<div dir="ltr">Yes, this feature just landed during grizzly-m3.<div><br></div><div>Which docs are you referring to? The variable wasn't included in folsom's etc/keystone.conf.sample, for example.</div></div><div class="gmail_extra">
<br clear="all"><div><div><br></div>-Dolph</div>
<br><br><div class="gmail_quote">On Mon, Mar 4, 2013 at 3:35 PM, Steven Presser <span dir="ltr"><<a href="mailto:spresse1@jhu.edu" target="_blank">spresse1@jhu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    The answer would appear to be that this flag doesn't do anything in
    the Folsom release.  Apparently this was fixed by:<br>
    
    <a href="https://bugs.launchpad.net/keystone/+bug/1122181" target="_blank">https://bugs.launchpad.net/keystone/+bug/1122181</a><br>
    <br>
    Unless I'm misreading something.  Could we perhaps update the docs
    to reflect the fact that this isn't available in releases yet?<div><div class="h5"><br>
    <br>
    On 03/04/2013 04:08 PM, Steven Presser wrote:
    <blockquote type="cite">
      
      This is what came out of my logs.  I've bolded what looks relevant
      to me:<br>
      <br>
      LDAP init: url=<a>ldap://typhon.acm.jhu.edu</a><br>
      2013-03-04 16:06:01    DEBUG [keystone.common.ldap.core] LDAP
      bind: dn=cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu<br>
      2013-03-04 16:06:01    DEBUG [keystone.common.ldap.core] LDAP
      search: dn=ou=Users,ou=OpenStack,dc=acm,dc=jhu,dc=edu, <b>scope=1</b>,
      query=(objectClass=inetOrgPerson)<br>
      <br>
      Unless I'm reading that very wrong, my scope search request is
      being ignored.  Time to dive into the code, I suppose.<br>
      <br>
      Steve<br>
      <br>
      On 03/04/2013 10:15 AM, Dolph Mathews wrote:
      <blockquote type="cite">
        <div dir="ltr">I'd suggest enabling debug=True in keystone.conf
          and comparing the LDAP queries being issued (shown in logs)
          against what you're expecting.
          <div>
            <div><br>
            </div>
            <div>I believe that [ldap] query_scope=sub does in
              fact expand queries to apply to subtrees, beyond just a
              single level (as the default value is <span style="font-family:arial,sans-serif;font-size:13px">query_scope=one).</span></div>
          </div>
        </div>
        <div class="gmail_extra"><br clear="all">
          <div>
            <div><br>
            </div>
            -Dolph</div>
          <br>
          <br>
          <div class="gmail_quote">On Sun, Mar 3, 2013 at 12:05 PM,
            Steven Presser <span dir="ltr"><<a href="mailto:spresse1@jhu.edu" target="_blank">spresse1@jhu.edu</a>></span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hey
              all,<br>
                  I have some questions about using the LDAP backend for
              keystone.  I'm in what seems to be an odd situation.  I
              have an organization-wide LDAP directory that already
              exists.  All of our users will have access to OpenStack,
              so we want to tie directly into this directory.  However,
              we can't have service accounts mixed in with the regular
              users, at least not in any way that might result in you
              being able to log in to a service account.  For neatness,
              the directory admin would prefer that all the OpenStack
              stuff be off in its own OU (and has allocated us one so we
              can do that).<br>
                  In that OU, I've set up the recommended schema from <a href="http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html" target="_blank">http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html</a>
              (changing it to my domain, obviously).  I then aliased all
              our users in to ou=Users.  The relevant part of my
              keystone.conf currently looks like:<br>
              <br>
              [ldap]<br>
              url = <a>ldap://</a>[host]<br>
              user = cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu<br>
              password = [password]<br>
              suffix = dc=acm,dc=jhu,dc=edu<br>
              use_dumb_member = False<br>
              allow_subtree_delete = False<br>
              query_scope = sub<br>
              <br>
              As near as I can tell, this should correspond to this
              query:<br>
              $ ldapsearch -x  -D
              cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu -w [password]
               -b dc=acm,dc=jhu,dc=edu '(objectclass=inetOrgPerson)' -s
              sub<br>
              <br>
              Which returns my aliased users correctly.  (that is, it
              returns "dn: uid=[uid],ou=People,dc=acm,dc=jhu,dc=edu" for
              each user).<br>
              <br>
              I really can't figure out what's going on here.  Logically,
              this should work, but (obviously) doesn't.  Anyone have
              some advice for me?   My suspicion is that query_scope=sub
              isn't doing what I expect.  (Returning search results from
              within a subtree)<br>
              <br>
              Oh, finally, I have DEREF always enabled in ldap.conf.<br>
              <br>
              Thanks,<br>
              Steve<br>
              <br>
              <br>
              <br>
              _______________________________________________<br>
              Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
              Post to     : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
              Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
              More help   : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
            </blockquote>
          </div>
          <br>
        </div>
      </blockquote>
      <br>
    </blockquote>
  </div></div></div>

<br></blockquote></div><br></div>
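<p>The thread turns on one observable: the debug line <code>LDAP search: dn=..., scope=1, query=...</code> shows the scope keystone actually passed to python-ldap, and python-ldap numbers them <code>SCOPE_BASE = 0</code>, <code>SCOPE_ONELEVEL = 1</code>, <code>SCOPE_SUBTREE = 2</code>, so a configured <code>query_scope = sub</code> that is being honoured must log <code>scope=2</code>. The script below is an added example, not code from the thread or from keystone: it reads the <code>[ldap]</code> section of a keystone.conf, parses the <code>LDAP search</code> debug lines, and reports every search whose logged scope disagrees with the configured one (defaulting to <code>one</code>, as Dolph notes). The config text, hostnames and log lines are constructed for the example and modelled on the ones quoted above; the <code>dc=example,dc=org</code> names are placeholders.</p>

```python
"""Verify that keystone's [ldap] query_scope setting is reflected in its debug log.

Added example (not keystone code).  It compares the scope configured in
keystone.conf against the 'scope=N' value keystone logs for each LDAP search
when debug=True.  A configured 'sub' that shows up as scope=1 in the log is
exactly the Folsom symptom discussed in the thread: the setting is ignored.
"""
import configparser
import re

# python-ldap scope constants: ldap.SCOPE_BASE, ldap.SCOPE_ONELEVEL, ldap.SCOPE_SUBTREE
SCOPE_NAMES = {0: "base", 1: "one", 2: "sub"}
# keystone.conf query_scope values mapped onto those constants
CONF_SCOPES = {"base": 0, "one": 1, "sub": 2}

# Matches the 'LDAP search' line emitted by keystone.common.ldap.core.
# The dn itself contains commas, so match it non-greedily up to ', scope='.
SEARCH_RE = re.compile(
    r"LDAP search: dn=(?P<dn>.*?), scope=(?P<scope>\d+), query=(?P<query>\(.*\))"
)

# Constructed keystone.conf fragment; placeholder suffix, not a real directory.
SAMPLE_CONF = """
[ldap]
url = ldap://ldap.example.org
user = cn=admin,ou=OpenStack,dc=example,dc=org
password = [password]
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False
query_scope = sub
"""

# Constructed debug log lines, modelled on the thread's output.  The first
# search ran with scope=1 (ONELEVEL) although 'sub' was configured.
SAMPLE_LOG = """\
2013-03-04 16:06:01    DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=admin,ou=OpenStack,dc=example,dc=org
2013-03-04 16:06:01    DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=Users,ou=OpenStack,dc=example,dc=org, scope=1, query=(objectClass=inetOrgPerson)
2013-03-04 16:06:02    DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=Roles,ou=OpenStack,dc=example,dc=org, scope=2, query=(objectClass=organizationalRole)
"""


def expected_scope(conf_text):
    """Return the numeric scope implied by [ldap] query_scope (keystone default: 'one')."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    value = parser.get("ldap", "query_scope", fallback="one").strip().lower()
    if value not in CONF_SCOPES:
        raise ValueError("unknown query_scope value: %r" % value)
    return CONF_SCOPES[value]


def parse_searches(log_text):
    """Return (dn, scope, query) tuples for every 'LDAP search' debug line."""
    return [
        (m.group("dn"), int(m.group("scope")), m.group("query"))
        for m in SEARCH_RE.finditer(log_text)
    ]


def check_scope(conf_text, log_text):
    """Return one message per search whose logged scope differs from the configured one.

    An empty list means every logged search used the configured scope.
    """
    want = expected_scope(conf_text)
    problems = []
    for dn, scope, query in parse_searches(log_text):
        if scope != want:
            problems.append(
                "search under %s ran with scope=%d (%s) but query_scope=%s is configured; query=%s"
                % (dn, scope, SCOPE_NAMES.get(scope, "?"), SCOPE_NAMES[want], query)
            )
    return problems


if __name__ == "__main__":
    mismatches = check_scope(SAMPLE_CONF, SAMPLE_LOG)
    for line in mismatches:
        print("MISMATCH:", line)
    if not mismatches:
        print("all logged searches used the configured scope")
```

<p>Run against a real keystone.conf and a debug log, the check either returns nothing (the setting is honoured) or names the base DN and filter of each search that ran at the wrong scope, which is the evidence Steve extracted by hand from his log above.</p>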