+++ This bug was initially created as a clone of Bug #1185960 +++

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

--- Additional comment from Rich Megginson on 2015-01-26 12:13:36 EST ---

When using Keystone with an LDAP identity backend, the default_project_id is not stored in the entry e.g. openstack user list and user show will display an empty project. openstack user role list --project must be used to test if the user is a member of the tenant/project.

The puppet-keystone module needs to be aware of how to handle tenant/project when there is an LDAP backend. Note that this particular change also depends on the switch of puppet-keystone to use the openstack client instead of the keystone client.
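The membership test described in the comment above, as an added shell example (not code from this bug report or from puppet-keystone). The function names and the OPENSTACK override variable are assumptions made for illustration, and the client is assumed to have its credentials in the environment.

```shell
#!/bin/sh
# Added example: decide project membership from role assignments, because with
# an LDAP identity backend the project shown by "openstack user show" is empty
# and says nothing about membership.
# OPENSTACK is a hypothetical override so the check can be pointed at a wrapper.
OPENSTACK="${OPENSTACK:-openstack}"

# Print the roles the user holds in the project, one row per role.
# "-f value" prints bare rows, so no assignment means no output at all.
user_project_roles() {
    user=$1
    project=$2
    "$OPENSTACK" user role list --project "$project" "$user" -f value
}

# Exit status: 0 = user has at least one role in the project,
#              1 = user has no role there,
#              2 = the client or the API call failed (unknown user or project,
#                  bad credentials); never treat this as "not a member".
user_in_project() {
    roles=$(user_project_roles "$1" "$2") || return 2
    [ -n "$roles" ]
}

# Stand-alone use: ./check.sh <user> <project>
if [ "$#" -eq 2 ]; then
    rc=0
    user_in_project "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "$1 has a role in project $2" ;;
        1) echo "$1 has no role in project $2" ;;
        *) echo "lookup failed for $1 in $2" >&2 ;;
    esac
    exit "$rc"
fi
```

Keeping the failure status separate from "no role" matters for automation such as a Puppet provider: a failed lookup should not be read as a missing assignment and trigger a re-grant.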
This patch has been added to the OPM repo
https://github.com/stackforge/puppet-keystone/tree/stable/juno

Can I have acks in order to build the package?
(In reply to Ivan Chavero from comment #3)
> This patch has been added to the OPM repo
> https://github.com/stackforge/puppet-keystone/tree/stable/juno
>
> Can i have acks in order to build the package?

Looks like you have the acks - can you build the package now?
Ivan, we need this to test Rich's patch for ofi. Is there a build we can use at this time? Thanks
Nathan, any meaningful way to test this without an AD/IPA server?
(In reply to Mike Abrams from comment #7)
> Nathan, any meaningful way to test this without an AD/IPA server?

Do you mean, as opposed to some other LDAP server? You need some sort of LDAP server. I did my testing with "plain" 389:

* yum install 389-ds-base
* setup-ds.pl - use dc=example,dc=com as the suffix

I did my installer testing using packstack. See http://richmegginson.livejournal.com/25156.html
Created attachment 1003267
script to set up ldap server and run packstack

I copied and pasted excerpts of a script I use (in a cloud-init) to set up a VM to test puppet code using packstack. This will set up an LDAP server (389) and configure packstack to set up Keystone with an LDAP identity backend. If you uncomment PRECREATE_USERS this will set up Keystone with a read-only LDAP backend, otherwise, it will use read-write.
Sanity against the latest puddle connected to an IPA ldap server yields successes across the board. One caveat is that the negative token test for the user portion now fails on 500 and not on 401; see this bug for more information:
https://bugzilla.redhat.com/show_bug.cgi?id=1204460

Final result: VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0789.html