On Mon, Aug 17, 2015 at 4:02 PM, Marc Pape <marc.p...@gmail.com> wrote: > the internal SQL . It would be great if the service users of OpenStack > are also stored in SQL, but they are also currently in the LDAP > deposited.
This is an use case for keystone domains (https://wiki.openstack.org/wiki/Domains) but when we tested it there were many things that didn't work properly. > After restarting the Keystone Service authentication via LDAP is > possible. The user get the message that no projects assigned to him. > Now there are wto problems. How can you log in as admin to assign > projects and keystone said that it couldn't find the service user like > ceilometer, neutron and so on. Assuming you have at least one user you will use as admin, you need to use the ADMIN_TOKEN and give to that user the "admin" role. Then, you can use that user to assign roles to the other users. For instance, openstack --os-token whatever --os-endpoint http://localhost:35357 role add --project foo --user your-admin-user admin At this point your-admin-user can use the standard environment variables/cli opitons (OS_AUTH_URL, OS_USERNAME etc) to give the admin role to the service accounts and standard roles to the users > I've followed the instructions on docs.openstack.org for Identity > management, but i didn't find any notices about that problems. That's because in the standard documentation it is assumed that you can create users, but you can't. There are however instructions on how to use the token and the endpoint to create the first admin user. In your case you don't create the user but just give him/her the "admin" role. .a. -- antonio.s.mess...@gmail.com antonio.mess...@uzh.ch +41 (0)44 635 42 22 S3IT: Service and Support for Science IT http://www.s3it.uzh.ch/ University of Zurich Winterthurerstrasse 190 CH-8057 Zurich Switzerland _______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators