<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/14/2013 07:37 PM, Avi L wrote:<br>
</div>
<blockquote
cite="mid:CAMBOUKxtqmi7rrkR=nsajmRTGoa7hWe5r-f-U1ApZ_bZh1hZrg@mail.gmail.com"
type="cite">
<div dir="ltr">I have
installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
added an Active Directory user "test123" with role admin and
tenant admin successfully.
<div><br>
</div>
<div style="">However when I run keystone user-list it gives me
the following error:</div>
<div style="">Authorization Failed: An unexpected error
prevented the server from fulfilling your request. {'info':
'000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR),
data 0\n', 'desc': 'Operations error'} (HTTP 500)<br>
</div>
</div>
</blockquote>
<br>
This error looks AD specific. I have not seen it from other LDAP
providers.<br>
<br>
When you do a user list, you have to authenticate to AD, which is
done via a Simple Bind. This is probably not what you want long
term (External Auth will let you use Kerberos, for example) but to
start troubleshooting, make sure you can do an LDAP query against
the LDAP server as the Admin user. If that works, you should be able to
do a keystone token-get with that same information.<br>
<br>
<blockquote
cite="mid:CAMBOUKxtqmi7rrkR=nsajmRTGoa7hWe5r-f-U1ApZ_bZh1hZrg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="">
</div>
<div style=""><br>
</div>
<div style="">I am not sure why it is looking at the Active
Directory for authorization? In keystone.conf I am only using
ldap for the Identity section. The credential and Assignment
points to sql. </div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Nov 14, 2013 at 10:17 AM, Avi L
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:aviostack@gmail.com" target="_blank">aviostack@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Thanks for your help. So in this case the uid
parameter to user-role-add will be the AD attribute
that I specify in the keystone.conf file, i.e.
sAMAccountName? Also I assume that in this case there will
be no entries of the user in the local sql users table,
nor would any id be assigned to individual users by keystone?
Also in this case will user-list show all the users in
the Active Directory under the user tree?
<div>
<br>
</div>
<div>BTW is there an rpm available for the Havana keystone
release for CentOS/RHEL?</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
Yes, the distro you are looking for is called RDO, and it is
available from: <br>
<br>
<pre><a class="moz-txt-link-freetext" href="http://repos.fedorapeople.org/repos/openstack/openstack-havana/">http://repos.fedorapeople.org/repos/openstack/openstack-havana/</a>
and trunk
<a class="moz-txt-link-freetext" href="http://repos.fedorapeople.org/repos/openstack/openstack-trunk/">http://repos.fedorapeople.org/repos/openstack/openstack-trunk/</a></pre>
<br>
<br>
<blockquote
cite="mid:CAMBOUKxtqmi7rrkR=nsajmRTGoa7hWe5r-f-U1ApZ_bZh1hZrg@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Nov 14, 2013 at 7:07
AM, Dolph Mathews <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dolph.mathews@gmail.com"
target="_blank">dolph.mathews@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>You can assign roles to users in
keystoneclient ($ keystone help user-role-add)
-- the assignment would be persisted in SQL.
openstackclient supports assignments to groups
as well if you switch to
--identity-api-version=3</div>
<br>
<div class="gmail_extra">
<div>
<div>
<div class="gmail_quote">On Wed, Nov 13,
2013 at 3:08 PM, Avi L <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:aviostack@gmail.com"
target="_blank">aviostack@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">Oh ok so in this case
how does the Active Directory user
get an id, and how do you map the
user to a role? Is there any example
you can point me to? </div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
<div>
<div>
On Wed, Nov 13, 2013 at 11:24
AM, Dolph Mathews <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dolph.mathews@gmail.com"
target="_blank">dolph.mathews@gmail.com</a>></span>
wrote:<br>
</div>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>
<div>
Yes, that's the preferred
approach in Havana: Users
and Groups via
LDAP, and everything else
via SQL.
<div>
<div><br>
<br>
On Wednesday, November
13, 2013, Avi L wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I understand
that the LDAP provider in
keystone can be used for
authenticating a user (i.e.
validate username and
password), and it also
authorizes it against roles
and tenant. However this
requires AD schema
modification. Is it possible
to use AD only for
authentication and then use
keystone's native database
for roles and tenant lookup?
The advantage is that then
we don't need to touch the
enterprise AD
installation.</div>
<div><br>
</div>
<div>Thanks</div>
<div>Al</div>
</div>
</blockquote>
<br>
<br>
</div>
</div>
<span><font color="#888888">--
<br>
<div><br>
</div>
-Dolph<br>
</font></span><br>
</div>
</div>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org"
target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</div>
<span><font color="#888888">-- <br>
<div><br>
</div>
-Dolph
</font></span></div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
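An added example, not part of the thread above and not taken from the
keystone project: a keystone.conf fragment for the split Dolph
describes (users and groups read from Active Directory; roles, tenants
and credentials kept in SQL), with sAMAccountName as the user id so
that the uid handed to keystone user-role-add is the AD logon name.
The host name, DNs, service account, group names and CA path are
assumptions.<br>
<br>
```ini
# Constructed keystone.conf fragment (Havana). Identity from AD,
# assignment and credential in SQL. Every DN, host and account name
# below is an assumption for illustration.

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[credential]
driver = keystone.credential.backends.sql.Credential

[ldap]
# LDAP over TLS. The Simple Bind keystone performs for user-list (and
# for every password check) sends the password itself, so never use
# plain ldap:// against an enterprise directory.
url = ldaps://dc1.example.com
# Read-only service account for the bind keystone makes when it lists
# or looks up users; it needs read access to the two subtrees only.
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
password = change-me
suffix = DC=example,DC=com
query_scope = sub

# Users: the value of user_id_attribute is the id keystone reports, and
# it is what user-role-add expects as the uid. No keystone-generated id
# is created for an LDAP user.
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
# Limit which AD accounts keystone will see at all (assumed group).
user_filter = (memberOf=CN=OpenStack Users,OU=Groups,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_pass_attribute = userPassword
# AD stores "account disabled" as bit 0x2 of userAccountControl;
# 512 is a normal enabled account.
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# Keystone must never write to the directory.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Groups (v3 API): same read-only treatment.
group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description
group_allow_create = False
group_allow_update = False
group_allow_delete = False

# use_tls means StartTLS on a plain connection; with ldaps:// above it
# stays off. Verify the DC's certificate against the AD issuing CA.
use_tls = False
tls_cacertfile = /etc/pki/tls/certs/ad-ca.pem
tls_req_cert = demand
```
<br>
The check suggested in the reply maps onto this fragment directly:
bind with the [ldap] user and password and search the user subtree for
the admin account, for example
<code>ldapsearch -x -H ldaps://dc1.example.com -D 'CN=svc-keystone,OU=Service Accounts,DC=example,DC=com' -W -b 'OU=Users,DC=example,DC=com' '(sAMAccountName=test123)'</code>,
then repeat the bind as test123 itself. If both succeed, keystone
token-get for test123 should succeed with the same values; if the
ldapsearch fails, the problem is in the directory settings rather than
in keystone.<br>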
</body>
</html>