How to create users with keystone and Active Directory backend?

None of the examples and configuration guides for setting up Keystone with Active Directory work for the "Create User" operation. The failures, at least in my case (Win 2008 R2 AD Server), seem to stem from an incorrect combination of user_objectclass and the additional fields that keystone attempts to set when creating an LDAP user.


user_tree_dn = cn=Users,dc=example,dc=com
user_objectclass = User
user_filter = (&(objectClass=person)(!(objectClass=computer)))
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_enabled_emulation = false
user_attribute_ignore = default_project_id,password,tenant_id,tenants
user_allow_create = True
user_allow_update = True
user_allow_delete = True

Problem #1: user_objectclass - the user_objectclass MUST be "User" and NOT "organizationalPerson" or "person", otherwise AD will reject the creation request if it includes the "sAMAccountName" field. AD error: UNWILLING_TO_PERFORM

Problem #2: user_enabled_attribute - AD will not let you set the "userAccountControl" field in an LDAP create-user request. AD error: UNWILLING_TO_PERFORM

Has anyone found a combination of keystone.conf settings and possibly AD schema changes that will enable the "create-user" operation to succeed?
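As an added check (not part of the question above, and not keystone's own code), the following Python lints a keystone.conf [ldap] fragment for the two create-user pitfalls the question describes; it assumes the quoted options live under an [ldap] section and that the Active Directory behaviour is exactly as reported in the question.

```python
import configparser

# Constructed sample: the [ldap] options quoted in the question, with a "[ldap]"
# section header added (assumed to be the keystone.conf section they belong in).
SAMPLE_LDAP_CONF = """[ldap]
user_tree_dn = cn=Users,dc=example,dc=com
user_objectclass = User
user_filter = (&(objectClass=person)(!(objectClass=computer)))
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_enabled_emulation = false
user_attribute_ignore = default_project_id,password,tenant_id,tenants
user_allow_create = True
user_allow_update = True
user_allow_delete = True
"""


def lint_ad_create_user(conf_text):
    """Return (option, message) pairs for the two create-user pitfalls from the
    question; an empty list means neither applies to this configuration."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    ldap = cp["ldap"]
    findings = []
    # Both problems only surface on LDAP add requests, so skip read-only setups.
    if not ldap.getboolean("user_allow_create", fallback=False):
        return findings
    objectclass = ldap.get("user_objectclass", fallback="")
    name_attr = ldap.get("user_name_attribute", fallback="")
    # Problem #1: sAMAccountName is written on create, and AD answers
    # UNWILLING_TO_PERFORM unless the object class is "User".
    if name_attr.lower() == "samaccountname" and objectclass.lower() != "user":
        findings.append(("user_objectclass", "sAMAccountName is set on create "
                         "but user_objectclass is %r, not 'User'" % objectclass))
    enabled_attr = ldap.get("user_enabled_attribute", fallback="")
    emulation = ldap.getboolean("user_enabled_emulation", fallback=False)
    # Problem #2: AD refuses userAccountControl in an add request; with
    # emulation off, keystone writes the enabled attribute directly.
    if enabled_attr.lower() == "useraccountcontrol" and not emulation:
        findings.append(("user_enabled_attribute", "userAccountControl would be "
                         "sent in the create request (user_enabled_emulation is false)"))
    return findings
```

Run against the question's own fragment it reports only Problem #2, since user_objectclass is already "User".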