>> Yes, that's the preferred approach in Havana: Users and Groups via
>>>>> LDAP, and everything else via SQL.
>>>>>
>>>>>
>>>>> On Wednesday, November 13, 2013, Avi L wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I understand that the LDAP provider in keystone can be used for
>>>>>> authenticating a user (i.e validate username and password) , and it also
>>>>>> authorize it against roles and tenant. However this requires AD schema
>>>>>> modification. Is it possible to use AD only for authentication and then use
>>>>>> keystone's native database for roles and tenant lookup? The advantage is
>>>>>> that then we don't need to touch the enterprise AD installation.
>>>>>>
>>>>>> Thanks
>>>>>> Al
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> -Dolph
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> -Dolph
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131114/dfd59295/attachment.html>
More information about the OpenStack-dev
mailing list