[Openstack-operators] Problems with OpenStack and LDAP

Antonio Messina antonio.s.messina at gmail.com
Mon Aug 17 14:18:00 UTC 2015

On Mon, Aug 17, 2015 at 4:02 PM, Marc Pape <marc.pape at gmail.com> wrote:
> the internal SQL. It would be great if the service users of OpenStack
> were also stored in SQL, but they are also currently deposited in the
> LDAP.

This is a use case for keystone domains
(https://wiki.openstack.org/wiki/Domains), but when we tested it there
were many things that didn't work properly.

> After restarting the Keystone service, authentication via LDAP is
> possible. The user gets the message that no projects are assigned to him.
> Now there are two problems. How can you log in as admin to assign
> projects, and keystone said that it couldn't find the service users like
> ceilometer, neutron and so on.

Assuming you have at least one user you will use as admin, you need to
use the ADMIN_TOKEN and give to that user the "admin" role. Then, you
can use that user to assign roles to the other users.

For instance,

openstack --os-token whatever --os-endpoint http://localhost:35357
role add --project foo --user your-admin-user admin

At this point your-admin-user can use the standard environment
variables/cli options (OS_AUTH_URL, OS_USERNAME etc.) to give the admin
role to the service accounts and standard roles to the users.

> I've followed the instructions on docs.openstack.org for Identity
> management, but I didn't find any notices about those problems.

That's because in the standard documentation it is assumed that you
can create users, but you can't. There are however instructions on how
to use the token and the endpoint to create the first admin user. In
your case you don't create the user but just give him/her the "admin"


antonio.s.messina at gmail.com
antonio.messina at uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
