[Openstack] enforce admin_required with LDAP admin user

Adam Young ayoung at redhat.com
Tue Jul 17 13:49:25 UTC 2012


You need an admin token and to go against port 35357 for those types of 
operations.  A basic user does not have permission to do so.  It has 
nothing to do with LDAP.


On 05/22/2012 11:47 AM, Sharif Islam wrote:
> I think my LDAP bind is working but tenant-list and user-list give me
> admin_required error.
>
> Looks like the LDAP admin user does not have any roles. Is that the issue?
>
>
>
> # keystone discover
> Keystone found at http://localhost:5000/v2.0/
>      - supports version v2.0 (beta) here http://149.165.159.121:5000/v2.0/
> root@i121:~# keystone service-list
> +----+------+------+-------------+
> | id | name | type | description |
> +----+------+------+-------------+
> +----+------+------+-------------+
> root@i121:~# keystone user-list
> No handlers could be found for logger "keystoneclient.client"
> You are not authorized to perform the requested action: admin_required
> (HTTP 403)
> root@i121:~# keystone tenant-list
> No handlers could be found for logger "keystoneclient.client"
> You are not authorized to perform the requested action: admin_required
> (HTTP 403)
>
>
>
>> (keystone.common.ldap.core): 2012-05-22 11:36:02,263 DEBUG LDAP init: url=ldap://ldap.project.org
>> (keystone.common.ldap.core): 2012-05-22 11:36:02,263 DEBUG LDAP bind: dn=uid=user,ou=People,dc=project,dc=org
>> (keystone.common.ldap.core): 2012-05-22 11:36:02,271 DEBUG LDAP search: dn=ou=ostenants,dc=project,dc=org, scope=1, query=(&(member=uid=admin,ou=People,dc=project,dc=org)(objectClass=groupOfNames))
>> (root): 2012-05-22 11:36:02,425 DEBUG TOKEN_REF {'id': 'dfc4b2ecexxxd014x280d91efeecda06', 'expires': datetime.datetime(2012, 5, 23, 15, 36, 2, 274565), 'user': {'id': 'admin', 'name': 'admin'}, 'tenant': {'id': 'admin', 'name': 'admin'}, 'metadata': {}}
>> (eventlet.wsgi.server): 2012-05-22 11:36:02,426 DEBUG 127.0.0.1 - - [22/May/2012 11:36:02] "POST /v2.0/tokens HTTP/1.1" 200 1762 0.166139
>> (keystone.policy.backends.rules): 2012-05-22 11:36:02,439 DEBUG enforce admin_required: {'tenant_id': u'admin', 'user_id': u'admin', 'roles': []}
>
>
> --sharif
>
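
One way to read the `enforce admin_required` debug line in the quoted log, as an added example that is not part of either message and is not Keystone's own code: it parses such lines and evaluates the logged credentials against a policy rule. The contents of `POLICY` and the second sample line are assumptions made for illustration; compare against the policy.json your own Keystone loads.

```python
import ast
import re

# Assumed rule in the list-of-lists policy form: outer list = OR, inner = AND.
POLICY = {"admin_required": [["role:admin"], ["is_admin:1"]]}

ENFORCE_RE = re.compile(r"DEBUG enforce (?P<rule>\w+): (?P<creds>\{.*\})\s*$")

SAMPLE_LOG = [
    # Line taken from the quoted log in this thread.
    "(keystone.policy.backends.rules): 2012-05-22 11:36:02,439 DEBUG enforce "
    "admin_required: {'tenant_id': u'admin', 'user_id': u'admin', 'roles': []}",
    # Constructed line: the same check for a token that carries a role.
    "(keystone.policy.backends.rules): 2012-05-22 11:40:00,000 DEBUG enforce "
    "admin_required: {'tenant_id': u'admin', 'user_id': u'admin', "
    "'roles': [u'admin']}",
]


def check_matches(check, creds):
    """Evaluate one 'kind:value' check against the logged credentials."""
    kind, _, value = check.partition(":")
    if kind == "role":
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    actual = creds.get(kind)
    if isinstance(actual, bool):  # is_admin is logged as True/False
        actual = int(actual)
    return actual is not None and str(actual) == value


def is_allowed(rule, creds, policy=POLICY):
    """True if any AND-group of the rule is satisfied; unknown rules deny."""
    return any(all(check_matches(c, creds) for c in group)
               for group in policy.get(rule, []))


def audit(lines, policy=POLICY):
    """Return (rule, user_id, roles, allowed) for every enforce line found."""
    results = []
    for line in lines:
        m = ENFORCE_RE.search(line)
        if not m:
            continue
        creds = ast.literal_eval(m.group("creds"))  # literals only, no eval()
        rule = m.group("rule")
        results.append((rule, creds.get("user_id"), creds.get("roles", []),
                        is_allowed(rule, creds, policy)))
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```
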
