<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 11/14/2013 07:37 PM, Avi L wrote:<br>
    </div>
    <blockquote
cite="mid:CAMBOUKxtqmi7rrkR=nsajmRTGoa7hWe5r-f-U1ApZ_bZh1hZrg@mail.gmail.com"
      type="cite">
      <div dir="ltr">I have
        installed the openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
        added an Active Directory user "test123" with role admin and
        tenant admin successfully.
        <div><br>
        </div>
        <div style="">However when I run keystone user-list if gives me
          the following error:</div>
        <div style="">Authorization Failed: An unexpected error
          prevented the server from fulfilling your request. {'info':
          '000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR),
          data 0\n', 'desc': 'Operations error'} (HTTP 500)<br>
        </div>
      </div>
    </blockquote>
    <br>
    This error looks AD specific. I have not seen it from other LDAP
    providers.<br>
    <br>
    When you do a user list, you have to authenticate to AD, which is
    done via a Simple Bind. This is probably not what you want long
    term (External Auth will let you use Kerberos, for example), but to
    start troubleshooting, make sure you can do an ldap query against
    the LDAP as the Admin user. If that works, you should be able to
    do a keystone token-get with that same information.<br>
    <br>
    <blockquote
cite="mid:CAMBOUKxtqmi7rrkR=nsajmRTGoa7hWe5r-f-U1ApZ_bZh1hZrg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style="">
        </div>
        <div style=""><br>
        </div>
        <div style="">I am not sure why it is looking at the Active
          Directory for authorization? In keystone.conf I am only using
          ldap for the Identity section. The credential and Assignment
          points to sql. </div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Thu, Nov 14, 2013 at 10:17 AM, Avi L
          <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:aviostack@gmail.com" target="_blank">aviostack@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Thanks for your help. So in this case the uid
              parameter to user-role-add will be any of the AD attributes
              that I specify in the keystone.conf file, i.e.
              sAMAccountName? Also I assume that in this case there will
              be no entries for the user in the local sql users table,
              nor would any id be assigned to individual users by keystone?
              Also in this case will user-list show all the users in
              the Active Directory under the user tree?
              <div>
                <br>
              </div>
            <div>BTW is there an rpm available for the Havana keystone
              release for CentOS/RHEL?</div>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
    Yes, the distro you are looking for is called RDO, and it is
    available from: <br>
    <br>
    <pre><a class="moz-txt-link-freetext" href="http://repos.fedorapeople.org/repos/openstack/openstack-havana/">http://repos.fedorapeople.org/repos/openstack/openstack-havana/</a>

and trunk

<a class="moz-txt-link-freetext" href="http://repos.fedorapeople.org/repos/openstack/openstack-trunk/">http://repos.fedorapeople.org/repos/openstack/openstack-trunk/</a></pre>
    <br>
    <br>
    <blockquote
cite="mid:CAMBOUKxtqmi7rrkR=nsajmRTGoa7hWe5r-f-U1ApZ_bZh1hZrg@mail.gmail.com"
      type="cite">
      <div class="gmail_extra">
        <div class="gmail_quote">
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <br>
                  <div class="gmail_quote">On Thu, Nov 14, 2013 at 7:07
                    AM, Dolph Mathews <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:dolph.mathews@gmail.com"
                        target="_blank">dolph.mathews@gmail.com</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">
                        <div>You can assign roles to users in
                          keystoneclient ($ keystone help user-role-add)
                          -- the assignment would be persisted in SQL.
                          openstackclient supports assignments to groups
                          as well if you switch to
                          --identity-api-version=3</div>
                        <br>
                        <div class="gmail_extra">
                          <div>
                            <div>
                              <div class="gmail_quote">On Wed, Nov 13,
                                2013 at 3:08 PM, Avi L <span dir="ltr"><<a
                                    moz-do-not-send="true"
                                    href="mailto:aviostack@gmail.com"
                                    target="_blank">aviostack@gmail.com</a>></span>
                                wrote:<br>
                                <blockquote class="gmail_quote"
                                  style="margin:0 0 0
                                  .8ex;border-left:1px #ccc
                                  solid;padding-left:1ex">
                                  <div dir="ltr">Oh ok, so in this case
                                    how does the Active Directory user
                                    get an id, and how do you map the
                                    user to a role? Is there any example
                                    you can point me to? </div>
                                  <div class="gmail_extra"><br>
                                    <br>
                                    <div class="gmail_quote">
                                      <div>
                                        <div>
                                          On Wed, Nov 13, 2013 at 11:24
                                          AM, Dolph Mathews <span
                                            dir="ltr"><<a
                                              moz-do-not-send="true"
                                              href="mailto:dolph.mathews@gmail.com"
                                              target="_blank">dolph.mathews@gmail.com</a>></span>
                                          wrote:<br>
                                        </div>
                                      </div>
                                      <blockquote class="gmail_quote"
                                        style="margin:0 0 0
                                        .8ex;border-left:1px #ccc
                                        solid;padding-left:1ex">
                                        <div>
                                          <div>
                                            Yes, that's the preferred
                                            approach in Havana: Users
                                            and Groups via LDAP, and
                                            everything else via SQL.
                                            <div>
                                              <div><br>
                                                <br>
                                                On Wednesday, November
                                                13, 2013, Avi L wrote:<br>
                                                <blockquote
                                                  class="gmail_quote"
                                                  style="margin:0 0 0
                                                  .8ex;border-left:1px
                                                  #ccc
                                                  solid;padding-left:1ex">
                                                  <div dir="ltr">Hi,
                                                    <div><br>
                                                    </div>
                                                    <div>I understand
                                                      that the LDAP provider in
                                                      keystone can be used for
                                                      authenticating a user
                                                      (i.e. validating the
                                                      username and password),
                                                      and it also authorizes it
                                                      against roles and tenants.
                                                      However, this requires an
                                                      AD schema modification. Is
                                                      it possible to use AD only
                                                      for authentication and
                                                      then use keystone's native
                                                      database for roles and
                                                      tenant lookup? The
                                                      advantage is that then we
                                                      don't need to touch the
                                                      enterprise AD
                                                      installation.</div>
                                                    <div><br>
                                                    </div>
                                                    <div>Thanks</div>
                                                    <div>Al</div>
                                                  </div>
                                                </blockquote>
                                                <br>
                                                <br>
                                              </div>
                                            </div>
                                            <span><font color="#888888">--
                                                <br>
                                                <div><br>
                                                </div>
                                                -Dolph<br>
                                              </font></span><br>
                                          </div>
                                        </div>
_______________________________________________<br>
                                        OpenStack-dev mailing list<br>
                                        <a moz-do-not-send="true"
                                          href="mailto:OpenStack-dev@lists.openstack.org"
                                          target="_blank">OpenStack-dev@lists.openstack.org</a><br>
                                        <a moz-do-not-send="true"
                                          href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
                                          target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
                                        <br>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                  <br>
                                </blockquote>
                              </div>
                              <br>
                              <br clear="all">
                              <div><br>
                              </div>
                            </div>
                          </div>
                          <span><font color="#888888">-- <br>
                              <div><br>
                              </div>
                              -Dolph
                            </font></span></div>
                      </div>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
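    Added example, not part of this thread and not keystone's own code: a
    shell script that reproduces the troubleshooting step suggested in the
    reply above. It reads the [ldap] bind settings (url, user, user_tree_dn,
    user_objectclass) from keystone.conf and prints the equivalent ldapsearch
    Simple Bind, which is the same bind keystone performs for user-list; if
    that query returns entries, the keystone token-get step follows. The
    keystone.conf fragment it writes when no KEYSTONE_CONF is given is
    constructed (ad.example.test, keystone-svc, the OU=Users tree and the
    test123/admin pair are placeholders), and ini_get, build_ldapsearch_cmd,
    write_sample_conf and keystone_token_get are helper names introduced here.
    ldapsearch's -W prompts for the bind password instead of putting it on
    the command line where ps would show it.<br>
    <br>
```shell
#!/bin/sh
# Added example, not from the thread: check the Simple Bind that keystone's
# LDAP identity driver performs, using the very settings in keystone.conf,
# before moving on to "keystone token-get". All values below are constructed.
set -eu

# ini_get FILE SECTION KEY: print the value of KEY from [SECTION] in an
# ini-style file such as keystone.conf (first match wins, comments ignored).
ini_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*\[/ {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            in_sect = (line == sect); next
        }
        in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# write_sample_conf FILE: a constructed keystone.conf fragment for the layout
# discussed in the thread (users and groups from AD, roles and tenants in SQL).
write_sample_conf() {
    cat > "$1" <<'EOF'
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# hypothetical AD: the service account used for the Simple Bind
url = ldap://ad.example.test
user = CN=keystone-svc,OU=Service Accounts,DC=example,DC=test
password = REPLACE_ME
suffix = DC=example,DC=test
user_tree_dn = OU=Users,DC=example,DC=test
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
EOF
}

# build_ldapsearch_cmd CONF: print the ldapsearch that mirrors keystone's
# user-list bind and search. -W prompts for the password instead of exposing
# it on the command line; -LLL trims the LDIF output down to the entries.
build_ldapsearch_cmd() {
    url=$(ini_get "$1" ldap url)
    bind_dn=$(ini_get "$1" ldap user)
    tree=$(ini_get "$1" ldap user_tree_dn)
    objcls=$(ini_get "$1" ldap user_objectclass)
    printf 'ldapsearch -x -LLL -H %s -D "%s" -W -b "%s" "(objectClass=%s)" dn\n' \
        "$url" "$bind_dn" "$tree" "$objcls"
}

# keystone_token_get AUTH_URL USER TENANT: step two from the reply. Once the
# bind works, an AD user should get a token (OS_PASSWORD comes from the env).
keystone_token_get() {
    OS_AUTH_URL=$1 OS_USERNAME=$2 OS_TENANT_NAME=$3 keystone token-get
}

conf=${KEYSTONE_CONF:-}
made_tmp=0
if [ -z "$conf" ]; then
    # no real keystone.conf supplied: fall back to the constructed fragment
    conf=$(mktemp); made_tmp=1
    write_sample_conf "$conf"
fi
echo "[identity] driver:   $(ini_get "$conf" identity driver)"
echo "[assignment] driver: $(ini_get "$conf" assignment driver)"
echo "Step 1 - verify the Simple Bind keystone uses for user-list:"
echo "  $(build_ldapsearch_cmd "$conf")"
echo "Step 2 - if step 1 returns entries, get a token for an AD user, e.g.:"
echo '  OS_PASSWORD=... keystone_token_get http://keystone.example.test:5000/v2.0 test123 admin'
if [ "$made_tmp" -eq 1 ]; then rm -f "$conf"; fi
```
    Run it with KEYSTONE_CONF=/etc/keystone/keystone.conf to have it read the
    real [ldap] section; without that variable it parses the constructed
    fragment. If the printed ldapsearch fails with the same bind DN and
    password keystone is configured with, the problem is on the AD side (bind
    account, search base or referrals), not in keystone's assignment backend.<br>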
  </body>
</html>