openstack team mailing list archive
Message #12126
keystone user-list (The action you have requested has not been implemented)
After some tweaking I got LDAP working with keystone but there are
still some issues/questions. I hope someone can shed some light.
Here are my settings (using Essex).
keystone.conf:
[ldap]
url=ldap://ldap.myproject.org
tree_dn=dc=myproject,dc=org
user_tree_dn=ou=People,dc=myproject,dc=org
user_objectclass=inetOrgPerson
user_id_attribute=uid
role_tree_dn=ou=Roles,dc=myproject,dc=org
role_objectclass=organizationalRole
role_id_attribute=cn
role_member_attribute=roleOccupant
tenant_tree_dn=ou=ostenants,dc=myproject,dc=org
tenant_objectclass=groupOfNames
tenant_id_attribute=cn
tenant_member_attribute=member
user=uid=ldapuser,ou=People,dc=myproject,dc=org
password=secret
backend_entities=['Tenant', 'User', 'UserRoleAssociation', 'Role']
suffix=dc=myproject,dc=org
In LDAP, I created a user called admin:
dn: uid=admin,ou=People,dc=myproject,dc=org
ufn: admin, People, myproject.org
uid: admin
cn: admin
objectClass: top
objectClass: inetOrgPerson
givenName: Admin
sn: admin
and added this user's info (OS_USERNAME, OS_TENANT_NAME and
OS_PASSWORD) and OS_AUTH_URL="http://localhost:5000/v2.0/"
SERVICE_ENDPOINT="http://localhost:35357/v2.0" and SERVICE_TOKEN in a
rc file.
I also created an OU called ostenants:
dn: ou=ostenants,dc=myproject,dc=org
ufn: ostenants, myproject.org
ou: ostenants
description: Tenants For OpenStack
objectClass: organizationalUnit
I have an OU called Roles but I am not using this yet for role
assignment:
dn: ou=Roles,dc=myproject,dc=org
ufn: Roles, myproject.org
ou: Roles
description: Roles for OpenStack Users and Tenants
objectClass: organizationalUnit
Then I created an entry as groupOfNames called fg82. I added admin and
myself to that group as a member. As I have
"tenant_tree_dn=ou=ostenants,dc=myproject,dc=org" my goal is to get
the group fg82 as a tenant in keystone.
dn: cn=fg82,ou=ostenants,dc=myproject,dc=org
ufn: fg82, ostenants, myproject.org
objectClass: groupOfNames
cn: fg82
member: uid=admin,ou=People,dc=myproject,dc=org
member: uid=sharif,ou=People,dc=myproject,dc=org
Now, as admin user, from the keystone server when I run this, I can
see this tenant:
# keystone tenant-list
No handlers could be found for logger "keystoneclient.v2_0.client"
+------+------+---------+
| id | name | enabled |
+------+------+---------+
| fg82 | | True |
+------+------+---------+
but
# keystone user-list
No handlers could be found for logger "keystoneclient.client"
The action you have requested has not been implemented. (HTTP 501)
I can now get details about all the users in LDAP not just these two
which is really cool:
# keystone user-get admin
+----------+-------+
| Property | Value |
+----------+-------+
| id | admin |
| name | admin |
+----------+-------+
# keystone user-get sharif
+----------+--------+
| Property | Value |
+----------+--------+
| id | sharif |
| name | Islam |
+----------+--------+
(Note: using sn here might create some problems with people with the
same last name).
But tenant-get only shows the tenant name.
# keystone tenant-get fg82
+----------+-------+
| Property | Value |
+----------+-------+
| id | fg82 |
+----------+-------+
How can I get a list of all the users who are in tenant fg82? I know the
message says "The action you have requested has not been implemented"
but as keystone can talk to LDAP, there should be a way to retrieve
the list.
--sharif
--
Sharif Islam
Senior Systems Analyst/Programmer
FutureGrid (http://www.futuregrid.org)
Pervasive Technology Institute, Indiana University Bloomington
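
The tenant-to-user mapping that the [ldap] settings above declare can be resolved offline from an LDIF export of the directory. The following is an added example, not part of the original message and not Keystone's own code; the function names `parse_ldif` and `tenant_members` are hypothetical, and the parser assumes simple LDIF without line folding, base64 values or escaped commas in DNs.

```python
# Constructed input: entries from the message, plus one constructed member outside ou=People.
LDIF = """\
dn: ou=ostenants,dc=myproject,dc=org
objectClass: organizationalUnit

dn: cn=fg82,ou=ostenants,dc=myproject,dc=org
objectClass: groupOfNames
cn: fg82
member: uid=admin,ou=People,dc=myproject,dc=org
member: uid=sharif,ou=People,dc=myproject,dc=org
# constructed, not from the message:
member: cn=svc,ou=Services,dc=myproject,dc=org
"""

# Values from the [ldap] section of the keystone.conf in the message.
CONF = {
    "user_tree_dn": "ou=People,dc=myproject,dc=org", "user_id_attribute": "uid",
    "tenant_tree_dn": "ou=ostenants,dc=myproject,dc=org", "tenant_objectclass": "groupOfNames",
    "tenant_id_attribute": "cn", "tenant_member_attribute": "member",
}

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into attr -> values dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#"):
                attr, _, value = line.partition(": ")
                entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def tenant_members(entries, tenant_id, conf=CONF):
    """Return the user ids in one tenant group, or None if the tenant is not found."""
    c = {k: v.lower() for k, v in conf.items()}
    for e in entries:
        classes = [v.lower() for v in e.get("objectclass", [])]
        if (e["dn"][0].lower().endswith("," + c["tenant_tree_dn"])
                and c["tenant_objectclass"] in classes
                and tenant_id in e.get(c["tenant_id_attribute"], [])):
            users = []
            for dn in e.get(c["tenant_member_attribute"], []):
                rdn, _, parent = dn.partition(",")  # assumes no escaped commas
                attr, _, value = rdn.partition("=")
                if parent.lower() == c["user_tree_dn"] and attr.lower() == c["user_id_attribute"]:
                    users.append(value)
            return users
    return None
```

Members whose DN is not directly under `user_tree_dn` are skipped, so the constructed `cn=svc` entry does not appear in the result for `fg82`.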