[openstack-dev] Keystone Split Backend LDAP Question
Adam Young
ayoung at redhat.com
Tue Aug 6 00:31:39 UTC 2013
On 08/05/2013 07:37 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
wrote:
>
> I have been inserting debug logging and stack traces into the code
> base to help find out what is and is not happening.
>
> ·I am able to connect the LDAP backend to our Enterprise Directory and
> perform a REST “get an unscoped token” from keystone. Following is the
> result:
>
> ·*Connection →*keep-alive
>
> ·*Content-Length →*259
>
> ·*Content-Type →*application/json
>
> ·*Date →*Fri, 26 Jul 2013 21:49:16 GMT
>
> ·*Vary →*X-Auth-Token
>
> ·*X-Subject-Token →*cae95a17517245798acb17c47b8eb74b
>
> {
>
> "token": {
>
> "issued_at": "2013-07-26T21:49:16.951821Z",
>
> "extras": {},
>
> "methods": [
>
> "password"
>
> ],
>
> "expires_at": "2045-04-03T19:49:16.951738Z",
>
> "user": {
>
> "domain": {
>
> "id": "default",
>
> "name": "Default"
>
> },
>
> "id": "mark.m.miller at hp.com",
>
> "name": "mark.m.miller at hp.com"
>
> }
>
> }
>
> }
>
> ·When I attempt to assign a role to the user:
>
> Økeystone user-role-add --user "mark.m.miller at hp.com" --role-id
> 7fb862d10b5c46679b4334eae9c73a46 --tenant-id
> 9798b027472d4f459d231c005977b3ac
>
> The “identity/controllers/get_users()” method is called instead of the
> “get_user_by_name()” method.
>
Opened a bug for this.
https://bugs.launchpad.net/keystone/+bug/1208653
> Does anyone know why or how to fix this or if what I am trying to do
> even works?
>
> Regards,
>
> Mark Miller
>
> *From:*Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> *Sent:* Friday, August 02, 2013 4:00 PM
> *To:* OpenStack Development Mailing List; Adam Young
> (ayoung at redhat.com); Dolph Mathews (dolph.mathews at gmail.com); Yee, Guang
> *Subject:* Re: [openstack-dev] Keystone Split Backend LDAP Question
>
> Hello,
>
> With some minor tweaking of the keystone common/ldap/core.py file, I
> have been able to authenticate and get an unscoped token for a user
> from an LDAP Enterprise Directory. I want to continue testing but I
> have some questions that need to be answered before I can continue.
>
> 1.Do I need to add the user from the LDAP server to the Keystone SQL
> database or will the H-2 code search the LDAP server?
>
> 2.When I performed a “keystone user-list” the following log file
> entries were written indicating that keystone was attempting to get
> all the users on the massive Enterprise Directory. How do we limit
> this query to just the one user or group of users we are interested in?
>
> 2013-07-23 14:04:31 DEBUG [keystone.common.ldap.core] LDAP bind:
> dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
>
> 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] In
> get_connection 6 user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
>
> 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] MY query in
> _ldap_get_all: (&)
>
> 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] LDAP search:
> dn=ou=People,o=hp.com, scope=2, query=(&), attrs=['businessCategory',
> 'userPassword', 'hpStatus', 'mail', 'uid']
>
> 3.Next I want to acquire a scoped token. How do I assign the LDAP user
> to a local project?
>
> Regards,
>
> Mark Miller
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130805/54e976e8/attachment.html>
More information about the OpenStack-dev
mailing list