<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Nov 18, 2013 at 6:51 AM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<div><br>
</div>
<br></div>
ADMIN Token does no authentication against the back end. It is a
bootstrap method for setting up Keystone, nothing else. It should
be disabled as soon as you can authenticate via AD.<br>
<br>
I don't think you have successfully authenticated against AD.<br>
</div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></blockquote><div><br></div><div><br>Our AD server does not allow anonymous browse so I am sure that when ADMIN token is used it is binding (authenticating) as the bind user mentioned in keystone configuration file and is able to show the user list. What I don't understand is that when I am using the same user in keystonerc file it is not working , and I beleive it is somehow looking for projects and tenant information in AD , even though the assignment driver is pointing to sql as the backend.<br>
</div></div></div></div>