[openstack-dev] Using AD for keystone authentication only

Adam Young ayoung at redhat.com
Mon Nov 18 14:51:45 UTC 2013

On 11/15/2013 07:39 PM, Avi L wrote:
>>     However when I run keystone user-list if gives me the following
>>     error:
>>     Authorization Failed: An unexpected error prevented the server
>>     from fulfilling your request. {'info': '000020D6: SvcErr:
>>     DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc':
>>     'Operations error'} (HTTP 500)
>     This error looks AD specific. I have not seen it from other LDAP
>     providers.
>     When you do a user list, you have to authenticate to AD, which is
>     done via A Simple Bind.  This is probably not what you want long
>     term (External Auth will let you use Kerberos, for example) but to
>     start troubleshooting, make sure you can do an ldap query against
>     the LDAP as the Admin user.   If that works, you should be able to
>     do a keystone token-get with that same information
> I can do a user list against AD using the ADMIN token , which is 
> binding as the AD user specified in the keystone.conf file. Using the 
> ADMIN token I am also giving that user a role of admin and a tenant of 
> admin . These are supposedly being stored in the SQL database. Now if 
> I change my credentials to the AD user sourcing a keystone rc file and 
> run the token-get or user-list command I get this error.
ADMIN Token does no authentication against the back end.  It is a 
bootstrap method for setting up Keystone, nothing else.  It should be 
disabled as soon as you can authenticate via AD.

I don't think you have successfully authenticated against AD.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131118/a238cec2/attachment.html>

More information about the OpenStack-dev mailing list