<div dir="ltr">I've been wondering whether we should have <a href="http://docs.openstack.org/master/">docs.openstack.org/master/</a> to match expectations, would that have helped in your case? Thanks for clarifying. <br>
<br>Anne<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Mar 4, 2013 at 4:22 PM, Steven Presser <span dir="ltr"><<a href="mailto:spresse1@jhu.edu" target="_blank">spresse1@jhu.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Apparently the trunk docs. I could have sworn that wasn't what I
bookmarked. In any case, maybe explicitly marking trunk docs as
newer-than-latest would help?<br>
<br>
(
<a href="http://docs.openstack.org/trunk/openstack-compute/admin/content/reference-for-ldap-config-options.html" target="_blank">http://docs.openstack.org/trunk/openstack-compute/admin/content/reference-for-ldap-config-options.html</a>)<div>
<div class="h5"><br>
<br>
On 03/04/2013 05:09 PM, Dolph Mathews wrote:
<blockquote type="cite">
<div dir="ltr">Yes, this feature just landed during grizzly-m3.
<div><br>
</div>
<div>Which docs are you referring to? The variable wasn't
included in folsom's etc/keystone.conf.sample, for example.</div>
</div>
<div class="gmail_extra">
<br clear="all">
<div>
<div><br>
</div>
-Dolph</div>
<br>
<br>
<div class="gmail_quote">On Mon, Mar 4, 2013 at 3:35 PM, Steven
Presser <span dir="ltr"><<a href="mailto:spresse1@jhu.edu" target="_blank">spresse1@jhu.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> The answer would
appear to be that this flag doesn't do anything in the
Folsom release. Apparently this was fixed by:<br>
<a href="https://bugs.launchpad.net/keystone/+bug/1122181" target="_blank">https://bugs.launchpad.net/keystone/+bug/1122181</a><br>
<br>
Unless I'm misreading something. Could we perhaps update
the docs to reflect the fact that this isn't available in
releases yet?
<div>
<div><br>
<br>
On 03/04/2013 04:08 PM, Steven Presser wrote:
<blockquote type="cite"> This is what came out of my
logs. I've bolded what looks relevant to me:<br>
<br>
LDAP init: url=<a>ldap://typhon.acm.jhu.edu</a><br>
2013-03-04 16:06:01 DEBUG
[keystone.common.ldap.core] LDAP bind:
dn=cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu<br>
2013-03-04 16:06:01 DEBUG
[keystone.common.ldap.core] LDAP search:
dn=ou=Users,ou=OpenStack,dc=acm,dc=jhu,dc=edu, <b>scope=1</b>,
query=(objectClass=inetOrgPerson)<br>
<br>
Unless I'm reading that very wrong, my scope search
request is being ignored. Time to dive into the
code, I suppose.<br>
<br>
Steve<br>
<br>
On 03/04/2013 10:15 AM, Dolph Mathews wrote:
<blockquote type="cite">
<div dir="ltr">I'd suggest enabling debug=True in
keystone.conf and comparing the LDAP queries
being issued (shown in logs) against what you're
expecting.
<div>
<div><br>
</div>
<div>I believe that [ldap] query_scope=sub
does in fact expand queries to apply to
subtrees, beyond just a single level (as the
default value is <span style="font-family:arial,sans-serif;font-size:13px">query_scope=one).</span></div>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div><br>
</div>
-Dolph</div>
<br>
<br>
<div class="gmail_quote">On Sun, Mar 3, 2013 at
12:05 PM, Steven Presser <span dir="ltr"><<a href="mailto:spresse1@jhu.edu" target="_blank">spresse1@jhu.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hey all,<br>
I have some questions about using the
LDAP backend for keystone. I'm in what
seems to be an odd situation. I have an
organization-wide LDAP directory that
already exists. All of our users will have
access to OpenStack, so we want to tie
directly into this directory. However, we
can't have service accounts mixed in with
the regular users, at least not in any way
that might result in you being able to log
in to a service account. For neatness, the
directory admin would prefer that all the
OpenStack stuff be off in its own OU (and
has allocated us one so we can do that).<br>
In that OU, I've set up the recommended
schema from <a href="http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html" target="_blank">http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html</a>
(changing it to my domain, obviously). I
then aliased all our users in to ou=Users.
The relevant part of my keystone.conf
currently looks like:<br>
<br>
[ldap]<br>
url = <a>ldap://</a>[host]<br>
user =
cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu<br>
password = [password]<br>
suffix = dc=acm,dc=jhu,dc=edu<br>
use_dumb_member = False<br>
allow_subtree_delete = False<br>
query_scope = sub<br>
<br>
As near as I can tell, this should
correspond to this query:<br>
$ ldapsearch -x -D
cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu
-w [password] -b dc=acm,dc=jhu,dc=edu
'(objectclass=inetOrgPerson)' -s sub<br>
<br>
Which returns my aliased users correctly.
(that is, it returns "dn:
uid=[uid],ou=People,dc=acm,dc=jhu,dc=edu"
for each user).<br>
<br>
I really can't figure out what's going on
here. Logically, this should work, but
(obviously) doesn't. Anyone have some
advice for me? My suspicion is that
query_scope=sub isn't doing what I expect.
(Returning search results from within a
subtree)<br>
<br>
Oh, finally, I have DEREF always enabled in
ldap.conf.<br>
<br>
Thanks,<br>
Steve<br>
<br>
<br>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</blockquote>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div></div></div>
<br></blockquote></div><br></div>
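<div dir="ltr">The thread above diagnoses the problem by reading keystone's LDAP debug log and noticing that the logged <code>scope=1</code> (one level) does not match the configured <code>query_scope = sub</code>. The script below is an added example, not code from the thread or from keystone itself: it parses an <code>[ldap]</code> config fragment and the <code>LDAP search: dn=..., scope=N, query=...</code> debug lines in the format quoted above, flags every search whose scope differs from the configured one, and builds the equivalent <code>ldapsearch</code> command so the expected result set can be checked by hand. The config, host names and log lines are constructed samples; the numeric scope values are the LDAP protocol values that python-ldap exposes as <code>SCOPE_BASE</code>, <code>SCOPE_ONELEVEL</code> and <code>SCOPE_SUBTREE</code>.</div>

```python
"""Check whether a keystone [ldap] query_scope setting is actually honoured,
by comparing the configured value with the scope the debug log reports.
Added example; assumes the log format quoted in the thread."""
import configparser
import re

# LDAP protocol scope values: the same numbers python-ldap exposes as
# ldap.SCOPE_BASE / SCOPE_ONELEVEL / SCOPE_SUBTREE and that the keystone
# debug log prints as "scope=N". Keystone's default query_scope is "one".
SCOPE_BY_NAME = {"base": 0, "one": 1, "sub": 2}
NAME_BY_SCOPE = {v: k for k, v in SCOPE_BY_NAME.items()}

# Constructed sample config, modelled on the [ldap] section in the thread
# (hosts, DNs and password are placeholders).
SAMPLE_CONF = """
[ldap]
url = ldap://ldap.example.org
user = cn=admin,ou=OpenStack,dc=example,dc=org
password = secret
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False
query_scope = sub
"""

# Constructed sample log lines in the format quoted in the thread.
SAMPLE_LOG = """\
2013-03-04 16:06:01 DEBUG [keystone.common.ldap.core] LDAP init: url=ldap://ldap.example.org
2013-03-04 16:06:01 DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=admin,ou=OpenStack,dc=example,dc=org
2013-03-04 16:06:01 DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=Users,ou=OpenStack,dc=example,dc=org, scope=1, query=(objectClass=inetOrgPerson)
2013-03-04 16:06:02 DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=Groups,ou=OpenStack,dc=example,dc=org, scope=2, query=(objectClass=groupOfNames)
"""

SEARCH_RE = re.compile(
    r"LDAP search: dn=(?P<dn>.+?), scope=(?P<scope>\d+), query=(?P<query>.*)$"
)


def configured_scope(conf_text):
    """Return the numeric scope implied by [ldap] query_scope (default 'one')."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    name = cp.get("ldap", "query_scope", fallback="one").strip().lower()
    if name not in SCOPE_BY_NAME:
        raise ValueError("unknown query_scope %r" % name)
    return SCOPE_BY_NAME[name]


def parse_searches(log_text):
    """Yield (dn, scope, query) for each 'LDAP search:' debug line."""
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            yield m.group("dn"), int(m.group("scope")), m.group("query")


def find_mismatches(conf_text, log_text):
    """Return the searches whose logged scope differs from the configured one."""
    want = configured_scope(conf_text)
    return [
        {"dn": dn, "query": query, "expected": NAME_BY_SCOPE[want],
         "actual": NAME_BY_SCOPE.get(scope, str(scope))}
        for dn, scope, query in parse_searches(log_text)
        if scope != want
    ]


def ldapsearch_equivalent(conf_text, dn, query):
    """Build the ldapsearch argv that reproduces a search with the configured
    scope. -W prompts for the bind password instead of putting it in argv."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    scope_name = NAME_BY_SCOPE[configured_scope(conf_text)]
    return ["ldapsearch", "-x", "-H", cp.get("ldap", "url"),
            "-D", cp.get("ldap", "user"), "-W", "-b", dn, "-s", scope_name, query]


if __name__ == "__main__":
    for m in find_mismatches(SAMPLE_CONF, SAMPLE_LOG):
        print("scope mismatch under %(dn)s: configured %(expected)s, "
              "logged %(actual)s (query %(query)s)" % m)
    print(" ".join(ldapsearch_equivalent(
        SAMPLE_CONF, "ou=Users,ou=OpenStack,dc=example,dc=org",
        "(objectClass=inetOrgPerson)")))
```

<div dir="ltr">Run against real output from <code>debug = True</code>, the mismatch list is the one-line confirmation the thread reached by eye: a search logged with <code>scope=1</code> under a <code>query_scope = sub</code> config means the setting is not being applied by the running release. The generated <code>ldapsearch</code> uses <code>-W</code> rather than <code>-w [password]</code> so the bind password does not end up in shell history or the process list.</div>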