[openstack-dev] Using AD for keystone authentication only

Avi L aviostack at gmail.com
Sat Nov 16 00:39:25 UTC 2013


Hi,

On Fri, Nov 15, 2013 at 2:58 PM, Adam Young <ayoung at redhat.com> wrote:

>  On 11/14/2013 07:37 PM, Avi L wrote:
>
> I have installed the openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
> added an Active Directory user "test123" with role admin and tenant admin
> successfully.
>
>  However when I run keystone user-list it gives me the following error:
> Authorization Failed: An unexpected error prevented the server from
> fulfilling your request. {'info': '000020D6: SvcErr: DSID-031007DB, problem
> 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)
>
>
> This error looks AD specific. I have not seen it from other LDAP providers.
>
> When you do a user list, you have to authenticate to AD, which is done via
> A Simple Bind.  This is probably not what you want long term (External Auth
> will let you use Kerberos, for example) but to start troubleshooting, make
> sure you can do an ldap query against the LDAP as the Admin user.   If that
> works, you should be able to do a keystone token-get with that same
> information
>


I can do a user list against AD using the ADMIN token, which is binding as
the AD user specified in the keystone.conf file. Using the ADMIN token I am
also giving that user a role of admin and a tenant of admin. These are
supposedly being stored in the SQL database. Now if I change my credentials
to the AD user by sourcing a keystone rc file and run the token-get or
user-list command I get this error.




>
>
>  I am not sure why it is looking at the Active Directory for
> authorization? In keystone.conf I am only using ldap for the Identity
> section. The credential and Assignment points to sql.
>
>
> On Thu, Nov 14, 2013 at 10:17 AM, Avi L <aviostack at gmail.com> wrote:
>
>> Thanks for your help. So in this case the uid parameter to user-role-add
>> will be any of the AD attributes that I specify in the keystone.conf file,
>> i.e. sAMAccountName? Also I assume that in this case there will be no
>> entries of the user in the local sql users table, nor would any id be
>> assigned to individual users by keystone?  Also in this case will user-list
>> show all the users in the Active Directory under the user tree?
>>
>>  BTW is there an rpm available for the havana keystone release for
>> CentOS/RHEL?
>>
>
> Yes, the distro you are looking for is called RDO, and it is available
> from:
>
> http://repos.fedorapeople.org/repos/openstack/openstack-havana/
>
> and trunk
> http://repos.fedorapeople.org/repos/openstack/openstack-trunk/
>
>
>
>
>>
>> On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <dolph.mathews at gmail.com> wrote:
>>
>>>  You can assign roles to users in keystoneclient ($ keystone help
>>> user-role-add) -- the assignment would be persisted in SQL. openstackclient
>>> supports assignments to groups as well if you switch to
>>> --identity-api-version=3
>>>
>>>   On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviostack at gmail.com> wrote:
>>>
>>>> Oh ok so in this case how does the Active Directory user get an id,
>>>> and how do you map the user to a role? Is there any example you can point
>>>> me to?
>>>>
>>>>
>>>>   On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <
>>>> dolph.mathews at gmail.com> wrote:
>>>>
>>>>>  Yes, that's the preferred approach in Havana: Users and Groups via
>>>>> LDAP, and everything else via SQL.
>>>>>
>>>>>
>>>>> On Wednesday, November 13, 2013, Avi L wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>  I understand that the LDAP provider in keystone can be used for
>>>>>> authenticating a user (i.e. validate username and password), and it also
>>>>>> authorizes it against roles and tenant. However this requires AD schema
>>>>>> modification. Is it possible to use AD only for authentication and then use
>>>>>> keystone's native database for roles and tenant lookup? The advantage is
>>>>>> that then we don't need to touch the enterprise AD installation.
>>>>>>
>>>>>>  Thanks
>>>>>> Al
>>>>>>
>>>>>
>>>>>
>>>>>  --
>>>>>
>>>>>  -Dolph
>>>>>
>>>>>  _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>   --
>>>
>>>  -Dolph
>>>
>>>
>>>
>>
>
>
>
>
>
>
>
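The "Users and Groups via LDAP, everything else via SQL" split that Dolph recommends, and that Avi describes in his keystone.conf, written out below as an added illustration for a Havana-era keystone; this is not a configuration taken from the thread or from the RDO packages, and the host name, DNs, service account and group filter are placeholders that assume a stock Active Directory schema (sAMAccountName, userAccountControl, memberOf).

```ini
# keystone.conf (Havana): authenticate users against AD, keep everything else in SQL.
# Host, DNs and the bind account are placeholders, not values from the thread.

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Roles, tenants and role grants live in keystone's own database, so the
# AD schema is never touched.
driver = keystone.assignment.backends.sql.Assignment

[credential]
driver = keystone.credential.backends.sql.Credential

[ldap]
url = ldap://dc01.corp.example.com
# Read-only service account used for the simple bind on every identity lookup.
user = CN=svc-keystone,OU=Service Accounts,DC=corp,DC=example,DC=com
password = CHANGE_ME
suffix = DC=corp,DC=example,DC=com
# Users usually sit in nested OUs, so search the whole subtree.
query_scope = sub
# STARTTLS keeps the bind password off the wire; validate the DC certificate.
use_tls = True
tls_cacertfile = /etc/pki/tls/certs/corp-ca.pem
tls_req_cert = demand

# Where users are found; user_id_attribute is the uid you pass to user-role-add.
user_tree_dn = OU=Users,DC=corp,DC=example,DC=com
user_objectclass = person
# Optional: only expose members of one AD group to keystone.
user_filter = (memberOf=CN=openstack-users,OU=Groups,DC=corp,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
# userAccountControl bit 2 = ACCOUNTDISABLE; 512 = NORMAL_ACCOUNT.
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# Keystone never writes to the directory.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = OU=Groups,DC=corp,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```

With this layout, `keystone user-list` needs only a successful bind as the service account plus a subtree search under user_tree_dn, which is the same query Adam suggests confirming with an ldap client before retrying `keystone token-get`.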