[Openstack] (keystone/horizon) ActiveDirectory/ldap for users/groups

Sean.Boran at swisscom.com
Tue Aug 2 16:29:51 UTC 2016


1. For example, to list users:
ldapsearch -x -D cn='service-account,dc=example,dc=net' '(&(objectClass=person)(cn=*))'  -W

2. admin_token is not commented out; it has a hash value, so doing

curl -v -s -H "X-Auth-Token: <MY HASH>" http://192.168.0.2:5000/v3/users

< HTTP/1.1 401 Unauthorized

In the keystone logs:
2016-08-02 16:26:56.559 5368 INFO keystone.common.wsgi [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] GET http://192.168.0.2:5000/v3/users
2016-08-02 16:26:56.560 5368 WARNING keystone.common.controller [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] RBAC: Bypassing authorization
2016-08-02 16:26:56.561 5368 WARNING keystone.common.utils [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] Couldn't find the auth context.
2016-08-02 16:26:56.562 5368 WARNING keystone.common.wsgi [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.0.2

I don’t see any ldap in syslog.

Sean


From: Kseniya Tychkova <ktychkova at mirantis.com>
Date: Tuesday 2 August 2016 at 16:46
To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>, "Boran Sean, INI-INO-BX-IT" <Sean.Boran at swisscom.com>
Subject: [Openstack] (keystone/horizon) ActiveDirectory/ldap for users/groups

Sean,
I would like to help you, but I need more information.
1. Could you please explain what your phrase means:
"On the command line with ldapsearch, users and groups can be listed (so the attributes configured should be ok?)"
2. Please try to use curl to debug:
 - uncomment "admin_token = ADMIN" in your /etc/keystone/keystone.conf and restart keystone
 - curl -s -H "X-Auth-Token: ADMIN" http://localhost:5000/v3/users
 - curl -s -H "X-Auth-Token: ADMIN" http://localhost:5000/v3/groups
3. If something is wrong, go to the keystone log; keystone logs LDAP requests, so you can see them and verify them.



Kind regards, Kseniya
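
Added example, not part of the original thread: every keystone log line quoted above carries the same req-... id, so one request can be read as a unit. This Python script groups log lines by request id and reports the HTTP call, whether it was rejected, and whether any line mentions LDAP. The regex is fitted to the four quoted lines, and the "ldap" substring test is an assumption about how LDAP activity appears in the log.

```python
import re

# Layout of the keystone log lines quoted in the thread:
# <date> <time> <pid> <LEVEL> <logger> [req-<uuid> - - - - -] <message>
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) '
    r'(?P<level>[A-Z]+) (?P<logger>\S+) '
    r'\[(?P<req>req-[0-9a-f-]{36})[^\]]*\] (?P<msg>.*)$')

# Sample input: the four log lines from the message above.
SAMPLE = """\
2016-08-02 16:26:56.559 5368 INFO keystone.common.wsgi [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] GET http://192.168.0.2:5000/v3/users
2016-08-02 16:26:56.560 5368 WARNING keystone.common.controller [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] RBAC: Bypassing authorization
2016-08-02 16:26:56.561 5368 WARNING keystone.common.utils [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] Couldn't find the auth context.
2016-08-02 16:26:56.562 5368 WARNING keystone.common.wsgi [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.0.2
"""


def group_by_request(text):
    """Return {request_id: [(level, logger, message), ...]} in log order."""
    requests = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # tracebacks, continuation lines, lines without a request id
        requests.setdefault(m['req'], []).append(
            (m['level'], m['logger'], m['msg']))
    return requests


def summarize(events):
    """Condense one request's events into the facts needed for triage."""
    return {
        # In the quoted excerpt the first INFO line from the WSGI layer is the HTTP call.
        'call': next((msg for lvl, lg, msg in events
                      if lvl == 'INFO' and lg == 'keystone.common.wsgi'), None),
        'auth_failed': any(msg.startswith('Authorization failed')
                           for _, _, msg in events),
        # Assumption: LDAP activity has "ldap" in the logger name or message.
        'ldap_lines': [msg for _, lg, msg in events
                       if 'ldap' in (lg + ' ' + msg).lower()],
        'warnings': [msg for lvl, _, msg in events
                     if lvl in ('WARNING', 'ERROR', 'CRITICAL')],
    }


if __name__ == '__main__':
    for req_id, events in group_by_request(SAMPLE).items():
        print(req_id, summarize(events))
```

For the quoted excerpt the summary shows a rejected GET on /v3/users with three warnings and no LDAP lines for that request id.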