[Openstack] (keystone/horizon) ActiveDirectory/ldap for users/groups

Sean.Boran at swisscom.com
Fri Aug 5 07:10:51 UTC 2016


By setting the following one can limit the number of users shown (see also https://bugs.launchpad.net/keystone/+bug/1501698 which shows the commit earlier this year to include that feature)

list_limit = 50

The efficiency of the query for getting users can be improved by the following (see http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx for very useful ldap queries for AD)

So now, when one goes to horizon/identity/domains/ in the browser and then selects “manage members” from the dropdown for the LDAP domain, a list of 50 users pops up (and there are no errors such as SIZELIMIT_EXCEEDED).

The problem: one can see 50 users and search for a user within that list, however one cannot search for other users ☹.
Domain Groups have the same limitation.
This looks like a limitation in Horizon; ah, found this bug report https://bugs.launchpad.net/horizon/+bug/1496045
To me it looks like support for LDAP paging needs to be added http://jeftek.com/219/avoid-changing-the-maxpagesize-ldap-query-policy ?

Any suggestions on a workaround?
- Is there a way on the command line or API, perhaps, to assign an individual user or group from LDAP to a group such as _member_?  i.e. without pulling down the complete list?

Regards, Sean.
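The LDAP paging Sean is asking for is the RFC 2696 simple paged results control; keystone already speaks it when `page_size` in the `[ldap]` section is set above 0 (the posted config has `page_size=0`, which disables it). Below is an added example, not code from this thread or from keystone, of that cookie loop written against python-ldap's real `search_ext`/`result3`/`SimplePagedResultsControl` API, with a constructed `FakeAD` stand-in and constructed sample entries so it runs offline; the base DN and filter are the ones in the log lines above, and the enabled check follows the `user_enabled_mask=2` semantics from the posted config.

```python
# Added example, not from the thread or keystone: the RFC 2696 paged-results loop
# keystone uses when [ldap] page_size > 0, so a large AD is read 50 entries per
# round trip instead of one search that trips SIZELIMIT_EXCEEDED (python-ldap API).
try:
    from ldap import SCOPE_SUBTREE
    from ldap.controls import SimplePagedResultsControl
except ImportError:                          # python-ldap not installed: stand-ins
    SCOPE_SUBTREE = 2
    class SimplePagedResultsControl:
        controlType = "1.2.840.113556.1.4.319"
        def __init__(self, criticality=False, size=10, cookie=""):
            self.size, self.cookie = size, cookie
BASE_DN = "dc=example,dc=net"                    # base and filter from the log above
USER_FILTER = "(&(objectClass=person)(cn=*))"
ATTRS = ["cn", "sAMAccountName", "userAccountControl"]
UAC_ACCOUNTDISABLE = 2                           # keystone's user_enabled_mask=2

class FakeAD:                                    # constructed: one page per result3()
    def __init__(self, entries):
        self.entries = entries
    def search_ext(self, base, scope, filterstr, attrlist, serverctrls=()):
        self._ctrl = serverctrls[0]              # the client's paging control
        return 1                                 # message id
    def result3(self, msgid):
        c, start = self._ctrl, int(self._ctrl.cookie or 0)
        page = self.entries[start:start + c.size]
        resp = SimplePagedResultsControl(True, c.size, "")
        if start + c.size < len(self.entries):   # more to come: hand back a cookie
            resp.cookie = str(start + c.size)
        return 101, page, msgid, [resp]

def paged_search(conn, page_size=50):
    """Yield (dn, attrs) for every matching user, page_size entries per round trip."""
    ctrl = SimplePagedResultsControl(True, size=page_size, cookie="")
    while True:
        msgid = conn.search_ext(BASE_DN, SCOPE_SUBTREE, USER_FILTER, ATTRS, serverctrls=[ctrl])
        _, data, _, sctrls = conn.result3(msgid)
        for dn, attrs in data:
            yield dn, attrs
        paged = [c for c in sctrls if c.controlType == ctrl.controlType]
        if not paged or not paged[0].cookie:     # empty cookie means last page
            return
        ctrl.cookie = paged[0].cookie            # resume where the server stopped

def is_enabled(attrs):                           # keystone user_enabled_mask semantics
    return not (int(attrs.get("userAccountControl", [b"512"])[0]) & UAC_ACCOUNTDISABLE)

def sample_directory(n=2345):                    # constructed; every 10th user disabled
    return [(f"cn=user{i},{BASE_DN}",
             {"userAccountControl": [b"514" if i % 10 == 0 else b"512"]})
            for i in range(n)]
```

Against a real server, replace `FakeAD(...)` with an `ldap.initialize(url)` connection after `simple_bind_s`; AD's MaxPageSize (1000 by default) only caps the page, not the total, so the loop walks the whole directory.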

On 02/08/16 18:20, "Boran Sean, INI-INO-SWD" <Sean.Boran at swisscom.com> wrote:


So I logged in as admin/default, then switched to the ldap domain (horizon/identity/domains/), added a role.
Next, I try to add a user to that role (/horizon/identity/users), but get “Unable to retrieve user list”.

In /var/log/user.log I see

LDAP bind: who=cn=bind-user,dc=example,dc=net
<14>Aug  2 16:12:45 node-16 admin: 2016-08-02 16:12:45.473 5366 INFO keystone.common.ldap.core [req-a18130f2-58e4-43e3-8cb2-aed4c112334b 8ce0f5b503914e08a8e4f24a1ebf83f8 7166483dcbc64ef79390795b9c425be5 - default default] LDAP search: base=dc=example,dc=net scope=2 filterstr=(&(objectClass=person)(cn=*)) attrs=['cn', 'userPassword', 'userAccountControl', 'sAMAccountName', 'mail', 'description'] attrsonly=0

2016-08-02 16:12:45.473 5366 INFO keystone.common.ldap.core [req-a18130f2-58e4-43e3-8cb2-aed4c112334b 8ce0f5b503914e08a8e4f24a1ebf83f8 7166483dcbc64ef79390795b9c425be5 - default default] LDAP search: base=dc=example,dc=net scope=2 filterstr=(&(objectClass=person)(cn=*)) attrs=['cn', 'userPassword', 'userAccountControl', 'sAMAccountName', 'mail', 'description'] attrsonly=0

If the ldap query “(&(objectClass=person)(cn=*))” is run through the CLI ldapsearch, it does return a long list of thousands of users.

Ah, just noticed /var/log/keystone/admin.log

2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi     result = func(*args,**kwargs)
2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi SIZELIMIT_EXCEEDED: {'desc': 'Size limit exceeded'}

I wonder if there is a way for the UI to only fetch the first 100 users, or not to fetch any list, but just one by one?



On 02/08/16 17:46, "Alexander Makarov" <amakarov at mirantis.com> wrote:


The problem may be in the following: in the Mitaka release keystone requires the user to have a role in the domain it is being authorized in. We ran into the problem when Horizon tried to authorize the user in the Default domain and got the same error.

On 02.08.2016 16:25, Sean.Boran at swisscom.com wrote:
> Hi,
> I’m having a bit of fun trying to use AD for identifying and authorising users on Openstack.
> The idea is to use AD for read-only access to users/group definitions, but all authorisation data to be stored in SQL.
> What works: Users can be authenticated (LDAP bind works, verification of the user), but not yet authorised – one gets "You are not authorized for any projects or domains" after authentication (integration of groups).
> On the command line with ldapsearch, users and groups can be listed (so the attributes configured should be ok?)
> Problems when testing with horizon:
> - Login via ldap fails on authorization
> - If logged in as admin in the default (sql) domain, the LDAP domain can be viewed at /horizon/identity/domains/ but users and groups cannot be managed “Unable to retrieve group list”, “Unable to retrieve user list”
> This may also be because the AD contains about 20’000 users (too much data for the user/group management screen).
> The /etc/keystone/domains/keystone.example.com is as follows.
> [ldap]
> user_enabled_attribute=userAccountControl
> query_scope=sub
> user_filter=
> group_allow_delete=False
> page_size=0
> use_tls=False
> password=NOT_HERE
> user_allow_update=False
> user_id_attribute=cn
> user_enabled_mask=2
> suffix= dc=example,dc=com
> user_enabled_default=512
> group_allow_update=False
> user_name_attribute=sAMAccountName
> chase_referrals=False
> group_allow_create=False
> user_allow_delete=False
> group_name_attribute=cn
> group_filter=
> group_member_attribute=member
> group_tree_dn=dc=example,dc=com
> group_objectclass = group
> group_desc_attribute=
> group_id_attribute=
> user_pass_attribute=userPassword
> user=cn=my-service-user
> user_allow_create=False
> user_tree_dn=dc=example,dc=com
> url=ldap://ldap.example.com
> user_objectclass=person
> [identity]
> driver=keystone.identity.backends.ldap.Identity
> Debugging for ldap was enabled to see the ldap binds/queries being sent out.
> Versions:
> keystone --version shows 2.3
> Mitaka (with initial install done by Fuel).
> Resources consulted so far:
> http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
> http://docs.openstack.org/admin-guide/keystone_integrate_with_ldap.html
> Book: openstack production recipes.
> Also: https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow but got confused there.
> Questions:
> - Are there any good resources out there for AD integration? E.g. How user/group/roles work within an ldap context?
> - Or tips on the above?
> - How can one assign users from LDAP to the _members_ or admin groups to get started?
> Thanks in advance,
> Sean
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack