<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    This is what came out of my logs.  I've bolded what looks relevant
    to me:<br>
    <br>
    LDAP init: url=<a class="moz-txt-link-freetext" href="ldap://typhon.acm.jhu.edu">ldap://typhon.acm.jhu.edu</a><br>
    2013-03-04 16:06:01    DEBUG [keystone.common.ldap.core] LDAP bind:
    dn=cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu<br>
    2013-03-04 16:06:01    DEBUG [keystone.common.ldap.core] LDAP
    search: dn=ou=Users,ou=OpenStack,dc=acm,dc=jhu,dc=edu, <b>scope=1</b>,
    query=(objectClass=inetOrgPerson)<br>
    <br>
    Unless I'm reading that very wrong, my scope search request is being
    ignored.  Time to dive into the code, I suppose.<br>
    <br>
    Steve<br>
    <br>
    On 03/04/2013 10:15 AM, Dolph Mathews wrote:
    <blockquote
cite="mid:CAC=h7gUfwkJR04xX3ioP4khvLjZDwg6Hz0fFMXD7Jobwwk+n2A@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <div dir="ltr">I'd suggest enabling debug=True in keystone.conf
        and comparing the LDAP queries being issued (shown in logs)
        against what you're expecting.
        <div>
          <div><br>
          </div>
          <div style="">I believe that [ldap] query_scope=sub does in
            fact expand queries to apply to subtrees, beyond just a
            single level (as the default value is <span
              style="font-family:arial,sans-serif;font-size:13px">query_scope=one).</span></div>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div><br>
          </div>
          -Dolph</div>
        <br>
        <br>
        <div class="gmail_quote">On Sun, Mar 3, 2013 at 12:05 PM, Steven
          Presser <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:spresse1@jhu.edu" target="_blank">spresse1@jhu.edu</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            Hey all,<br>
                I have some questions about using the LDAP backend for
            keystone.  I'm in what seems to be an odd situation.  I have
            an organization-wide LDAP directory that already exists.
            All of our users will have access to OpenStack, so we want
            to tie directly into this directory.  However, we can't have
            service accounts mixed in with the regular users, at least
            not in any way that might result in you being able to log in
            to a service account.  For neatness, the directory admin
            would prefer that all the OpenStack stuff be off in its own
            OU (and has allocated us one so we can do that).<br>
                In that OU, I've set up the recommended schema from <a
              moz-do-not-send="true"
href="http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html"
              target="_blank">http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html</a>
            (changing it to my domain, obviously).  I then aliased all
            our users in to ou=Users.  The relevant part of my
            keystone.conf currently looks like:<br>
            <br>
            [ldap]<br>
            url = <a class="moz-txt-link-freetext" href="ldap://">ldap://</a>[host]<br>
            user = cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu<br>
            password = [password]<br>
            suffix = dc=acm,dc=jhu,dc=edu<br>
            use_dumb_member = False<br>
            allow_subtree_delete = False<br>
            query_scope = sub<br>
            <br>
            As near as I can tell, this should correspond to this query:<br>
            $ ldapsearch -x  -D cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu
            -w [password]  -b dc=acm,dc=jhu,dc=edu
            '(objectclass=inetOrgPerson)' -s sub<br>
            <br>
            Which returns my aliased users correctly.  (that is, it
            returns "dn: uid=[uid],ou=People,dc=acm,dc=jhu,dc=edu" for
            each user).<br>
            <br>
            I really can't figure out what's going on here.  Logically,
            this should work, but (obviously) doesn't.  Anyone have some
            advice for me?  My suspicion is that query_scope=sub isn't
            doing what I expect.  (Returning search results from within
            a subtree)<br>
            <br>
            Oh, finally, I have DEREF always enabled in ldap.conf.<br>
            <br>
            Thanks,<br>
            Steve<br>
            <br>
            <br>
            <br>
            _______________________________________________<br>
            Mailing list: <a moz-do-not-send="true"
              href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
            Post to     : <a moz-do-not-send="true"
              href="mailto:openstack@lists.launchpad.net"
              target="_blank">openstack@lists.launchpad.net</a><br>
            Unsubscribe : <a moz-do-not-send="true"
              href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
            More help   : <a moz-do-not-send="true"
              href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
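    The check Steve is doing by eye above (configured query_scope versus the scope Keystone actually logs) can be automated. The script below is an added example for this thread, not Keystone's own code and not something either poster supplied. It assumes python-ldap's numbering of search scopes (SCOPE_BASE=0, SCOPE_ONELEVEL=1, SCOPE_SUBTREE=2, the same encoding the LDAP protocol uses), the "LDAP search:" debug line format shown in the thread, and uses constructed config and log samples modelled on what was posted, with the password replaced by a placeholder.<br>
    <br>
```python
"""Compare the [ldap] query_scope configured in keystone.conf against the
scope Keystone's debug log shows it actually used for a search.

Added example for this thread, not Keystone's own code. Assumes the
python-ldap scope numbering (SCOPE_BASE=0, SCOPE_ONELEVEL=1, SCOPE_SUBTREE=2)
and the 'LDAP search:' line layout shown in the thread.
"""
import configparser
import re

# Numeric search scopes as python-ldap defines them; Keystone logs the number.
SCOPE_TO_NAME = {0: "base", 1: "one", 2: "sub"}
NAME_TO_SCOPE = {"base": 0, "one": 1, "sub": 2}

# Shape of the "LDAP search:" line from keystone.common.ldap.core as quoted
# in the thread (whitespace is allowed to vary where the log was wrapped).
SEARCH_LINE = re.compile(
    r"\[keystone\.common\.ldap\.core\]\s+LDAP\s+search:\s+"
    r"dn=(?P<dn>.+?),\s*scope=(?P<scope>\d+),\s*query=(?P<query>\S+)"
)

# Constructed samples modelled on the thread: the DNs and host are the ones
# quoted there, the password is a placeholder, not a real value.
SAMPLE_CONF = """
[ldap]
url = ldap://typhon.acm.jhu.edu
user = cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu
password = PLACEHOLDER
suffix = dc=acm,dc=jhu,dc=edu
use_dumb_member = False
allow_subtree_delete = False
query_scope = sub
"""

SAMPLE_LOG = """\
2013-03-04 16:06:01 DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu
2013-03-04 16:06:01 DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=Users,ou=OpenStack,dc=acm,dc=jhu,dc=edu, scope=1, query=(objectClass=inetOrgPerson)
"""


def configured_scope(conf_text):
    """Return the [ldap] query_scope name from keystone.conf text.

    Falls back to 'one', the default mentioned in Dolph's reply."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    name = parser.get("ldap", "query_scope", fallback="one").strip().lower()
    if name not in NAME_TO_SCOPE:
        raise ValueError("unknown query_scope %r" % name)
    return name


def parse_search_lines(log_text):
    """Extract base DN, numeric scope and filter from each 'LDAP search:' line."""
    searches = []
    for line in log_text.splitlines():
        match = SEARCH_LINE.search(line)
        if match:
            scope = int(match.group("scope"))
            searches.append({
                "dn": match.group("dn"),
                "scope": scope,
                "scope_name": SCOPE_TO_NAME.get(scope, "unknown"),
                "query": match.group("query"),
            })
    return searches


def scope_mismatches(conf_text, log_text):
    """Return the logged searches whose scope differs from the configured one."""
    expected = NAME_TO_SCOPE[configured_scope(conf_text)]
    return [s for s in parse_search_lines(log_text) if s["scope"] != expected]


if __name__ == "__main__":
    print("configured query_scope:", configured_scope(SAMPLE_CONF))
    for s in scope_mismatches(SAMPLE_CONF, SAMPLE_LOG):
        print("MISMATCH: base %s searched with scope=%d (%s), query %s"
              % (s["dn"], s["scope"], s["scope_name"], s["query"]))
```
    Run against the constructed samples it reports the single search with scope=1 ("one") even though the config says sub, which is the discrepancy the log excerpt above shows; pointed at a real keystone.conf and debug log it gives the same comparison for every search Keystone issued.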
  </body>
</html>