Re: [Openstack-operators] Problems with OpenStack and LDAP

2015-08-17 Thread Antonio Messina
On Mon, Aug 17, 2015 at 4:02 PM, Marc Pape marc.p...@gmail.com wrote:
> the internal SQL. It would be great if the service users of OpenStack
> were also stored in SQL, but currently they are also stored in LDAP.

This is a use case for keystone domains
(https://wiki.openstack.org/wiki/Domains), but when we tested it there
were many things that didn't work properly.

> After restarting the Keystone service, authentication via LDAP is
> possible. The user gets the message that no projects are assigned to
> him. Now there are two problems: how can you log in as admin to assign
> projects, and keystone said that it couldn't find the service users
> like ceilometer, neutron and so on.

Assuming you have at least one user you will use as admin, you need to
use the ADMIN_TOKEN to give that user the admin role. Then you can use
that user to assign roles to the other users.

For instance,

openstack --os-token whatever --os-endpoint http://localhost:35357
role add --project foo --user your-admin-user admin

At this point your-admin-user can use the standard environment
variables/CLI options (OS_AUTH_URL, OS_USERNAME etc.) to give the admin
role to the service accounts and standard roles to the users.


> I've followed the instructions on docs.openstack.org for Identity
> management, but I didn't find any notes about those problems.

That's because the standard documentation assumes that you can create
users, but you can't. There are, however, instructions on how to use
the token and the endpoint to create the first admin user. In your case
you don't create the user but just give him/her the admin role.

.a.

-- 
antonio.s.mess...@gmail.com
antonio.mess...@uzh.ch +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
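The two-step bootstrap Antonio describes (one call with the ADMIN_TOKEN to grant the admin role to an existing LDAP user, then everything else as that user with normal credentials), written out as a small POSIX shell script. This is an added example, not code from the thread or from the OpenStack project; it assumes the python-openstackclient `openstack` CLI is on PATH and accepts the `--os-token`/`--os-endpoint` form used in the reply, and the values ADMIN_TOKEN, KEYSTONE_ADMIN_URL, ADMIN_USER, ADMIN_PROJECT, SERVICE_PROJECT and SERVICE_USERS are placeholders to replace. With DRY_RUN=1 the script prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): bootstrap role assignments for a
# Keystone whose identity backend is a read-only LDAP. No user is ever
# created here; the admin user and the service users already exist in LDAP.
# All values below are placeholders.

ADMIN_TOKEN="${ADMIN_TOKEN:-REPLACE_WITH_admin_token_from_keystone.conf}"
KEYSTONE_ADMIN_URL="${KEYSTONE_ADMIN_URL:-http://localhost:35357}"
ADMIN_USER="${ADMIN_USER:-your-admin-user}"
ADMIN_PROJECT="${ADMIN_PROJECT:-admin}"
SERVICE_PROJECT="${SERVICE_PROJECT:-service}"
SERVICE_USERS="${SERVICE_USERS:-ceilometer neutron}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it on one line when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: the only call that uses the shared ADMIN_TOKEN. It grants the
# admin role on the admin project to the pre-existing LDAP user.
bootstrap_admin() {
  run openstack --os-token "$ADMIN_TOKEN" --os-endpoint "$KEYSTONE_ADMIN_URL" \
    role add --project "$ADMIN_PROJECT" --user "$ADMIN_USER" admin
}

# Step 2: done as that admin user. The CLI reads OS_AUTH_URL, OS_USERNAME,
# OS_PASSWORD and OS_PROJECT_NAME from the environment; the token is not
# used again. Each service account gets the admin role on the service project.
assign_service_roles() {
  for u in $SERVICE_USERS; do
    run openstack role add --project "$SERVICE_PROJECT" --user "$u" admin
  done
}

# Stand-alone use: run step 1, then source the admin user's credentials
# (an openrc file) into the environment and run step 2.
if [ "${1:-}" = "bootstrap" ]; then
  bootstrap_admin
elif [ "${1:-}" = "services" ]; then
  assign_service_roles
fi
```

Keeping the token confined to `bootstrap_admin` makes the second step auditable as an ordinary user action in Keystone's logs, and once the admin user holds the role the `admin_token` setting can be removed from keystone.conf so the shared secret is not left usable after bootstrap.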


[Openstack-operators] Problems with OpenStack and LDAP

2015-08-17 Thread Marc Pape
Hello everybody,

I've got some problems with our OpenStack (Juno) and integrating the
Identity Service with LDAP.
The LDAP connection is read-only, so I configured the [identity],
[ldap] and [assignment] parts in keystone.conf.
The identity part uses driver =
keystone.identity.backends.ldap.Identity and the assignment driver =
keystone.assignment.backends.sql.Assignment.
Our goal is user authentication via LDAP and project assignment in
the internal SQL. It would be great if the service users of OpenStack
were also stored in SQL, but currently they are also stored in LDAP.
After restarting the Keystone service, authentication via LDAP is
possible. The user gets the message that no projects are assigned to
him. Now there are two problems: how can you log in as admin to assign
projects, and keystone said that it couldn't find the service users
like ceilometer, neutron and so on.
I've followed the instructions on docs.openstack.org for Identity
management, but I didn't find any notes about those problems.

Many greetings and thanks for a possible answer

Marc