[openstack-dev] Using AD for keystone authentication only
Adam Young
ayoung at redhat.com
Mon Nov 18 14:51:45 UTC 2013
On 11/15/2013 07:39 PM, Avi L wrote:
>
>> However when I run keystone user-list it gives me the following
>> error:
>> Authorization Failed: An unexpected error prevented the server
>> from fulfilling your request. {'info': '000020D6: SvcErr:
>> DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc':
>> 'Operations error'} (HTTP 500)
>
> This error looks AD specific. I have not seen it from other LDAP
> providers.
>
> When you do a user list, you have to authenticate to AD, which is
> done via a Simple Bind. This is probably not what you want long
> term (External Auth will let you use Kerberos, for example) but to
> start troubleshooting, make sure you can do an LDAP query against
> the LDAP as the Admin user. If that works, you should be able to
> do a keystone token-get with that same information.
>
>
>
> I can do a user list against AD using the ADMIN token, which is
> binding as the AD user specified in the keystone.conf file. Using the
> ADMIN token I am also giving that user a role of admin and a tenant of
> admin. These are supposedly being stored in the SQL database. Now if
> I change my credentials to the AD user, sourcing a keystone rc file, and
> run the token-get or user-list command, I get this error.
>
ADMIN Token does no authentication against the back end. It is a
bootstrap method for setting up Keystone, nothing else. It should be
disabled as soon as you can authenticate via AD.
I don't think you have successfully authenticated against AD.
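The reply above makes two points a practitioner will want to check mechanically: the ADMIN token bypasses the identity backend entirely and should be disabled once real authentication works, and the LDAP simple bind as the configured service account must succeed before anything else is debugged. The script below is an added example, not code from this thread or from the Keystone project; it audits a keystone.conf fragment for those conditions. It assumes the Havana-era layout (`admin_token` under `[DEFAULT]`, connection settings under `[ldap]`), and both configuration samples are constructed, with placeholder host names, DNs and password.

```python
"""Audit a keystone.conf fragment for the bootstrap ADMIN token and LDAP bind settings.

Added example; not from the mailing-list thread or from Keystone itself. Assumes the
Havana-era keystone.conf layout: admin_token under [DEFAULT], LDAP settings under [ldap].
"""
import configparser

# Constructed sample modelled on a Havana-era keystone.conf (all values are placeholders).
# This is the "still bootstrapping" state the thread describes.
BOOTSTRAP_CONF = """
[DEFAULT]
admin_token = ADMIN

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldap://ad.example.test
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=test
password = placeholder-bind-password
suffix = DC=example,DC=test
user_tree_dn = OU=Users,DC=example,DC=test
"""

# Constructed hardened counterpart: bootstrap token removed, LDAP bind over TLS.
HARDENED_CONF = """
[DEFAULT]
admin_token =

[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldaps://ad.example.test
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=test
password = placeholder-bind-password
suffix = DC=example,DC=test
user_tree_dn = OU=Users,DC=example,DC=test
"""


def audit_keystone_conf(text):
    """Return a list of findings (plain strings) for the given keystone.conf text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    # 1. The bootstrap token never touches the identity backend, so a working
    #    "keystone user-list" with it proves nothing about AD. Once a real
    #    token-get succeeds it should be blanked out or removed.
    token = cfg.get("DEFAULT", "admin_token", fallback="").strip()
    if token:
        findings.append("admin_token is set: bootstrap token still enabled")
        if token.upper() == "ADMIN":
            findings.append("admin_token is the well-known default value 'ADMIN'")

    # 2. With the LDAP identity driver, the simple bind needs a url, a bind DN
    #    and a password; report anything missing so the bind can be tested
    #    outside Keystone first (e.g. with an LDAP client as the same user).
    driver = cfg.get("identity", "driver", fallback="")
    if "ldap" in driver.lower():
        for key in ("url", "user", "password", "suffix"):
            if not cfg.get("ldap", key, fallback="").strip():
                findings.append("[ldap] %s is missing or empty" % key)

        # 3. A simple bind sends the service-account password to the server;
        #    without ldaps:// or StartTLS (use_tls) it crosses the wire in clear.
        url = cfg.get("ldap", "url", fallback="")
        use_tls = cfg.getboolean("ldap", "use_tls", fallback=False)
        if url.startswith("ldap://") and not use_tls:
            findings.append("[ldap] url is plain ldap:// and use_tls is off: "
                            "bind password is sent unencrypted")
    return findings


if __name__ == "__main__":
    for name, conf in (("bootstrap", BOOTSTRAP_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %s" % (name, audit_keystone_conf(conf) or "no findings"))
```

Run it against the real file (`audit_keystone_conf(open("/etc/keystone/keystone.conf").read())`) after the first successful `keystone token-get` as an AD user; an empty result for the `admin_token` checks is the state the reply above asks for.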