On 11/14/2014 02:08 PM, [email protected] wrote:
1. Authentication. This is done via a simple bind to the LDAP server.
2. Get user data. This is done as an LDAP query to the LDAP server as the system LDAP user, not as the end user.
3. Getting the roles for the user on the project. If you are requesting a project scoped token, this would fail if the user had no roles on the project.


Okay, I managed to get our Icehouse system authenticating via AD/LDAP by going to git, fetching whatever the latest version of the core.py of LDAP and throwing it over top of the one that we're running (which is from yum repo from RDO?)

Now we're hitting a:
RESP BODY: {"error": {"message": "User OpenStack Admin is unauthorized for tenant c559b2ddf24d4ebc820d91111111111", "code": 401, "title": "Unauthorized"}}

Using the Service token, add a role (probably "Admin") for the user "OpenStack Admin" on the project with id c559b2ddf24d4ebc820d91111111111 and it should authorize.

(note 111's to scrub data, not natural)


Which may be a configuration issue on our side, or might be a result of throwing the latest core.py from LDAP on top of an older baseline.

Our keystone said it was 0.9.0 I believe.

I got the core.py from here:
https://github.com/openstack/keystone

(Is that Juno release code?)

The Icehouse system would bomb on the LDAP auth part after doing a long sequence of:
ldap_get_values_len
ldap_next_attribute

whereas the working Havana system would follow that up with a new LDAP query (most likely going after groups or other attributes), whereas the non-working Icehouse I assume quits as the password doesn't pass.

I'm guessing (but am not sure) that the repeating calls are it comparing the password character by character or something? Not sure.



_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

