[openstack-dev] Using AD for keystone authentication only

Avi L aviostack at gmail.com
Mon Nov 18 19:41:41 UTC 2013

On Mon, Nov 18, 2013 at 6:51 AM, Adam Young <ayoung at redhat.com> wrote:

> ADMIN Token does no authentication against the back end.  It is a
> bootstrap method for setting up Keystone, nothing else.  It should be
> disabled as soon as you can authenticate via AD.
> I don't think you have successfully authenticated against AD.

Our AD server does not allow anonymous browse, so I am sure that when the ADMIN
token is used it is binding (authenticating) as the bind user mentioned in
the keystone configuration file and is able to show the user list. What I don't
understand is that when I am using the same user in the keystonerc file it is
not working, and I believe it is somehow looking for projects and tenant
information in AD, even though the assignment driver is pointing to sql as
the backend.