[Openstack] (keystone/horizon) ActiveDirectory/ldap for users/groups
amakarov at mirantis.com
Tue Aug 2 15:46:31 UTC 2016
The problem may be the following: in the Mitaka release, keystone requires
the user to have a role in the domain it is being authorized in. We ran into
this problem when Horizon tried to authorize a user in the Default domain and got
the same error.
On 02.08.2016 16:25, Sean.Boran at swisscom.com wrote:
> I'm having a bit of fun trying to use AD for identifying and authorising users on OpenStack.
> The idea is to use AD for read-only access to users/group definitions, but all authorisation data to be stored in SQL.
> What works: Users can be authenticated (LDAP bind works, verification of the user), but not yet authorised – one gets "You are not authorized for any projects or domains" after authentication (integration of groups).
> On the command line with ldapsearch, users and groups can be listed (so the attributes configured should be ok?)
> Problems when testing with horizon:
> - Login via ldap fails on authorization
> - If logged in as admin in the default (sql) domain, the LDAP domain can be viewed at /horizon/identity/domains/ but users and groups cannot be managed “Unable to retrieve group list”, “Unable to retrieve user list”
> This may also be because the AD contains about 20'000 users (too much data for the user/group management screen).
> The /etc/keystone/domains/keystone.example.com file is as follows:
> suffix = dc=example,dc=com
> group_objectclass = group
> Debugging for ldap was enabled to see the ldap bins/queries being sent out.
> keystone --version shows 2.3
> Mitaka (with initial install done by Fuel).
> Resources consulted so far:
> Book: OpenStack production recipes.
> Also: https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow but got confused there.
> - Are there any good resources out there for AD integration? E.g. How user/group/roles work within an ldap context?
> - Or tips on the above?
> - How can one assign users from LDAP to the _members_ or admin groups to get started?
> Thanks in advance,
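As an added example (not code from either post), here is a Mitaka domain-specific keystone config that reads users and groups from AD read-only while keeping assignments in SQL, followed by the role grants that address both the "no role in the domain" failure described in the reply and the question in the quoted message about assigning LDAP users to the _member_/admin roles. The domain name example.com (assumed to already exist in keystone's SQL backend), the AD host, OUs, the svc-keystone bind account, the openstack-users group, the demo project and the _member_ role are all assumed placeholders.

```shell
# Added example, not from the thread. Domain "example.com", AD host/OUs, the svc-keystone
# bind account, the openstack-users group and the _member_ role are assumed placeholders.
set -eu
DOMAIN="${DOMAIN:-example.com}"
# keystone loads only files named keystone.<domain_name>.conf from domain_config_dir.
write_domain_config() {
  mkdir -p "$1"
  f="$1/keystone.${DOMAIN}.conf"
  cat > "$f" <<'EOF'
[identity]
driver = ldap
[ldap]
# Dedicated read-only bind account over LDAPS; keystone never writes back to AD.
url = ldaps://ad.example.com
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
password = REPLACE_ME
query_scope = sub
# AD refuses unpaged result sets above MaxPageSize; paging makes ~20k users listable.
page_size = 1000
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
# Expose only one AD group's members to keystone, not the whole directory.
user_filter = (memberOf=CN=openstack-users,OU=Groups,DC=example,DC=com)
group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_name_attribute = cn
group_member_attribute = member
user_allow_create = false
user_allow_update = false
user_allow_delete = false
group_allow_create = false
group_allow_update = false
group_allow_delete = false
EOF
  chmod 0600 "$f"   # the file holds the bind password
  printf '%s\n' "$f"
}
# Roles stay in SQL. Mitaka Horizon logs a user in only if they hold a role in the
# domain itself, so grant the AD group a role on the domain as well as on a project.
grant_group_roles() {   # args: group project role; needs an admin-scoped OS_* environment
  openstack role add --group "$1" --group-domain "$DOMAIN" --domain "$DOMAIN" "$3"
  openstack role add --group "$1" --group-domain "$DOMAIN" \
    --project "$2" --project-domain "$DOMAIN" "$3"
}
if [ "${1:-}" = "apply" ]; then
  write_domain_config /etc/keystone/domains   # then restart keystone (Apache wsgi in Mitaka)
  grant_group_roles openstack-users demo _member_
fi
```

Run it with `apply` as the first argument on the controller; without arguments it only defines the two functions, so the config can be generated into a scratch directory and inspected first.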