<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/07/2013 05:26 PM, Miller, Mark M
(EB SW Cloud - R&D - Corvallis) wrote:<br>
</div>
<blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B360E22@G9W0343.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi
Guang,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thank
you for the reply. Would you be a little more specific or
give me an example of a configurable LDAP query filter?
Right now the keystone SQL database does not keep much
information on users that come from the LDAP server. The
only entry I could find was one in the user_project_metadata
table</span></p>
</div>
</blockquote>
<br>
LDAP users are not stored in SQL. That table is a relationship
between users and projects, by way of role assignments. <br>
<blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B360E22@G9W0343.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
</span><span style="color:windowtext"><a class="moz-txt-link-abbreviated" href="mailto:mark.m.miller@hp.com">mark.m.miller@hp.com</a><o:p></o:p></span></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span style="color:windowtext">|
9798b027472d4f459d231c005977b3ac<o:p></o:p></span></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><span style="color:windowtext">|
{"roles": [{"id":
"7fb862d10b5c46679b4334eae9c73a46"}]}<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">It
used my LDAP uid for the keystone uid. </span></p>
</div>
</blockquote>
<br>
Yep, because that was the value specified as the User Id from a
keystone perspective.<br>
<blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B360E22@G9W0343.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So
the issue is how to start the user lookup. Do you locate all
of the users in the keystone SQL database by collating
various tables and then perform a lookup in the LDAP server
with this set of data, or do you start with all of the users
from the LDAP database and then see if they exist in the
keystone SQL database tables? I am still checking, but I
assume the latter is true.</span></p>
</div>
</blockquote>
LDAP query, not SQL.<br>
<br>
<blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B360E22@G9W0343.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Concerning
user status, I would think that only “Active” users should
be enabled in keystone. I was hoping to find an attribute
that I could set such as:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">user_enabled_attribute
= hpStatus<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">user_enabled_value
= "Active"</span></p>
</div>
</blockquote>
<br>
Assuming a read-only LDAP, you are not going to disable users. So,
modify the query for user lists to include the filter you want,
something like hpStatus="Active"<br>
<br>
<br>
keystone/common/ldap/core.py, look at the ldap get functions.
Instead of getting all objects of a specific object class, you want
to specify a query that will be used. Specify that in the filter
value.<br>
<br>
<blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B360E22@G9W0343.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">And
then any other value would equal disabled. I suppose you
could say that if the LDAP backend system will let a user
log in, then that is good enough and keystone should
consider them enabled. Is that what you meant?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Mark<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Yee, Guang
<br>
<b>Sent:</b> Wednesday, August 07, 2013 2:03 PM<br>
<b>To:</b> Miller, Mark M (EB SW Cloud - R&D -
Corvallis); Taylor, Monty<br>
<b>Subject:</b> RE: [openstack-dev] Keystone Split
Backend LDAP Configuration Question<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">User
lookup should be controlled by a configurable LDAP query
filter, not individual attributes. Please make that change
if you can, you’ll get lots of karma points for this. </span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">:)</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
There’s no point in returning *<b>disabled</b>* users as
users are managed by AD, not Keystone. For read-only LDAPs,
user is either there, or not there. Nothing in between.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Guang<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Miller, Mark M (EB SW Cloud - R&D - Corvallis)
<br>
<b>Sent:</b> Wednesday, August 07, 2013 1:57 PM<br>
<b>To:</b> Taylor, Monty; Yee, Guang<br>
<b>Subject:</b> FW: [openstack-dev] Keystone Split
Backend LDAP Configuration Question<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">FYI<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Miller, Mark M (EB SW Cloud - R&D - Corvallis)
<br>
<b>Sent:</b> Wednesday, August 07, 2013 1:39 PM<br>
<b>To:</b> Adam Young<br>
<b>Cc:</b> OpenStack Development Mailing List<br>
<b>Subject:</b> Re: [openstack-dev] Keystone Split
Backend LDAP Configuration Question<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
am trying to figure out what to use for the
“user_enabled_*” attributes for the HP Enterprise
Directory servers. It looks like the enabled attribute
values in the keystone.conf file are expected to have
numerical values.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">From(URL
<a moz-do-not-send="true"
href="http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html">http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html</a>
:<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">In
case that the directory server does not have an attribute
enabled of type boolean for the user, there are several
configuration parameters that can be used to extract the
value from an integer attribute like in Active Directory:
<o:p></o:p></span></p>
<div style="border-top:solid #DEDEDE
1.0pt;border-left:none;border-bottom:solid #DEDEDE
1.0pt;border-right:none;padding:6.0pt 0in 6.0pt 0in">
<p class="MsoNormal"
style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;background:silver"><span
style="font-size:9.0pt;font-family:"Courier
New";color:#23302D">[ldap]<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;background:silver"><span
style="font-size:9.0pt;font-family:"Courier
New";color:#23302D">user_enabled_attribute =
userAccountControl<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;background:silver"><span
style="font-size:9.0pt;font-family:"Courier
New";color:#23302D">user_enabled_mask = 2<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;background:silver"><span
style="font-size:9.0pt;font-family:"Courier
New";color:#23302D">user_enabled_default = 512<o:p></o:p></span></p>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">In
this case the attribute is an integer and the enabled
attribute is listed in bit 1, so if the mask
configured
<i>user_enabled_mask</i> is different from 0, it gets the
value from the field <i>
user_enabled_attribute</i> and it makes an ADD operation
with the value indicated on
<i>user_enabled_mask</i> and if the value matches the mask
then the account is disabled.
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">It
also saves the value without mask to the user identity in
the attribute
<i>enabled_nomask</i>. This is needed in order to set it
back in case that we need to change it to enable/disable a
user because it contains more information than the status
like password expiration. Last setting
<i>user_enabled_mask</i> is needed in order to create a
default value on the integer attribute (512 = NORMAL
ACCOUNT on AD)
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">What
if the enabled attributes from the LDAP server are not
numerical values but rather character strings?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif"">hpStatus:
<span style="background:yellow;mso-highlight:yellow">Active</span>,
Deceased, Leave of Absence, Leave with Pay, Terminated,
Retired, Pending, Limited<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">How
would you set the attribute enabled = ‘Active’? Mind you
that this is a read-only LDAP connection.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">user_enabled_attribute
= hpStatus<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">user_enabled_mask
= 0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">user_enabled_default
= "Active"<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Mark<o:p></o:p></span></p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
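<p>As an added example (not Keystone's code, nor code from anyone in this thread), the two enabled-state schemes discussed above in Python: the userAccountControl mask arithmetic from the quoted keystone.conf documentation, and an escaped user-list filter along the lines of the hpStatus="Active" suggestion for a read-only directory. The objectClass value, the sample entries and the mask-0 fallback are assumptions made for the demo.</p>

```python
"""Added example, not Keystone's code: the two ways of deciding whether an LDAP
user is enabled that this thread discusses.  The mask arithmetic follows the
keystone.conf documentation quoted above; the filter builder illustrates the
"filter the user query" suggestion for a read-only directory.  Entry values,
the objectClass and the mask-0 fallback are assumptions made for the demo."""

# RFC 4515 escaping for assertion values inside an LDAP search filter.  An
# unescaped value can close the current clause and append its own, so any
# status string taken from configuration or input is escaped before use.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for interpolation into an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_enabled_by_mask(entry: dict, attribute: str, mask: int, default: int) -> bool:
    """Integer bit-field scheme from the quoted docs (Active Directory's
    userAccountControl with user_enabled_mask = 2, user_enabled_default = 512).

    The attribute is ANDed with the mask; when the result equals the mask the
    disable bit is set and the account is disabled.  A missing attribute falls
    back to the configured default (512 = NORMAL_ACCOUNT)."""
    value = int(entry.get(attribute, default))
    if mask == 0:
        # No mask configured: treat the integer as a plain flag (demo
        # simplification, not Keystone's exact behaviour).
        return bool(value)
    return (value & mask) != mask


def build_user_filter(object_class: str, status_attribute: str, status_value: str) -> str:
    """Read-only directory scheme: rather than mapping a string-valued status
    (hpStatus) onto 'enabled', restrict the user search so that only entries
    with the wanted status are returned at all.  status_attribute must come
    from configuration; the values are escaped before interpolation."""
    return "(&(objectClass={})({}={}))".format(
        escape_filter_value(object_class),
        status_attribute,
        escape_filter_value(status_value),
    )


if __name__ == "__main__":
    # Constructed entries standing in for LDAP search results.
    normal = {"uid": "alice", "userAccountControl": "512"}
    disabled = {"uid": "bob", "userAccountControl": "514"}  # 512 | 2
    for e in (normal, disabled):
        print(e["uid"], "enabled:", is_enabled_by_mask(e, "userAccountControl", 2, 512))
    print(build_user_filter("inetOrgPerson", "hpStatus", "Active"))
    print(build_user_filter("inetOrgPerson", "hpStatus", "*)(uid=*"))
```

The last print shows why escaping matters: a status value containing filter metacharacters stays a literal comparison instead of rewriting the query.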
</body>
</html>