[Openstack] Icehouse, LDAP/Active Directory Authentication, Invalid Password
ethan at 757.org
Fri Nov 14 19:08:35 UTC 2014
> 1. Authentication. This is done via a simple bind to the LDAP server
> 2. Get user data. This is done as an LDAP query to the LDAP server as the
> system LDAP user, not as the end user.
> 3. Getting the roles for the user on the project. If you are requesting a
> project scoped token, this would fail if the user had no roles on the
> project.

Okay, I managed to get our Icehouse system authenticating via AD/LDAP by
going to git, fetching whatever the latest version of the core.py of LDAP
and throwing it over top of the one that we're running (which is from yum
repo from RDO?)

Now we're hitting a:

RESP BODY: {"error": {"message": "User OpenStack Admin is unauthorized for
tenant c559b2ddf24d4ebc820d91111111111", "code": 401, "title":
"Unauthorized"}}

(note 111's to scrub data, not natural)

Which may be a configuration issue on our side, or might be a result of
throwing the latest core.py from LDAP on top of an older baseline.
Our keystone said it was 0.9.0 I believe.

I got the core.py from here:
https://github.com/openstack/keystone
(Is that Juno release code?)

The Icehouse system would bomb on the LDAP auth part after doing a long
sequence of:

ldap_get_values_len
ldap_next_attribute

whereas the working Havana system would follow that up with a new LDAP
query (most likely going after groups or other attributes) whereas the
non-working Icehouse I assume quits as password doesn't pass.

I'm guessing (but am not sure) that the repeating calls are it comparing
the password character by character or something? Not sure.
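
The three stages quoted at the top of this message, modelled as an added example (not part of the original post and not Keystone's code) against a constructed in-memory directory. All DNs, passwords, ids and function names are hypothetical; the point is that a rejected bind and a missing role assignment fail at different stages, so the error text tells you which one to look at.

```python
# Constructed stand-in data: every DN, password, id and role here is hypothetical.
DIRECTORY = {
    "cn=svc-keystone,dc=example,dc=org": {"password": "svc-secret"},
    "cn=alice,dc=example,dc=org": {"password": "alice-pw", "id": "alice", "name": "Alice"},
    "cn=bob,dc=example,dc=org": {"password": "bob-pw", "id": "bob", "name": "Bob"},
}
SERVICE_DN, SERVICE_PW = "cn=svc-keystone,dc=example,dc=org", "svc-secret"
ROLE_ASSIGNMENTS = {("alice", "project-a"): ["_member_"]}  # bob has no roles


class AuthFailure(Exception):
    def __init__(self, stage, message):
        super().__init__(message)
        self.stage = stage


def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind; an empty password never authenticates."""
    entry = DIRECTORY.get(dn)
    return entry is not None and bool(password) and entry["password"] == password


def authenticate(user_dn, password, project_id=None):
    # Step 1: authentication is a simple bind as the end user.
    if not simple_bind(user_dn, password):
        raise AuthFailure("bind", "Invalid user / password")
    # Step 2: user data is read with the system LDAP user's bind, not the end user's.
    if not simple_bind(SERVICE_DN, SERVICE_PW):
        raise AuthFailure("lookup", "System LDAP user could not bind")
    entry = DIRECTORY[user_dn]
    user = {"id": entry["id"], "name": entry["name"]}
    # Step 3: roles are only checked when a project-scoped token is requested.
    if project_id is None:
        return {"user": user, "project": None, "roles": []}
    roles = ROLE_ASSIGNMENTS.get((user["id"], project_id), [])
    if not roles:
        raise AuthFailure("roles", "User %s is unauthorized for tenant %s"
                          % (user["name"], project_id))
    return {"user": user, "project": project_id, "roles": roles}


def failing_stage(user_dn, password, project_id=None):
    """Return the stage that rejected the request, or None if a token would be issued."""
    try:
        authenticate(user_dn, password, project_id)
        return None
    except AuthFailure as exc:
        return exc.stage
```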