user is not in tenant via Microsoft Active Directory when using keystone user-get

Hi all,

I'd like to integrate keystone and Microsoft Active Directory. I have followed the sample below to create our own Active Directory for testing: https://wiki.openstack.org/wiki/HowtoIntegrateKeystonewithAD

Here is keystone.conf:

[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = admin
log_file = keystone.log
log_dir = /var/log/keystone
log_config = /etc/keystone/logging.conf

[sql]
connection = mysql://keystone:admin@10.109.37.203/keystone

[identity]
driver = keystone.identity.backends.ldap.Identity

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[token]
driver = keystone.token.backends.sql.Token

[policy]
driver = keystone.policy.backends.rules.Policy

[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2

[ssl]

[signing]

[ldap]
url = ldap://10.109.37.118:389
user = cn=administrator,cn=Users,dc=npt,dc=sd1
password = password
suffix = cn=npt,cn=sd1
use_dumb_member = True

# user mapping
user_tree_dn = cn=Users,dc=npt,dc=sd1
user_objectclass = top
user_id_attribute = cn
user_name_attribute = cn
dumb_member = cn=administrator,ou=Users,dc=npt,dc=sd1
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = True
user_allow_update = False
user_allow_delete = False

# tenant mapping
tenant_tree_dn = ou=Tenants,dc=npt,dc=sd1
tenant_objectclass = top
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore =
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

# role mapping (role_objectclass and role_member_attribute are each set twice, as posted;
# a config parser keeps only one value per key)
role_tree_dn = ou=Roles,dc=npt,dc=sd1
role_objectclass = organizationalRole
role_objectclass = top
role_id_attribute = cn
role_member_attribute = cn
role_member_attribute = roleOccupant
role_attribute_ignore =
role_allow_create = True
role_allow_update = True
role_allow_delete = True

# paste pipeline definitions
[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory

[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory

[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service

[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory

[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory

[pipeline:public_version_api]
pipeline = stats_monitoring url_normalize xml_body public_version_service

[pipeline:admin_version_api]
pipeline = stats_monitoring url_normalize xml_body admin_version_service

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/ = public_version_api

[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/ = admin_version_api

Here are the results of the keystone commands user-list, tenant-list, role-list and user-get:

keystone --token=admin --endpoint=http://10.109.37.203:35357/v2.0 user-list
+-----------------------------------------+-----------------------------------------+---------+-------+
| id                                      | name                                    | enabled | email |
+-----------------------------------------+-----------------------------------------+---------+-------+
| Administrator                           | Administrator                           |         |       |
| Allowed RODC Password Replication Group | Allowed RODC Password Replication Group |         |       |
| Cert Publishers                         | Cert Publishers                         |         |       |
| Denied RODC Password Replication Group  | Denied RODC Password Replication Group  |         |       |
| DnsAdmins                               | DnsAdmins                               |         |       |
| DnsUpdateProxy                          | DnsUpdateProxy                          |         |       |
| Domain Admins                           | Domain Admins                           |         |       |
| Domain Computers                        | Domain Computers                        |         |       |
| Domain Controllers                      | Domain Controllers                      |         |       |
| Domain Guests                           | Domain Guests                           |         |       |
| Domain Users                            | Domain Users                            |         |       |
| Enterprise Admins                       | Enterprise Admins                       |         |       |
| Enterprise Read-only Domain Controllers | Enterprise Read-only Domain Controllers |         |       |
| Group Policy Creator Owners             | Group Policy Creator Owners             |         |       |
| Guest                                   | Guest                                   |         |       |
| RAS and IAS Servers                     | RAS and IAS Servers                     |         |       |
| Read-only Domain Controllers            | Read-only Domain Controllers            |         |       |
| Schema Admins                           | Schema Admins                           |         |       |
| aj_cheng.                               | aj_cheng.                               |         |       |
| bill_chen                               | bill_chen                               |         |       |
| danny kuo                               | danny kuo                               |         |       |
| frank_wu                                | frank_wu                                |         |       |
| glance                                  | glance                                  |         |       |
| james_wang                              | james_wang                              |         |       |
| keystone                                | keystone                                |         |       |
| krbtgt                                  | krbtgt                                  |         |       |
| nova                                    | nova                                    |         |       |
+-----------------------------------------+-----------------------------------------+---------+-------+

keystone --token=admin --endpoint=http://10.109.37.203:35357/v2.0 role-list
+------------+------------+
| id         | name       |
+------------+------------+
| AdminRole  | AdminRole  |
| MemberRole | MemberRole |
| admin      | admin      |
+------------+------------+

keystone --token=admin --endpoint=http://10.109.37.203:35357/v2.0 tenant-list
+------------+------+---------+
| id         | name | enabled |
+------------+------+---------+
| DemoTenant |      | True    |
+------------+------+---------+

keystone --token=admin --endpoint=http://10.109.37.203:35357/v2.0 user-get frank_wu
+----------+----------+
| Property | Value    |
+----------+----------+
| id       | frank_wu |
| name     | frank_wu |
+----------+----------+

In Active Directory, user "frank_wu" is a member of MemberRole and also MemberRole is member of DemoTenant.

Now I can use the keystone commands to get user-list, tenant-list and role-list correctly.

When using the keystone command user-get "frank_wu", it should show the tenant id "DemoTenant" in the user detail.

However, it showed no tenant id in the user detail.

Does anybody have suggestion about this?

Thank you very much.
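Two things are visible in the output above and worth checking before blaming the AD side. First, `user-list` returns groups such as "Domain Admins" alongside real accounts, and `tenant-list` shows an empty name, which is what `user_objectclass = top` and `tenant_name_attribute = ou` (on a group entry that has no `ou` value) would produce. Second, the post describes frank_wu as a member of the MemberRole group, and MemberRole as a member of DemoTenant, so the user's only link to the tenant is one group hop away. The following is an added example, not code from the post or from keystone: an in-memory model of the searches an LDAP identity backend configured as above would make, with constructed directory entries (`DIRECTORY`), so the difference between a direct `(member=<user DN>)` match and nested group membership can be seen offline. It assumes, and this should be verified against the keystone release in use, that the v2 LDAP backend issues a single equality search under `tenant_tree_dn` and does not follow nested AD groups.

```python
"""Added example, not part of the original post and not keystone code.

Models the LDAP lookups an identity backend configured like the posted
[ldap] section would make, against constructed sample entries. The claim
that the backend performs one (member=<user DN>) search and never follows
nested groups is an assumption about keystone v2, not something this
script can prove.
"""

SUFFIX = "dc=npt,dc=sd1"
USER_TREE_DN = "cn=Users," + SUFFIX            # user_tree_dn from the post
TENANT_TREE_DN = "ou=Tenants," + SUFFIX        # tenant_tree_dn from the post
TENANT_MEMBER_ATTRIBUTE = "member"             # tenant_member_attribute
USER_ENABLED_MASK = 2                          # user_enabled_mask: ACCOUNTDISABLE bit
USER_ENABLED_DEFAULT = 512                     # user_enabled_default: NORMAL_ACCOUNT

# Constructed sample directory (not exported from any real AD). frank_wu is a
# member of the MemberRole group and MemberRole is a member of DemoTenant, as
# the post describes. bill_chen is a disabled account, and "Domain Admins" is
# a group that lives in the user tree, as real AD default groups do.
DIRECTORY = {
    "cn=frank_wu," + USER_TREE_DN: {
        "objectClass": ["top", "person", "user"],
        "cn": ["frank_wu"],
        "userAccountControl": ["512"],
    },
    "cn=bill_chen," + USER_TREE_DN: {
        "objectClass": ["top", "person", "user"],
        "cn": ["bill_chen"],
        "userAccountControl": ["514"],          # 512 | 2 -> account disabled
    },
    "cn=Domain Admins," + USER_TREE_DN: {
        "objectClass": ["top", "group"],
        "cn": ["Domain Admins"],
    },
    "cn=MemberRole,ou=Roles," + SUFFIX: {
        "objectClass": ["top", "group"],
        "cn": ["MemberRole"],
        "member": ["cn=frank_wu," + USER_TREE_DN],
    },
    "cn=DemoTenant," + TENANT_TREE_DN: {
        "objectClass": ["top", "group"],
        "cn": ["DemoTenant"],
        "member": ["cn=MemberRole,ou=Roles," + SUFFIX],
    },
}


def in_subtree(dn, base):
    """True if dn is base itself or lies beneath it (DNs compare case-insensitively)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search(base, attr, value):
    """Model of a subtree search with the equality filter (attr=value). Returns DNs."""
    return [
        dn for dn, attrs in DIRECTORY.items()
        if in_subtree(dn, base)
        and any(v.lower() == value.lower() for v in attrs.get(attr, []))
    ]


def list_users(user_objectclass):
    """What user-list sees: every entry under user_tree_dn matching user_objectclass."""
    return sorted(DIRECTORY[dn]["cn"][0]
                  for dn in search(USER_TREE_DN, "objectClass", user_objectclass))


def tenants_for_user_direct(user_dn):
    """One-level lookup: (member=<user DN>) under tenant_tree_dn, no group nesting."""
    return sorted(DIRECTORY[dn]["cn"][0]
                  for dn in search(TENANT_TREE_DN, TENANT_MEMBER_ATTRIBUTE, user_dn))


def tenants_for_user_nested(user_dn, max_depth=8):
    """Follow member chains user -> group -> ... -> tenant, which is what AD's
    LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) does server-side."""
    seen, frontier, tenants = set(), [user_dn], set()
    for _ in range(max_depth):                  # bounded walk: AD groups can form cycles
        next_frontier = []
        for dn in frontier:
            for holder in search(SUFFIX, TENANT_MEMBER_ATTRIBUTE, dn):
                if holder in seen:
                    continue
                seen.add(holder)
                if in_subtree(holder, TENANT_TREE_DN):
                    tenants.add(DIRECTORY[holder]["cn"][0])
                else:
                    next_frontier.append(holder)   # an intermediate group: keep climbing
        if not next_frontier:
            break
        frontier = next_frontier
    return sorted(tenants)


def user_enabled(user_dn):
    """Decode userAccountControl with user_enabled_mask: enabled when the masked bit is clear."""
    raw = DIRECTORY[user_dn].get("userAccountControl", [str(USER_ENABLED_DEFAULT)])[0]
    return (int(raw) & USER_ENABLED_MASK) == 0


if __name__ == "__main__":
    frank = "cn=frank_wu," + USER_TREE_DN
    bill = "cn=bill_chen," + USER_TREE_DN
    print("user-list with objectClass=top :", list_users("top"))
    print("user-list with objectClass=user:", list_users("user"))
    print("direct tenants for frank_wu    :", tenants_for_user_direct(frank))
    print("nested tenants for frank_wu    :", tenants_for_user_nested(frank))
    print("enabled: frank_wu =", user_enabled(frank), "bill_chen =", user_enabled(bill))
```

Against the real domain controller the same comparison can be made with two `ldapsearch` calls bound as the service account from the config, base `ou=Tenants,dc=npt,dc=sd1`: the plain filter `(member=cn=frank_wu,cn=Users,dc=npt,dc=sd1)` versus the chained filter `(member:1.2.840.113556.1.4.1941:=cn=frank_wu,cn=Users,dc=npt,dc=sd1)`. If only the second one returns DemoTenant, the membership exists in AD but only through the group, and a backend that does not follow nested groups will not see it. Separately, keep in mind that in the v2 API the `user-get` output can carry at most a single default tenant id (the `tenantId` attribute), which this config deliberately ignores via `user_attribute_ignore`; it was never a list of every tenant the user belongs to.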