[openstack-dev] Is Havana keystone rpm actually splitting identity and assignment?

Avi L aviostack at gmail.com
Sat Nov 16 00:46:25 UTC 2013


On Fri, Nov 15, 2013 at 3:01 PM, Adam Young <ayoung at redhat.com> wrote:

>  On 11/15/2013 11:15 AM, Ben Nemec wrote:
>
> This list is for development discussion only.  Since this sounds like a
> question specific to RHEL, might I suggest you ask it on
> http://openstack.redhat.com/forum/ ?
>
>
> Nah, this is legit.
>



Thanks Adam, I did post a question in the Red Hat forum, but so far I have not
got a reply.

>  Thanks.
>
> -Ben
>
> On 2013-11-15 10:13, Abhishek Lahiri wrote:
>
>
>
>> I have installed the openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
>> added an Active Directory user "test123" with role admin and tenant admin
>> successfully. In keystone.conf identity is pointed to ldap and assignment
>> is pointed to SQL. I sourced the keystonerc file with the correct credentials
>> for user test123 and am then trying to run keystone commands.
>>
>> However, when I run keystone get-token it gives me the following error:
>> Authorization Failed: An unexpected error prevented the server from
>> fulfilling your request. {'info': '000020D6: SvcErr: DSID-031007DB, problem
>> 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)
>>
> So, yes, if you do not explicitly supply the assignments backend, and
> the frontend is specified to be LDAP, we assume the assignments backend is
> LDAP as well.   The reason is to avoid breaking backwards compat for people
> that already have LDAP working under Grizzly and are upgrading.
>


I do point Assignment explicitly to the sql backend and Identity to the ldap
backend. Using the admin token I can also do a user list against AD
successfully. But as I said, when I unset the ADMIN token and source the
keystonerc file with the username/password of the AD user I get this error.
This is the same AD user that I am using for keystone to bind to AD (and
therefore is used when I use the ADMIN token - this proves that the credentials
in the keystonerc file are valid).