Re: [Openstack] Bug when add compute node

2014-05-02 Thread George Shuklin
You've got a broken openvswitch. That usually happens if the kernel module
doesn't match the userspace version. Check whether you have the proper kernel
version, or reinstall OVS, or roll back to the previous version.
 On Apr 19, 2014 6:07 AM, "le cuon"  wrote:

> Hi All,
>
> I have one server running OpenStack. I set up all nodes the same as this
> server, and when I add one compute node, afterwards it has this bug:
>
> 2014-04-18 16:30:01.582 2737 ERROR neutron.agent.linux.ovs_lib [-] Unable
> to execute ['ovs-ofctl', 'add-flow', 'br-tun',
> 'hard_timeout=0,idle_timeout=0,priority=1,in_port=-1,actions=resubmit(,2)'].
> Exception:
> Command: ['sudo', '/usr/bin/neutron-rootwrap',
> '/etc/neutron/rootwrap.conf', 'ovs-ofctl', 'add-flow', 'br-tun',
> 'hard_timeout=0,idle_timeout=0,priority=1,in_port=-1,actions=resubmit(,2)']
> Exit code: 1
> Stdout: ''
> Stderr: 'ovs-ofctl: -1: negative values not supported for in_port\n'
>
> I do not know how to fix it.
> Please help me.
> Thanks
>
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
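
The failing flow above carries in_port=-1. That value is what `ovs-vsctl get Interface <name> ofport` reports for a port the datapath never actually created (a broken kernel-module/userspace pairing is the usual reason), and the Neutron agent pasted it straight into the br-tun flow. The following is an added example, not code from the thread or from Neutron or Open vSwitch, showing the two checks a practitioner would run before composing such a flow: compare the OVS userspace version with the out-of-tree module's version, and refuse to build a flow from an ofport that is not a positive integer. The command outputs embedded below are constructed stand-ins; `run_cmd` is a helper for a live host and is not invoked by default.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample outputs standing in for the real commands on a host.
SAMPLE_OVS_VSCTL_VERSION = "ovs-vsctl (Open vSwitch) 2.0.1\nCompiled Apr  3 2014 13:20:45\n"
SAMPLE_MODINFO_VERSION = "1.10.2\n"          # `modinfo -F version openvswitch`
SAMPLE_OFPORT_BROKEN = "-1\n"               # `ovs-vsctl get Interface patch-tun ofport`
SAMPLE_OFPORT_OK = "2\n"


def parse_userspace_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from `ovs-vsctl --version` output."""
    m = re.search(r"\(Open vSwitch\)\s+(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_module_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from `modinfo -F version openvswitch` output."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def versions_match(userspace: str, module: str) -> Optional[bool]:
    """True/False when both versions are known; None when the module reports no
    version (an in-tree kernel module prints nothing for `modinfo -F version`,
    so this comparison only applies to the out-of-tree module)."""
    u, k = parse_userspace_version(userspace), parse_module_version(module)
    if u is None or k is None:
        return None
    return u == k


def parse_ofport(text: str) -> Optional[int]:
    """Return the ofport as an int, or None when OVS reports it unassigned (-1)
    or returns something that is not a number at all (e.g. '[]')."""
    text = text.strip()
    if not re.fullmatch(r"-?\d+", text):
        return None
    port = int(text)
    return port if port > 0 else None


def build_resubmit_flow(ofport_text: str, table: int = 2, priority: int = 1) -> str:
    """Compose the same br-tun flow the agent attempted, but only from a valid ofport."""
    port = parse_ofport(ofport_text)
    if port is None:
        raise ValueError(
            "patch port has no OpenFlow port number (ofport=%r); the OVS datapath "
            "is not creating ports, check kernel module vs userspace" % ofport_text.strip())
    return ("hard_timeout=0,idle_timeout=0,priority=%d,in_port=%d,actions=resubmit(,%d)"
            % (priority, port, table))


def run_cmd(argv) -> str:
    """Helper for a live host; returns stdout, or '' when the tool is absent."""
    try:
        return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    print("versions match:", versions_match(SAMPLE_OVS_VSCTL_VERSION, SAMPLE_MODINFO_VERSION))
    for sample in (SAMPLE_OFPORT_OK, SAMPLE_OFPORT_BROKEN):
        try:
            print(build_resubmit_flow(sample))
        except ValueError as exc:
            print("refusing to add flow:", exc)
```

On a real host replace the sample strings with `run_cmd(["ovs-vsctl", "--version"])`, `run_cmd(["modinfo", "-F", "version", "openvswitch"])` and `run_cmd(["ovs-vsctl", "get", "Interface", "patch-tun", "ofport"])`; a `None` from `parse_ofport` is the condition that produced the error in the original post.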


[Openstack] Cinder-volume service not registering in database

2014-05-02 Thread Scott Devoid
Hi all,

I am having trouble deploying a second cinder-volume service on our Havana
system (2013.2.3).
$ cinder service-list
+------------------+--------+------+---------+-------+------------------------+
|      Binary      |  Host  | Zone |  Status | State |       Updated_at       |
+------------------+--------+------+---------+-------+------------------------+
| cinder-scheduler | u10-p  | nova | enabled |  down | 2014-05-02T23:33:17.00 |
| cinder-scheduler | u11-p  | nova | enabled |   up  | 2014-05-02T23:55:12.00 |
|  cinder-volume   | v1-p   | nova | enabled |   up  | 2014-05-02T23:55:19.00 |
+------------------+--------+------+---------+-------+------------------------+

New volume server is on v2-p. After configuring, I start up cinder-volume
and get this output from the logs http://paste.openstack.org/show/78467/

On the AMQP server "internal-rabbit" I see that the service creates some
queues:
$ rabbitmqctl list_queues -p /havana_h1 | grep cinder
cinder-scheduler:u11-p                                   0
cinder-volume_fanout_9a146f9bf00a6b2898f3bd3abbc520f6    0
cinder-volume:v2-p                                       0
cinder-scheduler:u10-p                                   0
cinder-scheduler                                         0
cinder-volume:v1-p                                       0
cinder-scheduler_fanout_ff6e60da1fe54ebc99a9c0af3f5e977a 0

However, the service does not appear in the database "services" table. I've
tested my MySQL and Keystone credentials and I am able to query both from
v2-p.

I am not sure how to debug it from here. I've turned on SQL's
"connection_debug=100" and turned on debugging and verbose logging. No
errors or messages that indicate the problem. :-/

Thanks for the help!
~ Scott


[Openstack] Horizon stats wrong?

2014-05-02 Thread Erich Weiler
Hi Folks,

I'm noticing this odd inconsistency in Horizon, when logged in as admin.  Under 
the "Hypervisor Summary" tab, it tends to show that resources are being used 
when in fact they are not.  Like, it will say 2 instances are on a node when 
there are in fact none.  

If I click on the node itself, it shows me the correct stats.

Anyone seen this before?  Or know where the "Hypervisor Summary" information is 
coming from?

This is icehouse release.

Thanks for any hints!

-erich





[Openstack] [Marconi] Guidelines for deployment

2014-05-02 Thread João Faria
Hello,

I have searched a bit on the mailing list and on the web at large but I
haven't really found what I'm looking for. Does anyone have experience with
deploying Marconi on production environments, on top of OpenStack resources
(i.e. Nova instances, possibly deployed using Heat templates)?
What I have been trying to do is to come up with a template that will
deploy MongoDB replica-sets and Marconi webservers behind a load-balancer,
while automating scaling under load as well as recovery steps in case of
failure. I have looked into HARestarter, AutoScaling and such, but haven't
really found a way to make it all work out.
Thank you for any info you may have!

/João


[Openstack] question about neutron and floating IP with vlan tagging

2014-05-02 Thread Francesco Allertsen
Hello everyone,

I set up my first OpenStack infrastructure with packstack (answer file
attached), and after some configuration testing everything was working
great, with 3 compute nodes.

After that I needed to change the network configuration of both the
internal and external network cards using VLAN tagging (as shown in the
attached ifcfg-eth0, ifcfg-br-ex and ifcfg-br-ex.5) because we had this
configuration previously on the switch.

Once I changed the configuration, I changed the answer file accordingly,
and the network within the instances works great (ping, ssh etc), but
when I assign a public floating IP to one of the instances, which was
working previously, it is not working anymore now.  I tried many different
configurations, but couldn't manage to find the right one, so I decided
to ask here for help.

Attached you can find my latest answer file for packstack, the ifcfg
files for eth0 and br-ex, and my ifconfig output. My public IP has been
obfuscated, but that should not be the problem.

Hope you can help me figure out this networking problem.  If you need
more logging or information please just let me know.

Thanks,
Francesco
[general]

# Path to a Public key to install on servers. If a usable key has not
# been installed on the remote servers the user will be prompted for a
# password and this key will be installed so the password will not be
# required again
CONFIG_SSH_KEY=

# Set to 'y' if you would like Packstack to install MySQL
CONFIG_MYSQL_INSTALL=y

# Set to 'y' if you would like Packstack to install OpenStack Image
# Service (Glance)
CONFIG_GLANCE_INSTALL=y

# Set to 'y' if you would like Packstack to install OpenStack Block
# Storage (Cinder)
CONFIG_CINDER_INSTALL=y

# Set to 'y' if you would like Packstack to install OpenStack Compute
# (Nova)
CONFIG_NOVA_INSTALL=y

# Set to 'y' if you would like Packstack to install OpenStack
# Networking (Neutron)
CONFIG_NEUTRON_INSTALL=y

# Set to 'y' if you would like Packstack to install OpenStack
# Dashboard (Horizon)
CONFIG_HORIZON_INSTALL=y

# Set to 'y' if you would like Packstack to install OpenStack Object
# Storage (Swift)
CONFIG_SWIFT_INSTALL=y

# Set to 'y' if you would like Packstack to install OpenStack
# Metering (Ceilometer)
CONFIG_CEILOMETER_INSTALL=y

# Set to 'y' if you would like Packstack to install OpenStack
# Orchestration (Heat)
CONFIG_HEAT_INSTALL=n

# Set to 'y' if you would like Packstack to install the OpenStack
# Client packages. An admin "rc" file will also be installed
CONFIG_CLIENT_INSTALL=y

# Comma separated list of NTP servers. Leave plain if Packstack
# should not install ntpd on instances.
CONFIG_NTP_SERVERS=pool.ntp.org

# Set to 'y' if you would like Packstack to install Nagios to monitor
# OpenStack hosts
CONFIG_NAGIOS_INSTALL=y

# Comma separated list of servers to be excluded from installation in
# case you are running Packstack the second time with the same answer
# file and don't want Packstack to touch these servers. Leave plain if
# you don't need to exclude any server.
EXCLUDE_SERVERS=

# Set to 'y' if you want to run OpenStack services in debug mode.
# Otherwise set to 'n'.
CONFIG_DEBUG_MODE=n

# Set to 'y' if you want to use VMware vCenter as hypervisor and
# storage. Otherwise set to 'n'.
CONFIG_VMWARE_BACKEND=n

# The IP address of the server on which to install MySQL
CONFIG_MYSQL_HOST=192.168.122.1

# Username for the MySQL admin user
CONFIG_MYSQL_USER=root

# Password for the MySQL admin user
CONFIG_MYSQL_PW=28ce1b09d4674a0a

# The IP address of the server on which to install the QPID service
CONFIG_QPID_HOST=192.168.122.1

# Enable SSL for the QPID service
CONFIG_QPID_ENABLE_SSL=n

# Enable Authentication for the QPID service
CONFIG_QPID_ENABLE_AUTH=n

# The password for the NSS certificate database of the QPID service
CONFIG_QPID_NSS_CERTDB_PW=a7880057878a4419a97bd1b2172523fd

# The port in which the QPID service listens to SSL connections
CONFIG_QPID_SSL_PORT=5671

# The filename of the certificate that the QPID service is going to
# use
CONFIG_QPID_SSL_CERT_FILE=/etc/pki/tls/certs/qpid_selfcert.pem

# The filename of the private key that the QPID service is going to
# use
CONFIG_QPID_SSL_KEY_FILE=/etc/pki/tls/private/qpid_selfkey.pem

# Auto Generates self signed SSL certificate and key
CONFIG_QPID_SSL_SELF_SIGNED=y

# User for qpid authentication
CONFIG_QPID_AUTH_USER=qpid_user

# Password for user authentication
CONFIG_QPID_AUTH_PASSWORD=8900ddd5687c4ec8

# The IP address of the server on which to install Keystone
CONFIG_KEYSTONE_HOST=192.168.122.1

# The password to use for the Keystone to access DB
CONFIG_KEYSTONE_DB_PW=041c5050454547e7

# The token to use for the Keystone service api
CONFIG_KEYSTONE_ADMIN_TOKEN=77a75464d0bd465990deb0e5eb05264c

# The password to use for the Keystone admin user
CONFIG_KEYSTONE_ADMIN_PW=303b874987e6454a

# The password to use for the Keystone demo user
CONFIG_KEYSTONE_DEMO_PW=79183c7155864604

# Keystone token format. Use either UUID or PKI
CONFIG_KEYSTONE_TOKEN_F
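
The answer file quoted above carries the MySQL root password, the Keystone admin token and the admin/demo passwords in clear text. Packstack writes them into the file by design, so the file must be scrubbed before it goes to a mailing list or a bug tracker. The following is an added example, not part of the original post and not a packstack tool, that redacts the value of every key whose name ends in a credential-like suffix while leaving everything else (including the networking settings people actually need to see) intact, and reports which keys it touched so the poster can double-check. The suffix list is an assumption fitted to this file's naming scheme; the sample file below is constructed and its values are fake.

```python
import re
from typing import Iterable, List, Tuple

# Assumption: these suffixes cover the secret-bearing keys in a packstack answer
# file of this vintage. Extend the tuple for other generators; note that *_FILE
# keys hold paths, not key material, and are deliberately left alone.
SECRET_SUFFIXES = ("_PW", "_PASSWORD", "_TOKEN", "_SECRET")

_KV_RE = re.compile(r"^(?P<key>[A-Z][A-Z0-9_]*)=(?P<value>.*)$")


def is_secret_key(key: str) -> bool:
    return any(key.endswith(suffix) for suffix in SECRET_SUFFIXES)


def redact_line(line: str) -> Tuple[str, bool]:
    """Return (possibly redacted line, whether it was redacted).

    Comments, blank lines, section headers, non-secret keys and secret keys
    with an empty value pass through unchanged; the line ending is preserved."""
    stripped = line.rstrip("\n")
    m = _KV_RE.match(stripped)
    if not m or not is_secret_key(m.group("key")) or m.group("value") == "":
        return line, False
    return "%s=<REDACTED>%s" % (m.group("key"), line[len(stripped):]), True


def redact_answer_file(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Redact an answer file given as lines; also return the keys that were
    redacted so the poster can confirm nothing slipped through."""
    out: List[str] = []
    redacted_keys: List[str] = []
    for line in lines:
        new, hit = redact_line(line)
        out.append(new)
        if hit:
            redacted_keys.append(new.split("=", 1)[0])
    return out, redacted_keys


# Constructed sample in the same format as the quoted file (values are fake).
SAMPLE_ANSWER_FILE = """[general]
# Set to 'y' if you would like Packstack to install MySQL
CONFIG_MYSQL_INSTALL=y
CONFIG_MYSQL_HOST=192.168.122.1
CONFIG_MYSQL_USER=root
CONFIG_MYSQL_PW=deadbeefdeadbeef
CONFIG_QPID_NSS_CERTDB_PW=0123456789abcdef
CONFIG_QPID_SSL_KEY_FILE=/etc/pki/tls/private/qpid_selfkey.pem
CONFIG_QPID_AUTH_PASSWORD=cafebabecafebabe
CONFIG_KEYSTONE_ADMIN_TOKEN=00112233445566778899aabbccddeeff
CONFIG_KEYSTONE_ADMIN_PW=
CONFIG_SSH_KEY=
"""

if __name__ == "__main__":
    cleaned, keys = redact_answer_file(SAMPLE_ANSWER_FILE.splitlines(keepends=True))
    print("".join(cleaned))
    print("redacted:", ", ".join(keys))
```

For a real file, feed `open("packstack-answers.txt")` to `redact_answer_file` and write the returned lines to a new file; treat the secrets already posted as compromised and rotate them, since redaction after the fact does not un-publish them.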

[Openstack] Glance - and the use of the "project_id:%(project_id)" rule

2014-05-02 Thread Michael Hearn
Having played with the policies and rules within Glance's policy.json file,
I have not had any success using the rule "project_id:%(project_id)" to
restrict API usage.
Without changing user/role/tenant I have had success using
"project_id:%(project_id)" with Cinder.
I cannot find anything to suggest Glance's policy engine cannot parse the
rule but would like confirmation.
Can anyone verify this?

This is using icehouse, glance 0.12.0

~Mike
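
A `project_id:%(project_id)s` rule in policy.json is a generic check: the engine takes the text after the colon, formats it with Python `%` substitution against the *target* dictionary the service passes in, and compares the result with the `project_id` entry of the *credentials* (the caller's context). The rule can therefore only pass when the service hands the engine a target that actually contains a `project_id` key; a target keyed differently (for instance a record whose owner field is named `owner`) makes the check fail, and a rule written without the trailing `s` is not a valid format string at all. The following is an added example, not Glance's, Cinder's or oslo's code, that reimplements that generic-check semantics in a few lines (an assumption about the engine's behaviour, modelled on the openstack.common policy module of that era rather than copied from it) so that a candidate rule can be tried against different target shapes before it goes into policy.json. The credentials and targets are constructed.

```python
from typing import Any, Dict


class PolicyCheckError(Exception):
    """Raised when a rule cannot be evaluated at all (malformed format, missing key)."""


def generic_check(rule: str, target: Dict[str, Any], creds: Dict[str, Any]) -> bool:
    """Evaluate a 'kind:match' generic rule: %-format `match` with the target,
    then compare the rendered string with creds[kind]. Anything that cannot be
    evaluated is surfaced as an error rather than silently allowed."""
    if ":" not in rule:
        raise PolicyCheckError("generic rule must look like kind:match, got %r" % rule)
    kind, match = rule.split(":", 1)
    try:
        rendered = match % target
    except KeyError as exc:
        # The target lacks the key named in the rule (e.g. it is keyed by 'owner').
        raise PolicyCheckError("target has no %s key for rule %r" % (exc, rule))
    except (ValueError, TypeError) as exc:
        # e.g. 'project_id:%(project_id)' without the trailing 's'.
        raise PolicyCheckError("rule %r is not a valid format string: %s" % (rule, exc))
    if kind not in creds:
        return False
    return rendered == str(creds[kind])


def try_rule(rule: str, target: Dict[str, Any], creds: Dict[str, Any]) -> str:
    """Human-readable outcome, convenient when probing a candidate policy.json rule."""
    try:
        return "allow" if generic_check(rule, target, creds) else "deny"
    except PolicyCheckError as exc:
        return "error: %s" % exc


# Constructed contexts: the caller's credentials and two target shapes.
CREDS = {"project_id": "tenant-a", "user_id": "alice", "roles": ["member"]}
TARGET_WITH_PROJECT = {"project_id": "tenant-a"}   # a target that carries project_id
TARGET_OWNER_ONLY = {"owner": "tenant-a"}          # a record keyed by 'owner' instead

if __name__ == "__main__":
    rules = ("project_id:%(project_id)s", "project_id:%(project_id)", "project_id:%(owner)s")
    for rule in rules:
        for name, target in (("with project_id", TARGET_WITH_PROJECT),
                             ("owner only", TARGET_OWNER_ONLY)):
            print("%-28s %-16s -> %s" % (rule, name, try_rule(rule, target, CREDS)))
```

The practical check this gives you: log (or inspect in a debugger) the target dict the service passes to its enforcer for the API call you want to restrict, then run the rule through `try_rule` with that shape; an `error` outcome means the rule can never pass as written for that call.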


Re: [Openstack] Keystone w/ LDAP identity

2014-05-02 Thread Jasper Capel
No, we didn’t do anything with custom drivers. We implemented the pipeline 
solution referred to in this document:

http://docs.openstack.org/developer/keystone/external-auth.html

Jasper

On 02 May 2014, at 15:00, Michael Hearn  wrote:

> Jasper
> Are you alluding to the hybrid drivers as discussed & avail via 
> http://www.mattfischer.com/blog/?tag=openstack-2
> 
> ~Mike.
> 
> On Thu, May 1, 2014 at 11:17 PM, Lillie Ross-CDSR11 
>  wrote:
> I’ve been playing with using LDAP authentication (identity) and SQL 
> authorization (assignment) within Keystone in the current devstack release 
> running in a single VM.
> 
> The problem with this setup, as I understand it, is the need to have LDAP 
> entries for each service user (i.e. nova, glance, etc.).  In our environment, 
> this isn’t possible as our corporate LDAP directory is solely for employee 
> records.  While I could work around this issue by running each service under 
> a known LDAP employee record - this seems rather a kludge to me.
> 
> My question is, and admittedly I’m not well versed in directory federation, 
> is this an issue that could be resolved once directory federation is stable 
> in the next OpenStack release? Where, for instance, all of the OpenStack 
> service accounts could remain in a separate directory service controlled 
> solely by the cloud owner/admin, while users could then be authenticated via 
> the corporate employee LDAP database?
> 
> We’d love to use LDAP to authenticate cloud users, but the need to also 
> authenticate OpenStack services against the same LDAP backend makes the use 
> of LDAP unviable in our environment.
> 
> This has probably been discussed previously, but any insight would be 
> helpful.  
> 
> Thanks and regards,
> Ross
> --
> Ross Lillie
> Distinguished Member of Technical Staff
> Motorola Solutions, Inc.
> 
> motorolasolutions.com
> O: +1.847.576.0012
> M: +1.847.980.2241
> E: ross.lil...@motorolasolutions.com


Re: [Openstack] Keystone w/ LDAP identity

2014-05-02 Thread Adam Young

So, here is the direction we are going:

Federation allows us to remove the need to have a backend LDAP driver at 
all.  Instead, we at Red Hat are planning on building solutions around 
using mod_identity_lookup and sssd.  The Keystone server machine will be 
configured with LDAP PAM and nsswitch modules that allow the basic 
native library calls to work for things like getpwnam etc.  The end 
effect will be that there are no users "in" the Keystone backend, merely 
the mappings from the environment variables REMOTE_USER and 
REMOTE_USER_GROUPS to userid/username and groupid.  I'm still in the 
proof of concept stage with this, but should have a workable solution 
midway through the Juno design cycle.


There are a couple features we need to make this a viable solution to 
your problem:


1.  The ability to scope the Federated mapping to the appropriate 
domain.  This requires a degree of "higher power" interaction so that 
domain admins cannot steal each other's data, especially userids.


2. The ability to pass groups directly through to the Keystone server 
from attributes.  The current implementation requires an explicit 
mapping from REMOTE_USER_GROUPS to a group as defined in the Identity 
backend.


Long term, I would expect to have the service users specified in 
Keystone in their own domain that is explicitly in Keystone, and all 
other users specified via the Federated APIs, and ephemeral to Keystone 
itself.







On 05/01/2014 07:48 PM, Adam Young wrote:

On 05/01/2014 06:17 PM, Lillie Ross-CDSR11 wrote:
I've been playing with using LDAP authentication (identity) and SQL 
authorization (assignment) within Keystone in the current devstack 
release running in a single VM.


The problem with this setup, as I understand it, is the need to have 
LDAP entries for each service user (i.e. nova, glance, etc.).  In our 
environment, this isn't possible as our corporate LDAP directory is 
solely for employee records.  While I could work around this issue by 
running each service under a known LDAP employee record - this seems 
rather a kludge to me.


My question is, and admittedly I'm not well versed in directory 
federation, is this an issue that could be resolved once directory 
federation is stable in the next OpenStack release? Where, for 
instance, all of the OpenStack service accounts could remain in a 
separate directory service controlled solely by the cloud 
owner/admin, while users could then be authenticated via the 
corporate employee LDAP database?


We'd love to use LDAP to authenticate cloud users, but the need 
to also authenticate OpenStack services against the same LDAP backend 
makes the use of LDAP unviable in our environment.
We have no solution for that under Icehouse.  This topic is one of the 
high priorities for the Keystone team at the Icehouse summit.





This has probably been discussed previously, but any insight would be 
helpful.


Thanks and regards,
Ross
--
Ross Lillie
Distinguished Member of Technical Staff
Motorola Solutions, Inc.

motorolasolutions.com 
O: +1.847.576.0012
M: +1.847.980.2241
E: ross.lil...@motorolasolutions.com 


Re: [Openstack] Keystone w/ LDAP identity

2014-05-02 Thread Michael Hearn
Jasper
Are you alluding to the hybrid drivers as discussed & avail via
http://www.mattfischer.com/blog/?tag=openstack-2

~Mike.

On Thu, May 1, 2014 at 11:17 PM, Lillie Ross-CDSR11 <
ross.lil...@motorolasolutions.com> wrote:

>  I’ve been playing with using LDAP authentication (identity) and SQL
> authorization (assignment) within Keystone in the current devstack release
> running in a single VM.
>
>  The problem with this setup, as I understand it, is the need to have
> LDAP entries for each service user (i.e. nova, glance, etc.).  In our
> environment, this isn’t possible as our corporate LDAP directory is solely
> for employee records.  While I could work around this issue by running each
> service under a known LDAP employee record - this seems rather a kludge to
> me.
>
>  My question is, and admittedly I’m not well versed in directory
> federation, is this an issue that could be resolved once directory
> federation is stable in the next OpenStack release? Where, for instance,
> all of the OpenStack service accounts could remain in a separate directory
> service controlled solely by the cloud owner/admin, while users could then
> be authenticated via the corporate employee LDAP database?
>
>  We’d love to use LDAP to authenticate cloud users, but the need to
> also authenticate OpenStack services against the same LDAP backend makes
> the use of LDAP unviable in our environment.
>
>  This has probably been discussed previously, but any insight would be
> helpful.
>
>  Thanks and regards,
> Ross
> --
>  Ross Lillie
> Distinguished Member of Technical Staff
> Motorola Solutions, Inc.
>
>  motorolasolutions.com
>  O: +1.847.576.0012
> M: +1.847.980.2241
>  E: ross.lil...@motorolasolutions.com
>


Re: [Openstack] Database instance in error status

2014-05-02 Thread Ali Nazemian
Hi,
It was not there too ...


On Mon, Apr 28, 2014 at 12:58 PM, Yitao Jiang  wrote:

> Sorry, it's here /opt/stack/logs/screen-n-cpu.log
>
>
> ---
> Thanks,
> Yitao
> jiangyt.github.io
>
>
> On Mon, Apr 28, 2014 at 2:13 PM, Ali Nazemian wrote:
>
>> Unfortunately I did not find any nova-compute.log in /opt/stack/data/nova
>> .For you question: sorry I dont know how to do that.
>>
>>
>> On Mon, Apr 28, 2014 at 5:36 AM, Yitao Jiang wrote:
>>
>>> AFAIK, logs are by default located at /opt/stack/data/{project}. One more
>>> question: do you know how I can install the trove service using devstack after
>>> I ran stack.sh without the trove service enabled?
>>> On Apr 27, 2014 11:37 PM, "Ali Nazemian"  wrote:
>>>
>>>> Hi,
>>>>
>>>> I installed OpenStack Trove using the automated script (devstack).
>>>> After it was installed successfully and I had created some users and projects, I
>>>> managed to create a database and a database instance. Unfortunately every
>>>> database instance that I build (via the command line or the Horizon
>>>> dashboard) ends up in error status. Therefore when I tried to create a
>>>> database inside each of the created database instances I got stuck with
>>>> "database instance is not ready".
>>>> I did some googling and some people mentioned that I should check
>>>> nova-compute.log, but unfortunately I did not find this log file under
>>>> /var/log/nova! Would you please guide me?
>>>>
>>>> Best regards.
>>>>
>>>> --
>>>> A.Nazemian
>>>>

>>
>>
>> --
>> A.Nazemian
>>
>
>


-- 
A.Nazemian


[Openstack] Status of Limited live upgrades? (Icehouse controller, Compute havana)

2014-05-02 Thread Robert van Leeuwen
Hi,

I am testing a split upgrade scenario (controller = Icehouse, Compute=havana)
There seems to be quite a bit of functionality missing / not working.

I tested just a few things and already noticed these things do not work:
* Terminating instances ( https://bugs.launchpad.net/nova/+bug/1315288 )
* Attaching / detaching cinder volumes ( 
https://bugs.launchpad.net/nova/+bug/1315354 )

Are these limitations to be expected?
If so, is there any documentation on what functionality should or should not 
work?

Thx,
Robert van Leeuwen


Re: [Openstack] [Trove] Integrating trove and phpmyadmin

2014-05-02 Thread Ali Nazemian
No, I did not succeed.


On Tue, Apr 29, 2014 at 7:19 AM, Hopper, Justin wrote:

> Reposting with [Trove] Designation…
>
>
>
> Justin Hopper
> Software Engineer - DBaaS
> irc: juice | gpg: EA238CF3 | twt: @justinhopper
>
>
>
>
> On 4/28/14, 19:30, "Cotton Tenney"  wrote:
>
> >Have you had any luck on this?  This is something I'd like to do.
> >
> >Sent from my iPad
> >
> >> On Apr 26, 2014, at 1:59 PM, Ali Nazemian 
> wrote:
> >>
> >> Hi,
> >> I am going to integrate phpmyadmin with my trove. I was wondering how I
> >>can integrate phpmyadmin (on client side) and trove (on server side). I
> >>am able to connect to phpmyadmin panel via root user but it is not
> >>possible with the users that I created via horizon dashboard. Would you
> >>please help me through this?
> >> Best regards.
> >>
> >> --
> >> A.Nazemian



-- 
A.Nazemian


Re: [Openstack] Keystone w/ LDAP identity

2014-05-02 Thread Jasper Capel
We ran into a similar issue, wanting to authenticate our corporate users 
against the company AD, but keeping our service accounts separate.

We ended up writing a little piece of Keystone middleware that sits on the 
Keystone request pipeline. It will attempt to authenticate the user against our 
corporate authentication API. If that succeeds, it will set the REMOTE_USER 
variable in the request environment and Keystone will obey it. If it is not 
set, Keystone will simply authenticate against the built-in database. We’ve 
been using this method for more than a year and it works well, but I don’t know 
if this is still the best solution today.

It’s a bit specific to our environment, but I can provide you with some example 
code if that would help.

Regards,

Jasper Capel

On 02 May 2014, at 00:17, Lillie Ross-CDSR11 
 wrote:

> I’ve been playing with using LDAP authentication (identity) and SQL 
> authorization (assignment) within Keystone in the current devstack release 
> running in a single VM.
> 
> The problem with this setup, as I understand it, is the need to have LDAP 
> entries for each service user (i.e. nova, glance, etc.).  In our environment, 
> this isn’t possible as our corporate LDAP directory is solely for employee 
> records.  While I could work around this issue by running each service under 
> a known LDAP employee record - this seems rather a kludge to me.
> 
> My question is, and admittedly I’m not well versed in directory federation, 
> is this an issue that could be resolved once directory federation is stable 
> in the next OpenStack release? Where, for instance, all of the OpenStack 
> service accounts could remain in a separate directory service controlled 
> solely by the cloud owner/admin, while users could then be authenticated via 
> the corporate employee LDAP database?
> 
> We’d love to use LDAP to authenticate cloud users, but the need to also 
> authenticate OpenStack services against the same LDAP backend makes the use 
> of LDAP unviable in our environment.
> 
> This has probably been discussed previously, but any insight would be 
> helpful.  
> 
> Thanks and regards,
> Ross
> --
> Ross Lillie
> Distinguished Member of Technical Staff
> Motorola Solutions, Inc.
> 
> motorolasolutions.com
> O: +1.847.576.0012
> M: +1.847.980.2241
> E: ross.lil...@motorolasolutions.com
> 
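
Jasper's approach, and the REMOTE_USER / REMOTE_USER_GROUPS mapping Adam describes further up the thread, both rest on Keystone's external authentication: a filter earlier in the paste pipeline sets REMOTE_USER in the WSGI environ, and Keystone's external auth plugin treats that as an already-verified identity. The following is an added example, not Jasper's middleware and not Keystone code, of a minimal filter of that shape; the "corporate authentication API" is a constructed in-memory stand-in and the Basic-auth transport is an assumption, since the post does not say how credentials reach the filter. Two points carry the security weight: the environ key is set only after the filter itself verified the credentials, and a `Remote-User` header sent by a client (which WSGI exposes under the different key HTTP_REMOTE_USER) is discarded rather than trusted, so nobody can impersonate a corporate user by adding a header. On failure the filter leaves REMOTE_USER unset and the request continues to Keystone's normal password check against its own backend, which is where the service accounts live. The filter also assumes it is the only source of REMOTE_USER in the pipeline; if a web server in front legitimately sets it, drop the second `pop`.

```python
import base64
import hmac
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for "our corporate authentication API": a callable that
# returns the canonical username on success and None otherwise.
Verifier = Callable[[str, str], Optional[str]]

_FAKE_DIRECTORY = {"alice": "correct horse", "bob": "battery staple"}  # constructed test data


def fake_corporate_verify(username: str, password: str) -> Optional[str]:
    expected = _FAKE_DIRECTORY.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    return username.lower()


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Extract (user, password) from an HTTP Basic Authorization header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class CorporateAuthFilter:
    """WSGI filter: sets environ['REMOTE_USER'] only after verifying credentials itself."""

    def __init__(self, app, verifier: Verifier = fake_corporate_verify):
        self.app = app
        self.verifier = verifier

    def __call__(self, environ: Dict, start_response):
        # Never trust identity that arrived with the request. A 'Remote-User:'
        # header shows up as HTTP_REMOTE_USER; drop it, and drop any pre-set
        # REMOTE_USER so this filter is the only thing that can assert one.
        environ.pop("HTTP_REMOTE_USER", None)
        environ.pop("REMOTE_USER", None)
        creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
        if creds is not None:
            identity = self.verifier(*creds)
            if identity is not None:
                environ["REMOTE_USER"] = identity
        # On failure fall through unset: Keystone then tries its own backend.
        return self.app(environ, start_response)


def echo_app(environ: Dict, start_response) -> Iterable[bytes]:
    """Downstream stand-in for Keystone: reports the identity it would trust."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("REMOTE_USER=%s" % environ.get("REMOTE_USER", "<unset>")).encode()]


def basic(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def run_request(headers: Dict[str, str], preset_remote_user: Optional[str] = None) -> str:
    """Drive the filter with a constructed WSGI environ; return what downstream saw."""
    environ: Dict = {"REQUEST_METHOD": "POST", "PATH_INFO": "/v2.0/tokens"}
    environ.update({"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()})
    if preset_remote_user is not None:
        environ["REMOTE_USER"] = preset_remote_user
    body: List[bytes] = []
    app = CorporateAuthFilter(echo_app)
    body.extend(app(environ, lambda status, hdrs: None))
    return b"".join(body).decode()


if __name__ == "__main__":
    print(run_request({"Authorization": basic("alice", "correct horse")}))
    print(run_request({"Authorization": basic("alice", "wrong")}))
    print(run_request({"Remote-User": "alice"}))
```

Wired into Keystone's paste pipeline this filter would sit before the token/auth application, with the real verifier substituted for `fake_corporate_verify`; the unset-on-failure behaviour is what lets service accounts in Keystone's SQL backend keep authenticating while employees go to the corporate directory.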