← Back to team overview

openstack team mailing list archive

Re: Help with keystone LDAP backend

 

I'd suggest enabling debug=True in keystone.conf and comparing the LDAP
queries being issued (shown in logs) against what you're expecting.

I believe that [ldap] query_scope=sub does in fact expand queries to apply
to subtrees, beyond just a single level (as the default value is
query_scope=one).


-Dolph


On Sun, Mar 3, 2013 at 12:05 PM, Steven Presser <spresse1@xxxxxxx> wrote:

> Hey all,
>     I have some questions about using the LDAP backend for keystone.  I'm
> in what seems to be an odd situation.  I have an organization-wide DLAP
> directory that already exists.  All of our users will have access to
> OpenStack, so we want to tie directly into this directory.  However, we
> can't have service accounts mixed in with the regular users, at least not
> in any way that might result in you being able to log in to a service
> account.  For neatness, the directory admin would prefer that all the
> OpenStack stuff be off in its own OU (and has allocated us one so we can do
> that).
>     In that OU, I've set up the recommended schema from
> http://docs.openstack.org/**trunk/openstack-compute/admin/**
> content/configuring-keystone-**for-ldap-backend.html<http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html>(changing it to my domain, obviously).  I then aliased all our users in to
> ou=Users.  The relevant part of my keystone.conf currently looks like:
>
> [ldap]
> url = ldap://[host]
> user = cn=admin,ou=OpenStack,dc=acm,**dc=jhu,dc=edu
> password = [password]
> suffix = dc=acm,dc=jhu,dc=edu
> use_dumb_member = False
> allow_subtree_delete = False
> query_scope = sub
>
> As near as I can tell, this should correspond to this query:
> $ ldapsearch -x  -D cn=admin,ou=OpenStack,dc=acm,**dc=jhu,dc=edu -w
> [password]  -b dc=acm,dc=jhu,dc=edu '(objectclass=inetOrgPerson)' -s sub
>
> Which returns my aliased users correctly.  (that is, it returns "dn:
> uid=[uid],ou=People,dc=acm,dc=**jhu,dc=edu" for each user).
>
> I really can't figure out whats going on here.  Logically, this should
> work, but (obviously) doesn't.  Anyone have some advice for me?   My
> suspicion is that query_scope=sub isn't doing what I expect.  (Returning
> search results from within a subtree)
>
> Oh, finally, I have DEREF always enabled in ldap.conf.
>
> Thanks,
> Steve
>
>
>
> ______________________________**_________________
> Mailing list: https://launchpad.net/~**openstack<https://launchpad.net/~openstack>
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~**openstack<https://launchpad.net/~openstack>
> More help   : https://help.launchpad.net/**ListHelp<https://help.launchpad.net/ListHelp>
>

Follow ups

References