Sean,

the problem may be in the following: in the Mitaka release keystone requires the user to have a role in the domain it is being authorized in. We ran into the problem when Horizon tried to authorize a user in the Default domain and got the same error.


On 02.08.2016 16:25, sean.bo...@swisscom.com wrote:
Hi,

I’m having a bit of fun trying to use AD for identifying and authorising users on 
OpenStack.
The idea is to use AD for read-only access to user/group definitions, but all 
authorisation data is to be stored in SQL.

What works: Users can be authenticated (LDAP bind works, verification of the user), but 
not yet authorised – one gets "You are not authorized for any projects or 
domains" after authentication (integration of groups).
On the command line with ldapsearch, users and groups can be listed (so the 
attributes configured should be ok?)

Problems when testing with horizon:
- Login via ldap fails on authorization
- If logged in as admin in the default (SQL) domain, the LDAP domain can be 
viewed at /horizon/identity/domains/ but users and groups cannot be managed: 
“Unable to retrieve group list”, “Unable to retrieve user list”.
This may also be since the AD contains about 20’000 users (too much data for 
the user/group management screen)

The /etc/keystone/domains/keystone.example.com is as follows.

[ldap]
user_enabled_attribute=userAccountControl
query_scope=sub
user_filter=
group_allow_delete=False
page_size=0
use_tls=False
password=NOT_HERE
user_allow_update=False
user_id_attribute=cn
user_enabled_mask=2
suffix=dc=example,dc=com
user_enabled_default=512
group_allow_update=False
user_name_attribute=sAMAccountName
chase_referrals=False
group_allow_create=False
user_allow_delete=False

group_name_attribute=cn
group_filter=
group_member_attribute=member
group_tree_dn=dc=example,dc=com
group_objectclass=group
group_desc_attribute=
group_id_attribute=

user_pass_attribute=userPassword
user=cn=my-service-user
user_allow_create=False
user_tree_dn=dc=example,dc=com
url=ldap://ldap.example.com
user_objectclass=person

[identity]
driver=keystone.identity.backends.ldap.Identity

Debugging for LDAP was enabled to see the LDAP binds/queries being sent out.

Versions:
keystone --version shows 2.3
Mitaka (with initial install done by Fuel).

Resources consulted so far:
http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
http://docs.openstack.org/admin-guide/keystone_integrate_with_ldap.html
Book: OpenStack production recipes.
Also: https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow but got confused 
there.

Questions:
- Are there any good resources out there for AD integration? E.g. how do 
user/group/roles work within an LDAP context?
- Or tips on the above?
- How can one assign users from LDAP to the _members_ or admin groups to get 
started?

Thanks in advance,

Sean

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


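One part of the [ldap] section above that is easy to get wrong is the user_enabled_mask / user_enabled_default pair. The following is an added example for this thread (not keystone's own code and not from either mail): a stand-alone Python model of how a bitmask-style userAccountControl value is reduced to an enabled flag, run over constructed AD-like entries. It assumes the evaluation rule that an account counts as enabled unless every bit of the mask is set, with user_enabled_default substituted when the attribute is absent from the entry.

```python
# Added example for this thread (not keystone's own code): a stand-alone model
# of how a bitmask-style "enabled" attribute is evaluated under the [ldap]
# settings quoted above. Assumed rule: an account is enabled unless every bit
# of user_enabled_mask is set; user_enabled_default is used when the
# attribute is missing from the entry.
from typing import Dict, List, Mapping

# Values taken from the thread's [ldap] section.
USER_ENABLED_ATTRIBUTE = "userAccountControl"
USER_ENABLED_MASK = 2        # ACCOUNTDISABLE bit
USER_ENABLED_DEFAULT = 512   # NORMAL_ACCOUNT bit

# Documented Active Directory userAccountControl flags (subset).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWD": 0x10000,
}


def is_enabled(entry: Mapping[str, str], mask: int = USER_ENABLED_MASK,
               default: int = USER_ENABLED_DEFAULT) -> bool:
    """True unless all bits in `mask` are set in the entry's enabled attribute."""
    raw = entry.get(USER_ENABLED_ATTRIBUTE)
    value = int(raw) if raw is not None else default
    return (value & mask) != mask


def decode_flags(entry: Mapping[str, str]) -> List[str]:
    """Names of the known UAC flags set on the entry, for troubleshooting."""
    value = int(entry.get(USER_ENABLED_ATTRIBUTE, USER_ENABLED_DEFAULT))
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def audit(entries: Mapping[str, Mapping[str, str]]) -> Dict[str, bool]:
    """Map each sAMAccountName to the enabled state derived from the mask."""
    return {name: is_enabled(entry) for name, entry in entries.items()}


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = {
    "alice": {"userAccountControl": "512"},     # normal account, enabled
    "bob": {"userAccountControl": "514"},       # 512 | 2 -> disabled
    "carol": {"userAccountControl": "66048"},   # 512 | 0x10000, still enabled
    "dave": {"userAccountControl": "66050"},    # 66048 | 2 -> disabled
    "erin": {},                                 # attribute absent -> default 512
}

if __name__ == "__main__":
    for name, enabled in audit(SAMPLE_ENTRIES).items():
        print(f"{name:6} enabled={enabled} flags={decode_flags(SAMPLE_ENTRIES[name])}")
```

With mask=2 only the ACCOUNTDISABLE bit is consulted, so a locked-out or password-expired account still reads as enabled here; for password authentication it is the LDAP bind itself that rejects such an account.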