After some tweaking I got LDAP working with keystone but there are still some issues/questions. I hope someone can shed some light. Here are my settings (using essex).

keystone.conf:

    [ldap]
    url=ldap://ldap.myproject.org
    tree_dn=dc=myproject,dc=org
    user_tree_dn=ou=People,dc=myproject,dc=org
    user_objectclass=inetOrgPerson
    user_id_attribute=uid
    role_tree_dn=ou=Roles,dc=myproject,dc=org
    role_objectclass=organizationalRole
    role_id_attribute=cn
    role_member_attribute=roleOccupant
    tenant_tree_dn=ou=ostenants,dc=myproject,dc=org
    tenant_objectclass=groupOfNames
    tenant_id_attribute=cn
    tenant_member_attribute=member
    user=uid=ldapuser,ou=People,dc=myproject,dc=org
    password=secret
    backend_entities=['Tenant', 'User', 'UserRoleAssociation', 'Role']
    suffix=dc=myproject,dc=org

In LDAP, I created a user called admin:

    dn: uid=admin,ou=People,dc=myproject,dc=org
    ufn: admin, People, myproject.org
    uid: admin
    cn: admin
    objectClass: top
    objectClass: inetOrgPerson
    givenName: Admin
    sn: admin

and added this user's info (OS_USERNAME, OS_TENANT_NAME and OS_PASSWORD) and OS_AUTH_URL="http://localhost:5000/v2.0/", SERVICE_ENDPOINT="http://localhost:35357/v2.0" and SERVICE_TOKEN in an rc file.

I also created an OU called ostenants:

    dn: ou=ostenants,dc=myproject,dc=org
    ufn: ostenants, myproject.org
    ou: ostenants
    description: Tenants For OpenStack
    objectClass: organizationalUnit

I have an OU called Roles but I am not using this yet for role assignment:

    dn: ou=Roles,dc=myproject,dc=org
    ufn: Roles, myproject.org
    ou: Roles
    description: Roles for OpenStack Users and Tenants
    objectClass: organizationalUnit

Then I created an entry as groupOfNames called fg82. I added admin and myself to that group as members. As I have "tenant_tree_dn=ou=ostenants,dc=myproject,dc=org", my goal is to get the group fg82 as a tenant in keystone.

    dn: cn=fg82,ou=ostenants,dc=myproject,dc=org
    ufn: fg82, ostenants, myproject.org
    objectClass: groupOfNames
    cn: fg82
    member: uid=admin,ou=People,dc=myproject,dc=org
    member: uid=sharif,ou=People,dc=myproject,dc=org

Now, as admin user, from the keystone server when I run this, I can see this tenant:

    # keystone tenant-list
    No handlers could be found for logger "keystoneclient.v2_0.client"
    +------+------+---------+
    |  id  | name | enabled |
    +------+------+---------+
    | fg82 |      |  True   |
    +------+------+---------+

but:

    # keystone user-list
    No handlers could be found for logger "keystoneclient.client"
    The action you have requested has not been implemented. (HTTP 501)

I can now get details about all the users in LDAP, not just these two, which is really cool:

    # keystone user-get admin
    +----------+-------+
    | Property | Value |
    +----------+-------+
    |    id    | admin |
    |   name   | admin |
    +----------+-------+

    # keystone user-get sharif
    +----------+--------+
    | Property | Value  |
    +----------+--------+
    |    id    | sharif |
    |   name   | Islam  |
    +----------+--------+

(Note: using sn here might create some problems with people with the same last name.)

But tenant-get only shows the tenant name:

    # keystone tenant-get fg82
    +----------+-------+
    | Property | Value |
    +----------+-------+
    |    id    | fg82  |
    +----------+-------+

How can I get a list of all the users who are in tenant fg82? I know the message says "The action you have requested has not been implemented", but as keystone can talk to LDAP, there should be a way to retrieve the list.
--sharif

--
Sharif Islam
Senior Systems Analyst/Programmer
FutureGrid (http://www.futuregrid.org)
Pervasive Technology Institute, Indiana University Bloomington

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
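As an added example (not code from the post or from Keystone), this is the lookup that tenant-get would have to perform over the entries quoted above: read the tenant group's `member` DNs (tenant_member_attribute) and map each back to a `uid` (user_id_attribute) under user_tree_dn. The LDIF is constructed from the post's entries, the extra member `cn=svc,ou=Services,...` and the function names are assumptions; a member DN with no entry or outside the user tree is skipped rather than reported, since a groupOfNames can name any DN.

```python
USER_TREE_DN = "ou=People,dc=myproject,dc=org"       # keystone.conf user_tree_dn
TENANT_TREE_DN = "ou=ostenants,dc=myproject,dc=org"  # keystone.conf tenant_tree_dn

# Constructed LDIF: the post's entries plus one member DN outside the user tree.
SAMPLE_LDIF = """\
dn: uid=admin,ou=People,dc=myproject,dc=org
objectClass: inetOrgPerson
uid: admin

dn: uid=sharif,ou=People,dc=myproject,dc=org
objectClass: inetOrgPerson
uid: sharif

dn: cn=fg82,ou=ostenants,dc=myproject,dc=org
objectClass: groupOfNames
cn: fg82
member: uid=admin,ou=People,dc=myproject,dc=org
member: uid=sharif,ou=People,dc=myproject,dc=org
member: cn=svc,ou=Services,dc=myproject,dc=org
"""


def parse_ldif(text):
    """Parse plain LDIF (no base64, no line folding) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0].lower()] = attrs
    return entries


def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))


def tenant_members(entries, tenant_id):
    """Return the uid (user_id_attribute) of every user named in the tenant's member attribute."""
    group = entries.get(f"cn={tenant_id},{TENANT_TREE_DN}".lower())
    if group is None or not has_class(group, "groupOfNames"):
        raise KeyError(f"no groupOfNames tenant {tenant_id!r} under {TENANT_TREE_DN}")
    uids = []
    for member_dn in group.get("member", []):
        user = entries.get(member_dn.lower())
        in_tree = member_dn.lower().endswith("," + USER_TREE_DN.lower())
        if user is not None and in_tree and has_class(user, "inetOrgPerson"):
            uids.extend(user.get("uid", []))  # dangling/out-of-tree DNs are skipped
    return sorted(uids)
```

Against a live directory the same two steps are a base-scope read of the tenant entry followed by one lookup per member DN with the configured bind user.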