[openstack-dev] Keystone Split Backend LDAP Problem (LDAPS)

Adam Young ayoung at redhat.com
Tue Aug 6 21:09:12 UTC 2013


On 08/06/2013 05:02 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
wrote:
>
> Next problem:
>
> I am using ldaps to connect to the LDAP server. Although I am not
> using TLS, I do need to set/use the ldap.OPT_X_TLS_CERTFILE option.
> However, the current code has no way to let me do this so I have added an
> if statement in the following code to temporarily get around this
> issue (file keystone/common/ldap/core.py). This may not be the best
> place/way to fix my problem. Please let me know if I need to use some
> other configuration parameters in keystone.conf or if I have found a bug.
>
This looks like Windows. I thought that implied TLS.
However, there is a certfile parameter on the LDAP backend already, just
for TLS. LDAP.tls_cacertfile

I think it will be OK to conditionally set the options based on the
presence of this variable in the LDAPS code path:


if CONF.LDAP.tls_cacertfile:
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CONF.LDAP.tls_cacertfile)


> Similar Python sample code:
>
> import ldap
>
> # CA certificate used to verify the ldaps:// server certificate
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,
>                 "d:/etc/ssl/certs/hpca2ssG2_ns.cer")
> # ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
>
> # host, binduser, bindpw, base and scope are set elsewhere (not shown here)
> ldap_client = ldap.initialize(host)
> ldap_client.protocol_version = ldap.VERSION3
> ldap_client.simple_bind_s(binduser, bindpw)
> ldapBound = True
>
> filter = '(uid=mark.m*)'
> attrs = ['cn', 'mail', 'uid', 'hpStatus']
> print("base: %s, scope: %s, filter: %s, attrs:%s" % (base, scope,
>                                                      filter, attrs))
> r = ldap_client.search_s(base, scope, filter, attrs)
>
> Mark
>
> *From:* Adam Young [mailto:ayoung at redhat.com]
> *Sent:* Monday, August 05, 2013 5:32 PM
> *To:* Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> *Cc:* OpenStack Development Mailing List; Dolph Mathews
> (dolph.mathews at gmail.com); Yee, Guang
> *Subject:* Re: Keystone Split Backend LDAP Question
>
> On 08/05/2013 07:37 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> wrote:
>
>     I have been inserting debug logging and stack traces into the code
>     base to help find out what is and is not happening.
>
>     - I am able to connect the LDAP backend to our Enterprise Directory
>       and perform a REST “get an unscoped token” from keystone.
>       Following is the result:
>
>       Connection → keep-alive
>       Content-Length → 259
>       Content-Type → application/json
>       Date → Fri, 26 Jul 2013 21:49:16 GMT
>       Vary → X-Auth-Token
>       X-Subject-Token → cae95a17517245798acb17c47b8eb74b
>
>       {
>         "token": {
>           "issued_at": "2013-07-26T21:49:16.951821Z",
>           "extras": {},
>           "methods": ["password"],
>           "expires_at": "2045-04-03T19:49:16.951738Z",
>           "user": {
>             "domain": {"id": "default", "name": "Default"},
>             "id": "mark.m.miller at hp.com",
>             "name": "mark.m.miller at hp.com"
>           }
>         }
>       }
>
>     - When I attempt to assign a role to the user:
>
>       keystone user-role-add --user "mark.m.miller at hp.com" --role-id
>       7fb862d10b5c46679b4334eae9c73a46 --tenant-id
>       9798b027472d4f459d231c005977b3ac
>
>       the “identity/controllers/get_users()” method is called instead of
>       the “get_user_by_name()” method.
>
>
> Opened a bug for this.
> https://bugs.launchpad.net/keystone/+bug/1208653
>
>
> Does anyone know why or how to fix this or if what I am trying to do
> even works?
>
> Regards,
>
> Mark Miller
>
> *From:* Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> *Sent:* Friday, August 02, 2013 4:00 PM
> *To:* OpenStack Development Mailing List; Adam Young
> (ayoung at redhat.com <mailto:ayoung at redhat.com>); Dolph Mathews
> (dolph.mathews at gmail.com <mailto:dolph.mathews at gmail.com>); Yee, Guang
> *Subject:* Re: [openstack-dev] Keystone Split Backend LDAP Question
>
> Hello,
>
> With some minor tweaking of the keystone common/ldap/core.py file, I
> have been able to authenticate and get an unscoped token for a user
> from an LDAP Enterprise Directory. I want to continue testing but I
> have some questions that need to be answered before I can continue.
>
> 1. Do I need to add the user from the LDAP server to the Keystone SQL
> database or will the H-2 code search the LDAP server?
>
> 2. When I performed a “keystone user-list” the following log file
> entries were written indicating that keystone was attempting to get
> all the users on the massive Enterprise Directory. How do we limit
> this query to just the one user or group of users we are interested in?
>
> 2013-07-23 14:04:31 DEBUG [keystone.common.ldap.core] LDAP bind:
> dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
>
> 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] In
> get_connection 6 user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
>
> 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] MY query in
> _ldap_get_all: (&)
>
> 2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] LDAP search:
> dn=ou=People,o=hp.com, scope=2, query=(&), attrs=['businessCategory',
> 'userPassword', 'hpStatus', 'mail', 'uid']
>
> 3. Next I want to acquire a scoped token. How do I assign the LDAP user
> to a local project?
>
> Regards,
>
> Mark Miller
>
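
The `(&)` search in the quoted log matches every entry under ou=People, which is exactly the behaviour question 2 asks how to limit. The following is an added example, not Keystone's code and not from anyone in this thread: it builds a filter scoped to a single user and escapes the user-supplied value per RFC 4515 (the same escaping python-ldap provides as ldap.filter.escape_filter_chars). It assumes python-ldap is not installed, so nothing is imported and the filter is just returned as a string.

```python
# Added example: build a narrowly scoped, injection-safe LDAP search filter
# for a single-user lookup instead of the catch-all "(&)" seen in the log.
# Pure Python; the escaping follows RFC 4515 and matches what python-ldap's
# ldap.filter.escape_filter_chars does (assumed not installed, so not used).

# Characters that change a filter's structure if left unescaped.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape an assertion value so it cannot alter the filter's structure.

    Each character is visited once, so an inserted backslash is never
    re-escaped. Caller-supplied wildcards are deliberately neutralised;
    a prefix search like '(uid=mark.m*)' must be composed explicitly.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_attr, username, objectclass=None, extra=None):
    """Return an RFC 4515 filter that matches exactly one user.

    user_attr   -- attribute holding the login name ('uid', 'mail', ...)
    username    -- untrusted value supplied by the caller
    objectclass -- optional objectClass to AND in (e.g. 'inetOrgPerson')
    extra       -- optional dict of additional attr=value equality terms
    """
    terms = ["(%s=%s)" % (user_attr, escape_filter_value(username))]
    if objectclass:
        terms.insert(0, "(objectClass=%s)" % escape_filter_value(objectclass))
    for attr, val in sorted((extra or {}).items()):
        terms.append("(%s=%s)" % (attr, escape_filter_value(val)))
    if len(terms) == 1:
        return terms[0]
    return "(&" + "".join(terms) + ")"


if __name__ == "__main__":
    # Constructed sample values, not real directory data.
    print(build_user_filter("uid", "mark.m.miller", objectclass="inetOrgPerson"))
    # Metacharacters in the input are escaped, not interpreted:
    print(build_user_filter("uid", "*)(uid=*"))
```

Passing the returned string as the query of search_s, with the base narrowed to the users' OU, replaces the directory-wide enumeration with a single-entry lookup.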
