[openstack-dev] Using AD for keystone authentication only

Adam Young ayoung at redhat.com
Fri Nov 15 22:58:42 UTC 2013


On 11/14/2013 07:37 PM, Avi L wrote:
> I have installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and 
> I added a active directory user "test123" with role admin and tenant 
> admin successfully.
>
> However when I run keystone user-list if gives me the following error:
> Authorization Failed: An unexpected error prevented the server from 
> fulfilling your request. {'info': '000020D6: SvcErr: DSID-031007DB, 
> problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 
> 500)

This error looks AD-specific. I have not seen it from other LDAP providers.

When you do a user list, you have to authenticate to AD, which is done 
via a simple bind. This is probably not what you want long term 
(External Auth will let you use Kerberos, for example), but to start 
troubleshooting, make sure you can do an LDAP query against the LDAP 
server as the admin user. If that works, you should be able to do a 
keystone token-get with that same information.

>
> I am not sure why it is looking at the Active Directory for 
> authorization. In keystone.conf I am only using ldap for the Identity 
> section. The credential and Assignment sections point to sql.
>
>
> On Thu, Nov 14, 2013 at 10:17 AM, Avi L <aviostack at gmail.com 
> <mailto:aviostack at gmail.com>> wrote:
>
>     Thanks for your help. So in this case the uid parameter to
>     user-role-add will be any AD attribute that I specify in
>     the keystone.conf file, i.e. sAMAccountName? Also I assume that in
>     this case there will be no entries of the user in the local sql
>     users table, nor would any id be assigned to individual users by
>     keystone? Also in this case will user-list show all the users in
>     the Active Directory under the user tree?
>
>     BTW is there an rpm available for the Havana keystone release for
>     CentOS/RHEL?
>

Yes, the distro you are looking for is called RDO, and it is available 
from:

http://repos.fedorapeople.org/repos/openstack/openstack-havana/

and trunk

http://repos.fedorapeople.org/repos/openstack/openstack-trunk/



>
>
>     On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews
>     <dolph.mathews at gmail.com <mailto:dolph.mathews at gmail.com>> wrote:
>
>         You can assign roles to users in keystoneclient ($ keystone
>         help user-role-add) -- the assignment would be persisted in
>         SQL. openstackclient supports assignments to groups as well if
>         you switch to --identity-api-version=3
>
>         On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviostack at gmail.com
>         <mailto:aviostack at gmail.com>> wrote:
>
>             Oh ok, so in this case how does the Active Directory user
>             get an id, and how do you map the user to a role? Is
>             there any example you can point me to?
>
>
>             On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews
>             <dolph.mathews at gmail.com <mailto:dolph.mathews at gmail.com>>
>             wrote:
>
>                 Yes, that's the preferred approach in Havana: Users
>                 and Groups via LDAP, and everything else via SQL.
>
>
>                 On Wednesday, November 13, 2013, Avi L wrote:
>
>                     Hi,
>
>                     I understand that the LDAP provider in keystone
>                     can be used for authenticating a user (i.e.
>                     validate username and password), and it also
>                     authorizes it against roles and tenants. However
>                     this requires AD schema modification. Is it
>                     possible to use AD only for authentication and
>                     then use keystone's native database for roles and
>                     tenant lookup? The advantage is that then we don't
>                     need to touch the enterprise AD installation.
>
>                     Thanks
>                     Al
>
>
>
>                 -- 
>
>                 -Dolph
>
>                 _______________________________________________
>                 OpenStack-dev mailing list
>                 OpenStack-dev at lists.openstack.org
>                 <mailto:OpenStack-dev at lists.openstack.org>
>                 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
>
>
>
>         -- 
>
>         -Dolph
>
>
>
>
>
>

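A keystone.conf fragment for the split discussed in this thread (users and groups read from AD, role assignments kept in SQL), added here as an illustration and not taken from the mail or from the keystone project. The option names are the Havana-era ones; the DC hostname, bind account, DNs and group name are placeholders to be replaced with your own.

```ini
# Added example (not from the thread). Identity comes from AD, assignment stays in SQL,
# so no AD schema change is needed and keystone never writes to the directory.
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# Placeholders: replace with your own domain controller, bind account and base DN.
# Check the bind first, as suggested above, e.g.:
#   ldapsearch -x -H ldaps://dc1.example.com \
#     -D "CN=keystone-svc,OU=Service Accounts,DC=example,DC=com" -W \
#     -b "OU=Users,DC=example,DC=com" "(sAMAccountName=test123)"
url = ldaps://dc1.example.com
user = CN=keystone-svc,OU=Service Accounts,DC=example,DC=com
password = REPLACE_WITH_BIND_PASSWORD
suffix = DC=example,DC=com
# ldaps:// is already encrypted; use_tls (STARTTLS) only applies to ldap://
use_tls = False
tls_cacertfile = /etc/pki/tls/certs/ad-ca.pem
query_scope = sub
# AD limits unpaged result sets, so enable paging or user-list truncates silently
page_size = 1000

# Map keystone's user attributes onto AD's existing schema.
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
# Enabled flag lives in the userAccountControl bitmask (bit 2 = ACCOUNTDISABLE)
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# Restrict what user-list exposes to one AD group instead of the whole tree
user_filter = (memberOf=CN=openstack-users,OU=Groups,DC=example,DC=com)
# Read-only: keystone must not create, modify or delete enterprise AD objects
user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```

With this layout the uid passed to user-role-add is the sAMAccountName value, and the assignment row is stored in keystone's SQL database while no user rows are created there.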