1. For example, to list users:
ldapsearch -x -D cn='service-account,dc=example,dc=net' '(&(objectClass=person)(cn=*))' -W

2. admin_token is not commented out; it has a hash value, so doing

curl -v -s -H "X-Auth-Token: <MY HASH>" http://192.168.0.2:5000/v3/users

< HTTP/1.1 401 Unauthorized

In the keystone logs:
2016-08-02 16:26:56.559 5368 INFO keystone.common.wsgi [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] GET http://192.168.0.2:5000/v3/users
2016-08-02 16:26:56.560 5368 WARNING keystone.common.controller [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] RBAC: Bypassing authorization
2016-08-02 16:26:56.561 5368 WARNING keystone.common.utils [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] Couldn't find the auth context.
2016-08-02 16:26:56.562 5368 WARNING keystone.common.wsgi [req-27e218af-921d-46dd-9432-e871a35d5908 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.0.2

I don’t see any ldap in syslog.

Sean
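
Added example, not part of the original message and not keystone's own code: a Python sketch that groups keystone log lines like the ones above by request id and reports whether each request logged "RBAC: Bypassing authorization" and whether it ended in "Authorization failed". The sample input is constructed from the log lines in the message; the function and field names are hypothetical, and treating the bypass warning as the marker of an admin_token request is an assumption.

```python
import re
from collections import OrderedDict

# Constructed sample: the wrapped log lines from the message, rejoined.
REQ = "req-27e218af-921d-46dd-9432-e871a35d5908"
SAMPLE_LOG = "\n".join([
    "2016-08-02 16:26:56.559 5368 INFO keystone.common.wsgi [%s - - - - -] "
    "GET http://192.168.0.2:5000/v3/users" % REQ,
    "2016-08-02 16:26:56.560 5368 WARNING keystone.common.controller [%s - - - - -] "
    "RBAC: Bypassing authorization" % REQ,
    "2016-08-02 16:26:56.561 5368 WARNING keystone.common.utils [%s - - - - -] "
    "Couldn't find the auth context." % REQ,
    "2016-08-02 16:26:56.562 5368 WARNING keystone.common.wsgi [%s - - - - -] "
    "Authorization failed. The request you have made requires authentication. "
    "from 192.168.0.2" % REQ,
])

# timestamp, pid, level, logger, [req-id user/project fields], message
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ \d+ (?P<level>[A-Z]+) "
    r"(?P<logger>\S+) \[(?P<req>req-[0-9a-f-]+)[^\]]*\] (?P<msg>.*)$"
)

def summarize(log_text):
    """Group log lines by request id (hypothetical helper)."""
    requests = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        entry = requests.setdefault(m["req"], {
            "request": None, "admin_bypass": False,
            "auth_failed": False, "source": None, "warnings": []})
        msg = m["msg"]
        if re.match(r"(GET|POST|PUT|PATCH|DELETE|HEAD) \S+", msg):
            entry["request"] = msg
        if m["level"] == "WARNING":
            entry["warnings"].append("%s: %s" % (m["logger"], msg))
        if "RBAC: Bypassing authorization" in msg:
            entry["admin_bypass"] = True  # assumption: admin_token path
        if msg.startswith("Authorization failed"):
            entry["auth_failed"] = True
            src = re.search(r" from (\S+)$", msg)
            entry["source"] = src.group(1) if src else None
    return requests

if __name__ == "__main__":
    for req_id, entry in summarize(SAMPLE_LOG).items():
        print(req_id, entry)
```

The log lines must be unwrapped (one record per line) before they are passed in; wrapped continuation lines are skipped.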


From: Kseniya Tychkova <ktychk...@mirantis.com>
Date: Tuesday 2 August 2016 at 16:46
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>, "Boran 
Sean, INI-INO-BX-IT" <sean.bo...@swisscom.com>
Subject: [Openstack] (keystone/horizon) ActiveDirectory/ldap for users/groups

Sean,
I would like to help you, but I need more information.
1. Could you please explain what your phrase means:
"On the command line with ldapsearch, users and groups can be listed (so the 
attributes configured should be ok?)"
2. Please try to use curl to debug:
 - uncomment "admin_token = ADMIN" in your /etc/keystone/keystone.conf and 
restart keystone
 - curl -s -H "X-Auth-Token: ADMIN" http://localhost:5000/v3/users
 - curl -s -H "X-Auth-Token: ADMIN" http://localhost:5000/v3/groups
3. If something is wrong, go to the keystone log; keystone logs ldap requests, so you 
can see them and verify them.



Kind regards, Kseniya
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack