On Mon, Nov 18, 2013 at 6:51 AM, Adam Young <ayoung at redhat.com> wrote:

> ADMIN Token does no authentication against the back end. It is a
> bootstrap method for setting up Keystone, nothing else. It should be
> disabled as soon as you can authenticate via AD.
>
> I don't think you have successfully authenticated against AD.

Our AD server does not allow anonymous browse, so I am sure that when ADMIN token is used it is binding (authenticating) as the bind user mentioned in keystone configuration file and is able to show the user list.

What I don't understand is that when I am using the same user in keystonerc file it is not working, and I believe it is somehow looking for projects and tenant information in AD, even though the assignment driver is pointing to sql as the backend.