Revision history

initial version

401 on authenticated keystone calls when using AD on Icehouse

I have been banging my head against the wall trying to figure this out. I have followed a couple of examples precisely and cannot get AD to authenticate properly. My keystone config and ldap dump are below. I really need someone better at AD backing keystone than I to take a look and point out what I am missing.

Note that when bypassing auth I can query successfully for roles, users and tenants. All list properly. Also, in the ldap dump below you will notice I only have the admin user/tenant/role set up. I removed services users to simplify debugging.

command output:

# keystone  --debug --os-username admin --os-password somepass --os-tenant-name admin --os-auth-url "http://10.21.111.243:5000/v2.0/" role-list
DEBUG:keystoneclient.session:REQ: curl -i -X POST http://10.21.111.243:5000/v2.0/tokens -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "somepass"}}}'
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 10.21.111.243
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 401 114
DEBUG:keystoneclient.session:RESP: [401] {'date': 'Tue, 12 Aug 2014 20:07:49 GMT', 'content-type': 'application/json', 'content-length': '114', 'vary': 'X-Auth-Token', 'www-authenticate': 'Keystone uri="http://10.21.111.243:5000"'}
RESP BODY: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

DEBUG:keystoneclient.session:Request returned failure status: 401
DEBUG:keystoneclient.v2_0.client:Authorization Failed.
The request you have made requires authentication. (HTTP 401)

Keystone Config:

[ldap]
query_scope = sub
url = ldap://WIN-5HTJQFST6T.corp.somedomain.com
user = cn=Administrator,cn=Users,dc=corp,dc=somedomain,dc=com
password = somepass
suffix = dc=corp,dc=somedomain,dc=com
use_dumb_member = True
dumb_member = cn=Administrator,cn=Users,dc=corp,dc=somedomain,dc=com

user_tree_dn = cn=Users,dc=corp,dc=somedomain,dc=com
user_objectclass = organizationalPerson
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = True
user_allow_update = True
user_allow_delete = True
user_default_project_id_attribute = member

tenant_tree_dn = ou=Tenants,ou=OpenStack,dc=corp,dc=somedomain,dc=com
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore = description,businessCategory,extensionName
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = ou=Roles,ou=OpenStack,dc=corp,dc=somedomain,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True

AD Dump:

# extended LDIF
#
# LDAPv3
# base <OU=Openstack,DC=corp,DC=somedomain,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# OpenStack, corp.somedomain.com
dn: OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: OpenStack
distinguishedName: OU=OpenStack,DC=corp,DC=somedomain,DC=com
instanceType: 4
whenCreated: 20140811163949.0Z
whenChanged: 20140811163949.0Z
uSNCreated: 24757
uSNChanged: 24757
name: OpenStack
objectGUID:: V/bbeiu4iE+d57PtpeCLQA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 16010101000000.0Z

# Tenants, OpenStack, corp.somedomain.com
dn: OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: Tenants
distinguishedName: OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=com
instanceType: 4
whenCreated: 20140811164022.0Z
whenChanged: 20140812175130.0Z
uSNCreated: 24758
uSNChanged: 32904
name: Tenants
objectGUID:: 1HYfFQKZDEyTvLQKMVnM2g==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 20140812175130.0Z
dSCorePropagationData: 16010101000000.0Z

# admin, Tenants, OpenStack, corp.somedomain.com
dn: OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: admin
distinguishedName: OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=c
 om
instanceType: 4
whenCreated: 20140812175129.0Z
whenChanged: 20140812180304.0Z
uSNCreated: 32902
uSNChanged: 32913
extensionName: TRUE
name: admin
objectGUID:: axSkdGP++0mprIm7ktj46Q==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 20140812175130.0Z
dSCorePropagationData: 20140812175130.0Z
dSCorePropagationData: 16010101000000.0Z

# admin, admin, Tenants, OpenStack, corp.somedomain.com
dn: CN=admin,OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalRole
cn: admin
roleOccupant: CN=admin,CN=Users,DC=corp,DC=somedomain,DC=com
distinguishedName: CN=admin,OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=somedo
 main,DC=com
instanceType: 4
whenCreated: 20140812175640.0Z
whenChanged: 20140812194116.0Z
uSNCreated: 32909
uSNChanged: 32940
showInAdvancedViewOnly: TRUE
name: admin
objectGUID:: RRz1gLKlCUSvQ3iBz1SBAg==
objectCategory: CN=Organizational-Role,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 16010101000000.0Z

# adminUsers, admin, Tenants, OpenStack, corp.somedomain.com
dn: CN=adminUsers,OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=co
 m
objectClass: top
objectClass: groupOfNames
cn: adminUsers
member: CN=admin,CN=Users,DC=corp,DC=somedomain,DC=com
distinguishedName: CN=adminUsers,OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=s
 omedomain,DC=com
instanceType: 4
whenCreated: 20140812180010.0Z
whenChanged: 20140812193808.0Z
uSNCreated: 32912
uSNChanged: 32936
showInAdvancedViewOnly: TRUE
name: adminUsers
objectGUID:: oJ9D8/cthUe4uyfVy3VUpQ==
objectCategory: CN=Group-Of-Names,CN=Schema,CN=Configuration,DC=corp,DC=somedo
 main,DC=com
dSCorePropagationData: 16010101000000.0Z

# services, Tenants, OpenStack, corp.somedomain.com
dn: OU=services,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: services
distinguishedName: OU=services,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,D
 C=com
instanceType: 4
whenCreated: 20140812175140.0Z
whenChanged: 20140812180321.0Z
uSNCreated: 32905
uSNChanged: 32915
extensionName: TRUE
name: services
objectGUID:: F+1ClnsqF02UuHwnBiDvZw==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 20140812175140.0Z
dSCorePropagationData: 16010101000000.0Z

# Roles, OpenStack, corp.somedomain.com
dn: OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: Roles
distinguishedName: OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=com
instanceType: 4
whenCreated: 20140811164042.0Z
whenChanged: 20140811164042.0Z
uSNCreated: 24759
uSNChanged: 24759
name: Roles
objectGUID:: w2nhCwoAGUisEZfTY3y29Q==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 16010101000000.0Z

# admin, Roles, OpenStack, corp.somedomain.com
dn: CN=admin,OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalRole
cn: admin
roleOccupant: CN=admin,CN=Users,DC=corp,DC=somedomain,DC=com
distinguishedName: CN=admin,OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=com
instanceType: 4
whenCreated: 20140812175327.0Z
whenChanged: 20140812193705.0Z
uSNCreated: 32907
uSNChanged: 32933
showInAdvancedViewOnly: TRUE
name: admin
objectGUID:: /J/oUhUayUW2feT3Dp2B2g==
objectCategory: CN=Organizational-Role,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 16010101000000.0Z

# Member, Roles, OpenStack, corp.somedomain.com
dn: CN=Member,OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalRole
cn: Member
distinguishedName: CN=Member,OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=co
 m
instanceType: 4
whenCreated: 20140812175447.0Z
whenChanged: 20140812175447.0Z
uSNCreated: 32908
uSNChanged: 32908
showInAdvancedViewOnly: TRUE
name: Member
objectGUID:: Ou9fmZ3V0E633LpvD4g8cg==
objectCategory: CN=Organizational-Role,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9

401 on authenticated keystone calls when using AD on Icehouse

I have been banging my head against the wall trying to figure this out. I have followed a couple of examples precisely and cannot get AD to authenticate properly. My keystone config and ldap dump are below. I really need someone better at AD backing keystone than I to take a look and point out what I am missing.

Note that when bypassing auth I can query successfully for roles, users and tenants. All list properly. However, user-role-list causes an error:

2014-08-12 16:44:14.144 10915 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:780
2014-08-12 16:44:14.145 10915 ERROR keystone.common.wsgi [-] 'utf8' codec can't decode byte 0x9d in position 13: invalid start byte
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 207, in __call__
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     result = method(context, **params)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/controllers.py", line 204, in get_user_roles
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     user_id, tenant_id)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/core.py", line 180, in get_roles_for_user_and_project
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     user_role_list = _get_user_project_roles(user_id, project_ref)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/core.py", line 161, in _get_user_project_roles
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     tenant_id=project_ref['id'])
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in _wrapper
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     return f(*args, **kw)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/backends/ldap.py", line 118, in _get_metadata
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     tenant_id)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/assignment/backends/ldap.py", line 91, in _get_roles_for_just_user_and_project
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     user_dn = self.user._id_to_dn(user_id)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 473, in _id_to_dn
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     'objclass': self.object_class})
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 823, in search_s
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     py_result = convert_ldap_result(ldap_result)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 153, in convert_ldap_result
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     for kind, values in six.iteritems(attrs))))
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 153, in <genexpr>
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     for kind, values in six.iteritems(attrs))))
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 122, in ldap2py
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     return utf8_decode(val)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 80, in utf8_decode
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     return _utf8_decoder(value)[0]
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi   File "/usr/lib64/python2.6/encodings/utf_8.py", line 16, in decode
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi     return codecs.utf_8_decode(input, errors, True)
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi UnicodeDecodeError: 'utf8' codec can't decode byte 0x9d in position 13: invalid start byte
2014-08-12 16:44:14.145 10915 TRACE keystone.common.wsgi

It may be simply that the above error is causing a failed role lookup. But what is causing the above error?

In the ldap dump below you will notice I only have the admin user/tenant/role set up. I removed services users to simplify debugging.

command output:

# keystone  --debug --os-username admin --os-password somepass --os-tenant-name admin --os-auth-url "http://10.21.111.243:5000/v2.0/" role-list
DEBUG:keystoneclient.session:REQ: curl -i -X POST http://10.21.111.243:5000/v2.0/tokens -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "somepass"}}}'
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 10.21.111.243
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 401 114
DEBUG:keystoneclient.session:RESP: [401] {'date': 'Tue, 12 Aug 2014 20:07:49 GMT', 'content-type': 'application/json', 'content-length': '114', 'vary': 'X-Auth-Token', 'www-authenticate': 'Keystone uri="http://10.21.111.243:5000"'}
RESP BODY: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

DEBUG:keystoneclient.session:Request returned failure status: 401
DEBUG:keystoneclient.v2_0.client:Authorization Failed.
The request you have made requires authentication. (HTTP 401)

Keystone Config:

[ldap]
query_scope = sub
url = ldap://WIN-5HTJQFST6T.corp.somedomain.com
user = cn=Administrator,cn=Users,dc=corp,dc=somedomain,dc=com
password = somepass
suffix = dc=corp,dc=somedomain,dc=com
use_dumb_member = True
dumb_member = cn=Administrator,cn=Users,dc=corp,dc=somedomain,dc=com

user_tree_dn = cn=Users,dc=corp,dc=somedomain,dc=com
user_objectclass = organizationalPerson
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = True
user_allow_update = True
user_allow_delete = True
user_default_project_id_attribute = member

tenant_tree_dn = ou=Tenants,ou=OpenStack,dc=corp,dc=somedomain,dc=com
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore = description,businessCategory,extensionName
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = ou=Roles,ou=OpenStack,dc=corp,dc=somedomain,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True

AD Dump:

# extended LDIF
#
# LDAPv3
# base <OU=Openstack,DC=corp,DC=somedomain,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# OpenStack, corp.somedomain.com
dn: OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: OpenStack
distinguishedName: OU=OpenStack,DC=corp,DC=somedomain,DC=com
instanceType: 4
whenCreated: 20140811163949.0Z
whenChanged: 20140811163949.0Z
uSNCreated: 24757
uSNChanged: 24757
name: OpenStack
objectGUID:: V/bbeiu4iE+d57PtpeCLQA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 16010101000000.0Z

# Tenants, OpenStack, corp.somedomain.com
dn: OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: Tenants
distinguishedName: OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=com
instanceType: 4
whenCreated: 20140811164022.0Z
whenChanged: 20140812175130.0Z
uSNCreated: 24758
uSNChanged: 32904
name: Tenants
objectGUID:: 1HYfFQKZDEyTvLQKMVnM2g==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 20140812175130.0Z
dSCorePropagationData: 16010101000000.0Z

# admin, Tenants, OpenStack, corp.somedomain.com
dn: OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: admin
distinguishedName: OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=c
 om
instanceType: 4
whenCreated: 20140812175129.0Z
whenChanged: 20140812180304.0Z
uSNCreated: 32902
uSNChanged: 32913
extensionName: TRUE
name: admin
objectGUID:: axSkdGP++0mprIm7ktj46Q==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 20140812175130.0Z
dSCorePropagationData: 20140812175130.0Z
dSCorePropagationData: 16010101000000.0Z

# admin, admin, Tenants, OpenStack, corp.somedomain.com
dn: CN=admin,OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalRole
cn: admin
roleOccupant: CN=admin,CN=Users,DC=corp,DC=somedomain,DC=com
distinguishedName: CN=admin,OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=somedo
 main,DC=com
instanceType: 4
whenCreated: 20140812175640.0Z
whenChanged: 20140812194116.0Z
uSNCreated: 32909
uSNChanged: 32940
showInAdvancedViewOnly: TRUE
name: admin
objectGUID:: RRz1gLKlCUSvQ3iBz1SBAg==
objectCategory: CN=Organizational-Role,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 16010101000000.0Z

# adminUsers, admin, Tenants, OpenStack, corp.somedomain.com
dn: CN=adminUsers,OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=co
 m
objectClass: top
objectClass: groupOfNames
cn: adminUsers
member: CN=admin,CN=Users,DC=corp,DC=somedomain,DC=com
distinguishedName: CN=adminUsers,OU=admin,OU=Tenants,OU=OpenStack,DC=corp,DC=s
 omedomain,DC=com
instanceType: 4
whenCreated: 20140812180010.0Z
whenChanged: 20140812193808.0Z
uSNCreated: 32912
uSNChanged: 32936
showInAdvancedViewOnly: TRUE
name: adminUsers
objectGUID:: oJ9D8/cthUe4uyfVy3VUpQ==
objectCategory: CN=Group-Of-Names,CN=Schema,CN=Configuration,DC=corp,DC=somedo
 main,DC=com
dSCorePropagationData: 16010101000000.0Z

# services, Tenants, OpenStack, corp.somedomain.com
dn: OU=services,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: services
distinguishedName: OU=services,OU=Tenants,OU=OpenStack,DC=corp,DC=somedomain,D
 C=com
instanceType: 4
whenCreated: 20140812175140.0Z
whenChanged: 20140812180321.0Z
uSNCreated: 32905
uSNChanged: 32915
extensionName: TRUE
name: services
objectGUID:: F+1ClnsqF02UuHwnBiDvZw==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 20140812175140.0Z
dSCorePropagationData: 16010101000000.0Z

# Roles, OpenStack, corp.somedomain.com
dn: OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: Roles
distinguishedName: OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=com
instanceType: 4
whenCreated: 20140811164042.0Z
whenChanged: 20140811164042.0Z
uSNCreated: 24759
uSNChanged: 24759
name: Roles
objectGUID:: w2nhCwoAGUisEZfTY3y29Q==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 16010101000000.0Z

# admin, Roles, OpenStack, corp.somedomain.com
dn: CN=admin,OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalRole
cn: admin
roleOccupant: CN=admin,CN=Users,DC=corp,DC=somedomain,DC=com
distinguishedName: CN=admin,OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=com
instanceType: 4
whenCreated: 20140812175327.0Z
whenChanged: 20140812193705.0Z
uSNCreated: 32907
uSNChanged: 32933
showInAdvancedViewOnly: TRUE
name: admin
objectGUID:: /J/oUhUayUW2feT3Dp2B2g==
objectCategory: CN=Organizational-Role,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 16010101000000.0Z

# Member, Roles, OpenStack, corp.somedomain.com
dn: CN=Member,OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalRole
cn: Member
distinguishedName: CN=Member,OU=Roles,OU=OpenStack,DC=corp,DC=somedomain,DC=co
 m
instanceType: 4
whenCreated: 20140812175447.0Z
whenChanged: 20140812175447.0Z
uSNCreated: 32908
uSNChanged: 32908
showInAdvancedViewOnly: TRUE
name: Member
objectGUID:: Ou9fmZ3V0E633LpvD4g8cg==
objectCategory: CN=Organizational-Role,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
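
Added example, not part of the original post and not Keystone's code: the traceback above ends in a strict UTF-8 decode of an LDAP attribute value, and LDIF marks values that are not plain strings, such as objectGUID, with `::` (base64). The sketch below takes one entry copied from the dump, recovers the raw bytes an LDAP client would receive, and reports which attributes cannot be decoded as UTF-8. The function names are hypothetical, and the dump does not contain the user entry that the failing lookup read, so this shows the check rather than the attribute that failed there.

```python
import base64

# Sample input: the OU=OpenStack entry copied from the AD dump above
# (operational attributes trimmed). The folded line keeps its leading space.
SAMPLE_LDIF = """\
dn: OU=OpenStack,DC=corp,DC=somedomain,DC=com
objectClass: top
objectClass: organizationalUnit
ou: OpenStack
name: OpenStack
objectGUID:: V/bbeiu4iE+d57PtpeCLQA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=corp,DC=s
 omedomain,DC=com
"""


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_entry(text):
    """Return [(attribute, raw_bytes)] for one LDIF entry."""
    attrs = []
    for line in unfold(text):
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            # "attr:: value" means the value is base64-encoded.
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        attrs.append((name, value))
    return attrs


def undecodable(text):
    """List (attribute, byte offset, byte) for values that are not valid UTF-8."""
    bad = []
    for name, value in parse_entry(text):
        try:
            value.decode("utf-8")
        except UnicodeDecodeError as exc:
            bad.append((name, exc.start, value[exc.start]))
    return bad


if __name__ == "__main__":
    for name, offset, byte in undecodable(SAMPLE_LDIF):
        print("%s: cannot decode byte 0x%02x at position %d" % (name, byte, offset))
```

Running the same check over an `ldapsearch` dump of the user tree (`cn=Users,...` in the config above) lists the attributes that a strict UTF-8 decode would reject.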