<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 15, 2013 at 3:01 PM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<div>On 11/15/2013 11:15 AM, Ben Nemec
wrote:<br>
</div>
<blockquote type="cite">
<p>This list is for development discussion only. Since this
sounds like a question specific to RHEL, might I suggest you ask
it on <a href="http://openstack.redhat.com/forum/" target="_blank">http://openstack.redhat.com/forum/</a> ?</p>
</blockquote>
<br></div>
Nah, this is legit.<br></div></blockquote><div class="im"><br><br><br>Thanks Adam, I did post a question in redhat forum but so far I have not got a reply.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<blockquote type="cite">
<p>Thanks.</p>
<p>-Ben</p>
<p>On 2013-11-15 10:13, Abhishek Lahiri wrote:</p>
<blockquote type="cite" style="padding-left:5px;border-left:#1010ff 2px solid;margin-left:5px">
<div dir="ltr"> </div>
<div class="gmail_extra"><span style="background-color:rgba"><br>
</span>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:#cccccc;border-left-style:solid;padding-left:1ex">
<div dir="ltr"><span style="background-color:rgba">I have
installed openstack-keystone-2013.2-0.11.b3.el6.noarch
rpm and I added a active directory user "test123" with
role admin and tenant admin successfully. In
Keystone.conf identity is pointed to ldap and
assignment is pointed to SQL. I sourced keystonerc
file with the correct credentials for user test123 and
then trying to run a keystone commands.</span>
<div><span style="background-color:rgba"> </span></div>
<div><span style="background-color:rgba">However when I run keystone
get-token if gives me the following error:</span></div>
<div><span style="background-color:rgba">Authorization Failed: An
unexpected error prevented the server from
fulfilling your request. {'info': '000020D6: SvcErr:
DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n',
'desc': 'Operations error'} (HTTP 500)<br>
</span></div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</blockquote></div>
So, yes, if you do not explicitly supply the assignements backend,
and the frontend is specified to be LDAP, we assume the assignments
backend is LDAP as well. The reason is to avoid breaking backwards
compat for people that already have LDAP working under Grizzly and
are upgrading.<br></div></blockquote><div><br><br></div><div>I do point Assignment explicitly to the sql backend and Identity to ldap backend. Using the admin token I can also do a user list against AD successfully. But as I said when I unset the ADMIN token and source the keystonerc file with the username/password of the AD user I get this error. This is the same AD user that I am using for keystone to bind to AD (and therefore is used when I use the ADMIN token - this proves that credentials in keystonrc file is valid).<br>
</div><br></div></div></div>