[openstack-dev] Keystone Split Backend LDAP Question
Adam Young
ayoung at redhat.com
Tue Aug 6 00:29:27 UTC 2013
On 08/02/2013 06:59 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
wrote:
>
> Hello,
>
> With some minor tweaking of the keystone common/ldap/core.py file, I
> have been able to authenticate and get an unscoped token for a user
> from an LDAP Enterprise Directory. I want to continue testing but I
> have some questions that need to be answered before I can continue.
>
> 1. Do I need to add the user from the LDAP server to the Keystone SQL
> database or will the H-2 code search the LDAP server?
>
No. There is no entry in SQL for the user, only in LDAP.
>
> 2. When I performed a "keystone user-list" the following log file
> entries were written indicating that keystone was attempting to get
> all the users on the massive Enterprise Directory. How do we limit
> this query to just the one user or group of users we are interested in?
>
> 2013-07-23 14:04:31 DEBUG [keystone.common.ldap.core] LDAP bind:
> dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
>
> 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] In
> get_connection 6 user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
>
> 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] MY query in
> _ldap_get_all: (&)
>
> 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] LDAP search:
> dn=ou=People,o=hp.com, scope=2, query=(&), attrs=['businessCategory',
> 'userPassword', 'hpStatus', 'mail', 'uid']
>
I think this bug is filed here:
https://bugs.launchpad.net/keystone/+bug/1205150
I've grabbed it.
> 3. Next I want to acquire a scoped token. How do I assign the LDAP user
> to a local project?
>
Use the normal Keystone API for that. The project and assignments all
happen in the SQL backend.
> Regards,
>
> Mark Miller
>