user is not in tenant via Microsoft Active Directory when using keystone user-get

asked 2013-04-12 08:57:35 -0500

j2d0024

Hi all,

I'd like to integrate keystone with Microsoft Active Directory. I have followed the sample to create our own Active Directory for testing, as below: https://wiki.openstack.org/wiki/HowtoIntegrateKeystonewithAD

Here is keystone.conf:

[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = admin
log_file = keystone.log
log_dir = /var/log/keystone
log_config = /etc/keystone/logging.conf

[sql]
connection = mysql://keystone:admin@10.109.37.203/keystone

[identity]
driver = keystone.identity.backends.ldap.Identity

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[token]
driver = keystone.token.backends.sql.Token

[policy]
driver = keystone.policy.backends.rules.Policy

[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2

[ssl]

[signing]

[ldap]
url = ldap://10.109.37.118:389
user = cn=administrator,cn=Users,dc=npt,dc=sd1
password = password
suffix = cn=npt,cn=sd1
use_dumb_member = True

user_tree_dn = cn=Users,dc=npt,dc=sd1
user_objectclass = top
user_id_attribute = cn
user_name_attribute = cn
dumb_member = cn=administrator,ou=Users,dc=npt,dc=sd1

user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = True
user_allow_update = False
user_allow_delete = False

tenant_tree_dn = ou=Tenants,dc=npt,dc=sd1
tenant_objectclass = top
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description

tenant_enabled_attribute = extensionName
tenant_attribute_ignore =
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = ou=Roles,dc=npt,dc=sd1
role_objectclass = organizationalRole
role_objectclass = top
role_id_attribute = cn
role_member_attribute = cn
role_member_attribute = roleOccupant

role_attribute_ignore =
role_allow_create = True
role_allow_update = True
role_allow_delete = True

[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory

[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory

[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service

[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory

[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory

[pipeline:public_version_api]
pipeline = stats_monitoring url_normalize xml_body public_version_service

[pipeline:admin_version_api]
pipeline = stats_monitoring url_normalize xml_body admin_version_service

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/ = public_version_api

[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/ = admin_version_api

Here are the results of the keystone commands user-list, tenant-list, role-list and user-get:

keystone --token=admin --endpoint=http://10.109.37.203:35357/v2.0 user-list
+-----------------------------------------+-----------------------------------------+---------+-------+
| id                                      | name                                    | enabled | email |
+-----------------------------------------+-----------------------------------------+---------+-------+
| Administrator                           | Administrator                           |         |       |
| Allowed RODC Password Replication Group | Allowed RODC Password Replication Group |         |       |
| Cert Publishers                         | Cert Publishers                         |         |       |
| Denied RODC Password Replication Group  | Denied RODC Password Replication Group  |         |       |
| DnsAdmins                               | DnsAdmins                               |         |       |
| DnsUpdateProxy                          | DnsUpdateProxy                          |         |       |
| Domain Admins                           | Domain Admins                           |         |       |
| Domain Computers                        | Domain Computers                        |         |       |
| Domain Controllers                      | Domain Controllers                      |         |       |
| Domain Guests                           | Domain Guests ... (more)


4 answers


answered 2013-04-15 13:05:55 -0500

The default tenant_id is not set to any attribute in this configuration, and you are ignoring this value in

user_attribute_ignore = password,tenant_id,tenants

We can create a bug for this specific behavior (missing attribute mapping), but then you need to select, via configuration, the attribute in AD that you want to map to store this information.

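The answer above and the keystone.conf in the question can both be checked mechanically. What follows is an added example written for this page; it is not keystone code and did not come from anyone in the thread. It reads the [ldap] section as posted (the sample below is a constructed excerpt of it) and reports the things a reviewer would question: tree DNs and dumb_member that do not sit under suffix (as posted, suffix is cn=npt,cn=sd1 while every tree DN ends in dc=npt,dc=sd1, and dumb_member uses ou=Users where user_tree_dn uses cn=Users), a cleartext ldap:// URL with the bind password in the config, binding as cn=administrator rather than a read-only service account, and tenant_id sitting in user_attribute_ignore, which is the problem the answer identifies. The use_tls option name and the user_enabled helper, which applies the user_enabled_mask rule as I understand keystone's LDAP backend to apply it (enabled when the masked bits of userAccountControl are not all set), are my assumptions, not something the thread states.

```python
"""Lint the [ldap] section of a keystone.conf like the one posted above.

Added example, not keystone's own code.  Checks DN consistency, transport and
bind hygiene, and the user_attribute_ignore / tenant_id issue from the answer.
"""
import configparser
import io

# Constructed sample: the relevant keys copied from the posted keystone.conf.
SAMPLE_CONF = """
[ldap]
url = ldap://10.109.37.118:389
user = cn=administrator,cn=Users,dc=npt,dc=sd1
password = password
suffix = cn=npt,cn=sd1
use_dumb_member = True
user_tree_dn = cn=Users,dc=npt,dc=sd1
dumb_member = cn=administrator,ou=Users,dc=npt,dc=sd1
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
tenant_tree_dn = ou=Tenants,dc=npt,dc=sd1
role_tree_dn = ou=Roles,dc=npt,dc=sd1
"""


def _norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _under(dn, base):
    """True if dn equals base or is an entry somewhere below it."""
    dn, base = _norm_dn(dn), _norm_dn(base)
    return dn == base or dn.endswith("," + base)


def lint_ldap_section(conf_text):
    """Return a list of human-readable findings for the [ldap] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    ldap = cp["ldap"]
    findings = []

    # 1. Every search base and the dumb member must live under the suffix.
    suffix = ldap.get("suffix", "")
    for key in ("user_tree_dn", "tenant_tree_dn", "role_tree_dn", "dumb_member"):
        dn = ldap.get(key)
        if dn and not _under(dn, suffix):
            findings.append(f"{key}={dn} is not under suffix={suffix}")

    # 2. The dumb member is supposed to be an entry in the user tree.
    if ldap.get("use_dumb_member", "False").lower() == "true":
        dm, ut = ldap.get("dumb_member", ""), ldap.get("user_tree_dn", "")
        if dm and ut and not _under(dm, ut):
            findings.append(f"dumb_member={dm} is not under user_tree_dn={ut}")

    # 3. Transport: ldap:// without STARTTLS sends the bind password in clear.
    #    (use_tls is assumed to be the option name; absent means no TLS.)
    url = ldap.get("url", "")
    if url.startswith("ldap://") and ldap.get("use_tls", "False").lower() != "true":
        findings.append("bind credentials travel in clear: url is ldap:// without use_tls")

    # 4. Least privilege: keystone only needs to read (and maybe create users).
    if _norm_dn(ldap.get("user", "")).startswith("cn=administrator,"):
        findings.append("keystone binds as cn=administrator; use a read-only service account")

    # 5. The issue from the answer: tenant_id is discarded before it is mapped.
    ignored = [a.strip() for a in ldap.get("user_attribute_ignore", "").split(",") if a.strip()]
    if "tenant_id" in ignored:
        findings.append("tenant_id is in user_attribute_ignore, so users never get a default tenant")

    return findings


def user_enabled(uac_value, mask=2):
    """Apply the user_enabled_mask rule to an AD userAccountControl value.

    Assumed rule: the account is enabled when the masked bits are NOT all set;
    with mask=2 that is AD's ACCOUNTDISABLE bit (512 = NORMAL_ACCOUNT, enabled;
    514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, disabled).
    """
    return (int(uac_value) & mask) != mask


if __name__ == "__main__":
    for finding in lint_ldap_section(SAMPLE_CONF):
        print("-", finding)
    print("uac 512 enabled:", user_enabled(512), "| uac 514 enabled:", user_enabled(514))
```

Run against the posted config the linter reports every tree DN and dumb_member as outside the suffix, the dumb_member/user_tree_dn mismatch, the cleartext bind, the Administrator bind account, and the ignored tenant_id; a config with suffix = dc=npt,dc=sd1, an ldaps:// URL, a dedicated service account and tenant_id removed from user_attribute_ignore comes back clean.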

answered 2013-04-16 06:21:36 -0500

j2d0024

Thanks Jose Castro Leon, that solved my question.


answered 2013-04-16 06:24:53 -0500

j2d0024

Thank you for your great help.

I re-filled the fields to map attributes in the Active Directory,

and also deleted the line:

user_attribute_ignore = password,tenant_id,tenants

At last I can log in to Horizon with my own Active Directory account.

Thank you very much!

answered 2013-04-22 12:23:19 -0500

Today I set up Keystone Grizzly and want to migrate my Folsom implementation to the Grizzly version. My backend Identity service is OpenLDAP (it stores user, tenant and role information). After configuring the keystone.conf file for Grizzly and issuing the command GET -> http://146.89.7.107:35357/v3/users , I am returned a list of users with info ->

########
{
    "users": [
        {
            "password": "secrete",
            "id": "nsoadmin-cn-1",
            "links": {
                "self": "http://localhost:5000/v3/users/nsoadmin-cn-1"
            },
            "name": "nsoadmin-1"
        },
        {
            "password": "secrete",
            "id": "nsoadmin-cn-2",
            "links": {
                "self": "http://localhost:5000/v3/users/nsoadmin-cn-2"
            },
            "name": "nsoadmin-2"
        },
        ....
########

However, according to the official doc, it should return information like ->

########
[
    {
        "default_project_id": "--default-project-id--",
        "description": "a user",
        "domain_id": "1789d1",
        "email": "...",
        "enabled": true,
        "id": "--user-id--",
        "links": {
            "self": "http://identity:35357/v3/users/--user-id--"
        },
        "name": "admin"
    },
    {
        "default_project_id": "--default-project-id--",
        "description": "another user",
        "domain_id": "1789d1",
        "email": "...",
        "enabled": true,
        "id": "--user-id--",
        "links": {
            "self": "http://identity:35357/v3/users/--user-id--"
        },
        "name": "someone"
    }
]
########

which has more information, such as domain and project.

Also, when I issue the command to get a scoped token ->

########
curl -X POST -d '{"auth":{"tenantName": "admin-tenant", "passwordCredentials":{"username": "nsoadmin-1", "password": "secrete"}}}' \
     -H "Content-type: application/json" \
     http://146.89.7.95:5000/v2.0/tokens | python -m json.tool
########

I am faced with the error message -> "message": "An unexpected error prevented the server from fulfilling your request. 'domain_id'", "title": "Internal Server Error"

Can anyone give me an insight here?

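Two things stand out in the listing the post above reports: the user entries are missing the documented v3 fields (domain_id among them, the same name that appears in the token error), and every entry carries "password": "secrete", which means the LDAP password attribute is being mapped straight into the API response. Below is an added example written for this page, not keystone code and not from anyone in the thread, that diffs a GET /v3/users body against the documented field set quoted in the post and reports, per user, what is missing, what is unexpected, and which sensitive fields leaked. The response body embedded in it is a constructed copy of the one reported above; the field names are taken from the doc excerpt in the post.

```python
"""Audit a Keystone v3 GET /users response for missing and leaked fields.

Added example, not keystone's own code.  Compares each returned user with the
documented v3 user representation and flags credential material in the body.
"""
import json

# Field names from the documentation excerpt quoted in the post above.
DOCUMENTED_FIELDS = frozenset({
    "default_project_id", "description", "domain_id", "email",
    "enabled", "id", "links", "name",
})
# Fields that must never appear in a user listing, whatever else is mapped.
SENSITIVE_FIELDS = frozenset({"password"})

# Constructed sample: the shape of the response reported in the post.
SAMPLE_RESPONSE = json.dumps({
    "users": [
        {"password": "secrete", "id": "nsoadmin-cn-1",
         "links": {"self": "http://localhost:5000/v3/users/nsoadmin-cn-1"},
         "name": "nsoadmin-1"},
        {"password": "secrete", "id": "nsoadmin-cn-2",
         "links": {"self": "http://localhost:5000/v3/users/nsoadmin-cn-2"},
         "name": "nsoadmin-2"},
    ]
})


def audit_v3_users(body, documented=DOCUMENTED_FIELDS, sensitive=SENSITIVE_FIELDS):
    """Return {user_id: {"missing": [...], "unexpected": [...], "leaked": [...]}}.

    Accepts a JSON string/bytes or an already-decoded object, and either the
    v3 envelope {"users": [...]} or a bare list as in the doc excerpt.
    """
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    users = data["users"] if isinstance(data, dict) else data
    report = {}
    for user in users:
        present = set(user)
        report[user.get("id", "<no id>")] = {
            "missing": sorted(documented - present),
            "unexpected": sorted(present - documented - sensitive),
            "leaked": sorted(present & sensitive),
        }
    return report


def has_credential_leak(report):
    """True if any audited user entry exposed a sensitive field."""
    return any(entry["leaked"] for entry in report.values())


if __name__ == "__main__":
    result = audit_v3_users(SAMPLE_RESPONSE)
    for user_id, entry in result.items():
        print(user_id, json.dumps(entry))
    print("credential leak in listing:", has_credential_leak(result))
```

On the reported body every user comes back with default_project_id, description, domain_id, email and enabled missing and password leaked; a body shaped like the doc excerpt produces an empty report for each user. A listing that leaks passwords is a reason to stop and fix the attribute mapping before debugging the token error, because every client with a token that can list users can read them.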

Stats

Seen: 251 times

Last updated: Apr 22 '13