<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
This is what came out of my logs. I've bolded what looks relevant
to me:<br>
<br>
LDAP init: url=<a class="moz-txt-link-freetext" href="ldap://typhon.acm.jhu.edu">ldap://typhon.acm.jhu.edu</a><br>
2013-03-04 16:06:01 DEBUG [keystone.common.ldap.core] LDAP bind:
dn=cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu<br>
2013-03-04 16:06:01 DEBUG [keystone.common.ldap.core] LDAP
search: dn=ou=Users,ou=OpenStack,dc=acm,dc=jhu,dc=edu, <b>scope=1</b>,
query=(objectClass=inetOrgPerson)<br>
<br>
Unless I'm reading that very wrong, my scope search request is being
ignored. Time to dive into the code, I suppose.<br>
<br>
Steve<br>
<br>
On 03/04/2013 10:15 AM, Dolph Mathews wrote:
<blockquote
cite="mid:CAC=h7gUfwkJR04xX3ioP4khvLjZDwg6Hz0fFMXD7Jobwwk+n2A@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div dir="ltr">I'd suggest enabling debug=True in keystone.conf
and comparing the LDAP queries being issued (shown in logs)
against what you're expecting.
<div>
<div><br>
</div>
<div style="">I believe that [ldap] query_scope=sub does in
fact expand queries to apply to subtrees, beyond just a
single level (as the default value is <span
style="font-family:arial,sans-serif;font-size:13px">query_scope=one).</span></div>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div><br>
</div>
-Dolph</div>
<br>
<br>
<div class="gmail_quote">On Sun, Mar 3, 2013 at 12:05 PM, Steven
Presser <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:spresse1@jhu.edu" target="_blank">spresse1@jhu.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hey all,<br>
I have some questions about using the LDAP backend for
keystone. I'm in what seems to be an odd situation. I have
an organization-wide DLAP directory that already exists.
All of our users will have access to OpenStack, so we want
to tie directly into this directory. However, we can't have
service accounts mixed in with the regular users, at least
not in any way that might result in you being able to log in
to a service account. For neatness, the directory admin
would prefer that all the OpenStack stuff be off in its own
OU (and has allocated us one so we can do that).<br>
In that OU, I've set up the recommended schema from <a
moz-do-not-send="true"
href="http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html"
target="_blank">http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html</a>
(changing it to my domain, obviously). I then aliased all
our users in to ou=Users. The relevant part of my
keystone.conf currently looks like:<br>
<br>
[ldap]<br>
url = <a class="moz-txt-link-freetext" href="ldap://">ldap://</a>[host]<br>
user = cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu<br>
password = [password]<br>
suffix = dc=acm,dc=jhu,dc=edu<br>
use_dumb_member = False<br>
allow_subtree_delete = False<br>
query_scope = sub<br>
<br>
As near as I can tell, this should correspond to this query:<br>
$ ldapsearch -x -D cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu
-w [password] -b dc=acm,dc=jhu,dc=edu
'(objectclass=inetOrgPerson)' -s sub<br>
<br>
Which returns my aliased users correctly. (that is, it
returns "dn: uid=[uid],ou=People,dc=acm,dc=jhu,dc=edu" for
each user).<br>
<br>
I really can't figure out whats going on here. Logically,
this should work, but (obviously) doesn't. Anyone have some
advice for me? My suspicion is that query_scope=sub isn't
doing what I expect. (Returning search results from within
a subtree)<br>
<br>
Oh, finally, I have DEREF always enabled in ldap.conf.<br>
<br>
Thanks,<br>
Steve<br>
<br>
<br>
<br>
_______________________________________________<br>
Mailing list: <a moz-do-not-send="true"
href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a moz-do-not-send="true"
href="mailto:openstack@lists.launchpad.net"
target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a moz-do-not-send="true"
href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a moz-do-not-send="true"
href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</body>
</html>