<div dir="auto">You should be able to configure keystone to authenticate against "ldap" using your active directory. <div dir="auto"><br></div><div dir="auto">Have you tried that yet?</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 14, 2019, 05:33 Colleen Murphy <<a href="mailto:colleen@gazlene.net">colleen@gazlene.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, Feb 13, 2019, at 9:50 AM, Fabian Zimmermann wrote:<br>
> Hi,<br>
> <br>
> thanks for the fast answers.<br>
> <br>
> I asked our ADFS Administrators if they could provide some logs to see <br>
> what's going wrong, but they are unable to deliver these.<br>
<br>
I'm more interested in what you were seeing, both the output from the client and the output from the keystone server if you have access to it.<br>
<br>
> <br>
> So I installed keycloak and switched to OpenID Connect.<br>
> <br>
> I'm (again) able to connect via Horizon SSO, but when I try to use <br>
> v3oidcpassword in the CLI I'm running into<br>
> <br>
> <a href="https://bugs.launchpad.net/python-openstackclient/+bug/1648580" rel="noreferrer noreferrer" target="_blank">https://bugs.launchpad.net/python-openstackclient/+bug/1648580</a><br>
> <br>
> I already added the suggested --os-client-secret without luck.<br>
> Updating to latest python-versions..<br>
> <br>
> pip install -U python-keystoneclient<br>
> pip install -U python-openstackclient<br>
> <br>
> didn't change anything.<br>
> <br>
> Any ideas what to try next?<br>
<br>
Unfortunately that seems to still be a valid bug that we'll need to address. You could try using the python keystoneauth library directly and see if the issue appears there[1][2].<br>
<br>
[1] <a href="https://docs.openstack.org/keystoneauth/latest/using-sessions.html" rel="noreferrer noreferrer" target="_blank">https://docs.openstack.org/keystoneauth/latest/using-sessions.html</a><br>
[2] <a href="https://docs.openstack.org/keystoneauth/latest/plugin-options.html#v3oidcpassword" rel="noreferrer noreferrer" target="_blank">https://docs.openstack.org/keystoneauth/latest/plugin-options.html#v3oidcpassword</a><br>
<br>
> <br>
> Offtopic:<br>
> <br>
> Seems like<br>
> <br>
> <a href="https://groups.google.com/forum/#!topic/mod_auth_openidc/qGE1DGQCTMY" rel="noreferrer noreferrer" target="_blank">https://groups.google.com/forum/#!topic/mod_auth_openidc/qGE1DGQCTMY</a><br>
> <br>
> is right. I had to change the RedirectURI to get OpenIDConnect working <br>
> with Keystone. The sample config of<br>
> <br>
> <a href="https://docs.openstack.org/keystone/rocky/advanced-topics/federation/websso.html" rel="noreferrer noreferrer" target="_blank">https://docs.openstack.org/keystone/rocky/advanced-topics/federation/websso.html</a><br>
> <br>
> is *not working for me*<br>
<br>
I found that too. The in-development documentation has already been fixed[3] but we didn't backport that to the Rocky documentation because it was part of a large series of rewrites and reorgs.<br>
<br>
[3] <a href="https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configure-mod-auth-openidc" rel="noreferrer noreferrer" target="_blank">https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configure-mod-auth-openidc</a><br>
<br>
> <br>
>   Fabian<br>
> <br>
<br>
Colleen<br>
<br>
</blockquote></div>