Open Stack

I have installed openstack-keystone-2013.2-0.11.b3.el6.noarch rpm and I
added a active directory user "test123" with role admin and tenant admin
successfully.

However when I run keystone user-list if gives me the following error:
Authorization Failed: An unexpected error prevented the server from
fulfilling your request. {'info': '000020D6: SvcErr: DSID-031007DB, problem
5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} (HTTP 500)

I am not sure why it is looking at the Active Directory for authorization?
In keystone.conf I am only using ldap for the Identity section. The
credential and Assignment points to sql.


On Thu, Nov 14, 2013 at 10:17 AM, Avi L <aviostack at gmail.com> wrote:

> Thanks for your help. So in this case the uid parameter to user-role-add
> will be any of the AD attribute that I specify in the keystone.conf file ,
> i.e sAMAccountname? Also I assume that in this case there will be no
> entries of the user in the local sql users table , nor would any id
> assigned to individual users by keystone?  Also in this case will user-list
> show all the users in the Active Directory under the user tree?
>
> BTW is there a rpm available for havana keystone release for centOS/RHEL?
>
>
> On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <dolph.mathews at gmail.com>wrote:
>
>> You can assign roles to users in keystoneclient ($ keystone help
>> user-role-add) -- the assignment would be persisted in SQL. openstackclient
>> supports assignments to groups as well if you switch to
>> --identity-api-version=3
>>
>> On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviostack at gmail.com> wrote:
>>
>>> Oh ok so in this case how does the Active Directory user gets a id , and
>>> how do you map the user to a role? Is there any example you can point me
>>> to?
>>>
>>>
>>>  On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <
>>> dolph.mathews at gmail.com> wrote:
>>>
>>>>  Yes, that's the preferred approach in Havana: Users and Groups via
>>>> LDAP, and everything else via SQL.
>>>>
>>>>
>>>> On Wednesday, November 13, 2013, Avi L wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I understand that the LDAP provider in keystone can be used for
>>>>> authenticating a user (i.e validate username and password) , and it also
>>>>> authorize it against roles and tenant. However this requires AD schema
>>>>> modification. Is it possible to use AD only for authentication and then use
>>>>> keystone's native database for roles and tenant lookup? The advantage is
>>>>> that then we don't need to touch the enterprise AD installation.
>>>>>
>>>>> Thanks
>>>>> Al
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> -Dolph
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>>
>> --
>>
>> -Dolph
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131114/2cdeaf8f/attachment.html>