[openstack-dev] Keystone Split Backend LDAP Question

Adam Young ayoung at redhat.com
Tue Aug 6 00:29:27 UTC 2013


On 08/02/2013 06:59 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
wrote:
>
> Hello,
>
> With some minor tweaking of the keystone common/ldap/core.py file, I 
> have been able to authenticate and get an unscoped token for a user 
> from an LDAP Enterprise Directory. I want to continue testing but I 
> have some questions that need to be answered before I can continue.
>
> 1. Do I need to add the user from the LDAP server to the Keystone SQL 
> database or will the H-2 code search the LDAP server?
>
No. There is no entry in SQL for the user, only in LDAP.
>
> 2. When I performed a "keystone user-list" the following log file 
> entries were written indicating that keystone was attempting to get 
> all the users on the massive Enterprise Directory. How do we limit 
> this query to just the one user or group of users we are interested in?
>
> 2013-07-23 14:04:31    DEBUG [keystone.common.ldap.core] LDAP bind: 
> dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
>
> 2013-07-23 14:04:32    DEBUG [keystone.common.ldap.core] In 
> get_connection 6 user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
>
> 2013-07-23 14:04:32    DEBUG [keystone.common.ldap.core] MY query in 
> _ldap_get_all: (&)
>
> 2013-07-23 14:04:32    DEBUG [keystone.common.ldap.core] LDAP search: 
> dn=ou=People,o=hp.com, scope=2, query=(&), attrs=['businessCategory', 
> 'userPassword', 'hpStatus', 'mail', 'uid']
>

I think this bug is filed here:
https://bugs.launchpad.net/keystone/+bug/1205150

I've grabbed it.

> 3. Next I want to acquire a scoped token. How do I assign the LDAP user 
> to a local project?
>
Use the normal Keystone API for that. The project and assignments all 
happen in the SQL backend.


> Regards,
>
> Mark Miller
>
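
An added example, not part of the original thread and not Keystone's own code: a Python sketch that scans Keystone DEBUG output in the format quoted in question 2 and reports LDAP searches that combine a match-all filter with a non-base scope, the pattern that enumerates the whole directory. The sample log is constructed from the lines in the message; the `jdoe` records and all function names are assumptions.

```python
import re

SCOPES = {0: "base", 1: "onelevel", 2: "subtree"}
# (&) is the RFC 4526 "absolute true" filter; (objectClass=*) matches any entry.
MATCH_ALL = {"(&)", "(objectclass=*)"}
STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s")
SEARCH = re.compile(
    r"LDAP search: dn=(?P<base>.*?), scope=(?P<scope>\d+), "
    r"query=(?P<query>.*?), attrs=(?P<attrs>\[.*?\])"
)

# Constructed sample; the second record is wrapped the way the mail wrapped it.
SAMPLE_LOG = """\
2013-07-23 14:04:31    DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-23 14:04:32    DEBUG [keystone.common.ldap.core] LDAP search:
dn=ou=People,o=hp.com, scope=2, query=(&), attrs=['businessCategory',
'userPassword', 'hpStatus', 'mail', 'uid']
2013-07-23 14:04:40    DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=People,o=hp.com, scope=2, query=(&(uid=jdoe)(objectClass=person)), attrs=['mail', 'uid']
2013-07-23 14:04:41    DEBUG [keystone.common.ldap.core] LDAP search: dn=uid=jdoe,ou=People,o=hp.com, scope=0, query=(objectClass=*), attrs=['mail']
"""

def records(text):
    """Re-join wrapped log records: a new record starts at a timestamp."""
    current = []
    for line in text.splitlines():
        if STAMP.match(line) and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)

def unfiltered_searches(text):
    """Return searches below the base entry that use a match-all filter."""
    hits = []
    for rec in records(text):
        m = SEARCH.search(rec)
        if not m:
            continue
        scope = int(m["scope"])
        query = re.sub(r"\s+", "", m["query"]).lower()
        if scope != 0 and query in MATCH_ALL:  # a base-scope read of one entry is normal
            hits.append({"time": rec[:19], "base": m["base"],
                         "scope": SCOPES.get(scope, str(scope)),
                         "attrs": re.findall(r"'([^']*)'", m["attrs"])})
    return hits

if __name__ == "__main__":
    for hit in unfiltered_searches(SAMPLE_LOG):
        print(hit)
```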
