openstackgerrit | Eric Brown proposed openstack/keystone: Add the deprecated_since to deprecate options https://review.openstack.org/365174 | 00:04 |
---|---|---|
openstackgerrit | Eric Brown proposed openstack/keystone: Add the deprecated_since to deprecated options https://review.openstack.org/365174 | 00:05 |
openstackgerrit | Eric Brown proposed openstack/keystone: Add the deprecated_since to deprecated options https://review.openstack.org/365174 | 00:07 |
*** dikonoo has joined #openstack-keystone | 00:07 | |
*** asettle has quit IRC | 00:10 | |
*** dikonoo has quit IRC | 00:12 | |
*** gyee has quit IRC | 00:14 | |
*** sdake has quit IRC | 00:16 | |
*** ddieterly has joined #openstack-keystone | 00:19 | |
openstackgerrit | Sean Perry proposed openstack/keystone: Project domain must match role domain for assignment https://review.openstack.org/365177 | 00:20 |
*** sdake has joined #openstack-keystone | 00:21 | |
*** adrian_otto has quit IRC | 00:29 | |
*** ddieterly has quit IRC | 00:31 | |
*** su_zhang has joined #openstack-keystone | 00:34 | |
*** ddieterly has joined #openstack-keystone | 00:41 | |
*** roxanaghe has quit IRC | 00:49 | |
*** su_zhang has quit IRC | 00:51 | |
*** ddieterly has quit IRC | 00:58 | |
*** su_zhang has joined #openstack-keystone | 01:00 | |
*** ddieterly has joined #openstack-keystone | 01:02 | |
*** markvoelker has joined #openstack-keystone | 01:07 | |
*** su_zhang has quit IRC | 01:08 | |
*** su_zhang has joined #openstack-keystone | 01:08 | |
*** su_zhang has quit IRC | 01:12 | |
*** markvoelker has quit IRC | 01:13 | |
*** spzala has joined #openstack-keystone | 01:45 | |
*** spzala has quit IRC | 01:50 | |
*** ddieterly has quit IRC | 02:06 | |
*** ddieterly has joined #openstack-keystone | 02:17 | |
*** spedione|AWAY is now known as spedione | 02:27 | |
*** ddieterly has quit IRC | 02:39 | |
*** spzala has joined #openstack-keystone | 02:40 | |
*** spedione is now known as spedione|AWAY | 02:43 | |
*** ddieterly has joined #openstack-keystone | 02:45 | |
*** ddieterly has quit IRC | 02:59 | |
*** woodster_ has quit IRC | 02:59 | |
openstackgerrit | JiWei proposed openstack/keystoneauth: Raise NotImplementedError instead of NotImplemented https://review.openstack.org/365194 | 03:08 |
*** markvoelker has joined #openstack-keystone | 03:09 | |
*** asettle has joined #openstack-keystone | 03:13 | |
*** spzala has quit IRC | 03:13 | |
*** markvoelker has quit IRC | 03:14 | |
openstackgerrit | JiWei proposed openstack/keystoneauth: Raise NotImplementedError instead of NotImplemented https://review.openstack.org/365195 | 03:14 |
*** asettle has quit IRC | 03:21 | |
openstackgerrit | JiWei proposed openstack/keystone: Raise NotImplementedError instead of NotImplemented https://review.openstack.org/365196 | 03:27 |
*** sdake_ has joined #openstack-keystone | 03:38 | |
*** sdake has quit IRC | 03:41 | |
*** sdake_ has quit IRC | 03:58 | |
*** links has joined #openstack-keystone | 04:15 | |
openstackgerrit | ayoung proposed openstack/keystone: No Op provider for credential encryption https://review.openstack.org/365087 | 04:19 |
*** sdake has joined #openstack-keystone | 04:55 | |
*** adam_g has quit IRC | 04:58 | |
*** adam_g has joined #openstack-keystone | 05:02 | |
*** adam_g has quit IRC | 05:02 | |
*** adam_g has joined #openstack-keystone | 05:02 | |
*** markvoelker has joined #openstack-keystone | 05:10 | |
*** sdake has quit IRC | 05:14 | |
*** markvoelker has quit IRC | 05:14 | |
openstackgerrit | JiWei proposed openstack/keystone: Raise NotImplementedError instead of NotImplemented https://review.openstack.org/365196 | 05:19 |
*** su_zhang has joined #openstack-keystone | 05:38 | |
*** richm has quit IRC | 05:39 | |
*** maestropandy has joined #openstack-keystone | 05:39 | |
*** snecklifter has quit IRC | 05:50 | |
*** sdake has joined #openstack-keystone | 06:10 | |
*** su_zhang has quit IRC | 06:16 | |
*** su_zhang has joined #openstack-keystone | 06:17 | |
*** su_zhang has quit IRC | 06:21 | |
*** tesseract- has joined #openstack-keystone | 06:39 | |
*** sdake has quit IRC | 06:50 | |
*** markvoelker has joined #openstack-keystone | 07:11 | |
*** markvoelker has quit IRC | 07:15 | |
*** asettle has joined #openstack-keystone | 07:19 | |
*** asettle has quit IRC | 07:27 | |
*** chrichip has quit IRC | 07:46 | |
*** chrichip has joined #openstack-keystone | 07:47 | |
*** zzzeek has quit IRC | 08:00 | |
*** zzzeek has joined #openstack-keystone | 08:00 | |
*** maestropandy has quit IRC | 08:01 | |
*** esp has joined #openstack-keystone | 08:07 | |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435 | 08:10 |
*** esp has quit IRC | 08:11 | |
*** asettle has joined #openstack-keystone | 08:44 | |
*** sdake has joined #openstack-keystone | 08:45 | |
*** asettle has quit IRC | 09:00 | |
*** markvoelker has joined #openstack-keystone | 09:11 | |
*** markvoelker has quit IRC | 09:16 | |
*** sdake has quit IRC | 09:59 | |
*** cnf has joined #openstack-keystone | 10:02 | |
cnf | morning everyone | 10:04 |
*** richm has joined #openstack-keystone | 10:11 | |
*** ayoung has quit IRC | 10:40 | |
*** ayoung has joined #openstack-keystone | 10:50 | |
*** ChanServ sets mode: +v ayoung | 10:50 | |
*** stian_ has quit IRC | 11:00 | |
cnf | can anyone help me get keystone working with ldap? | 11:05 |
dstanek | cnf: go ahead and ask your questions and i'm sure someone that can help will once they come along | 11:06 |
cnf | not sure what to ask, I followed http://docs.openstack.org/admin-guide/keystone-integrate-with-ldap.html, and now I have no idea how to proceed | 11:07 |
dstanek | cnf: what's the issue that you are having? | 11:08 |
cnf | I have no idea how to talk to keystone, I have no idea if this is because i am missing data in ldap or something | 11:08 |
dstanek | what happens why you try to auth using one of your accounts from ldap? | 11:09 |
*** joerch has quit IRC | 11:10 | |
dstanek | cnf: just an fyi, i'll help while i can, but today is a travel day for me | 11:10 |
cnf | keystone --os-token <token> user-list gives me deprecation warning, and 500 errors | 11:10 |
dstanek | cnf: where did the token come from? | 11:11 |
cnf | it's set in /etc/keystone/keystone.conf | 11:11 |
dstanek | cnf: also did you look in the keystone log to checkout the 500s? | 11:11 |
dstanek | cnf: that's not going to be using ldap for auth then....also user list for ldap isn't a great experience. i think we have a hard limit of how many to return | 11:12 |
*** markvoelker has joined #openstack-keystone | 11:12 | |
cnf | dstanek: well, sure, but I don't know how to set up ldap yet | 11:13 |
cnf | i have no idea what is expected in ldap | 11:13 |
cnf | i tried horizon first, but that just kept telling me there was no domain "default" | 11:14 |
dstanek | cnf: so you don't have an existing ldap? | 11:14 |
cnf | I do | 11:14 |
dstanek | cnf: did you configure the [ldap] section in your keystone.conf? | 11:15 |
cnf | oh, I did :P | 11:15 |
cnf | 2016-09-03 11:15:06.758 42 ERROR keystone.auth.plugins.core DomainNotFound: Could not find domain: default | 11:15 |
cnf | is what I get when I try horizon | 11:15 |
cnf | i'm guessing i need to set it in ldap, but I have no idea what the format is supposed to be | 11:16 |
dstanek | then your next step should be to turn on debugging and try to auth to keystone using an ldap account | 11:16 |
cnf | dstanek: well, I did | 11:17 |
cnf | and the error i get is the one i pasted above | 11:17 |
*** markvoelker has quit IRC | 11:17 | |
dstanek | cnf: domains shouldn't be in ldap. | 11:18 |
cnf | well, then I don't know how to fix that error | 11:18 |
cnf | I need to authenticate to add a domain, but I can't authenticate because it doesn't know the domain | 11:19 |
cnf | hence I was trying the token | 11:19 |
dstanek | and what is in the log when you use the token? | 11:19 |
dstanek | a 500 should log a traceback | 11:19 |
dstanek | i'm not really familiar with those guides so i don't know how they tell you to create the default domain. | 11:20 |
dstanek | there are really two ways. one is using the magic admin token, which appears to be what you are doing and the other is 'keystone-manager bootstrap' | 11:21 |
cnf | they don't | 11:21 |
cnf | default domain isn't mentioned | 11:21 |
dstanek | oops....keystone-manage | 11:21 |
cnf | keystone-manage bootstrap just gives me loads of tracebacks | 11:22 |
dstanek | cnf: i think you want to be following an installation guide to install keystone, but i'm not sure | 11:22 |
cnf | there are too many installation guides | 11:23 |
cnf | i followed one of them, I can't even remember which one | 11:23 |
dstanek | cnf: for example in the install guide for ubuntu http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-users.html | 11:23 |
dstanek | cnf: pick one :-) | 11:23 |
dstanek | that's the old way, but it should work fine | 11:23 |
cnf | well, that won't work, because i can't auth | 11:24 |
dstanek | cnf: i'm not sure why your admin token wouldn't work....do you have the middleware setup? | 11:24 |
cnf | not that I know of | 11:25 |
cnf | oh, hmm | 11:25 |
cnf | ugh, I think the guide I followed for ldap had a setup for a single domain | 11:25 |
cnf | Multiple domains are not supported (HTTP 400) | 11:26 |
cnf | hmm, ldap doesn't support multiple domains well, it seems | 11:30 |
cnf | I think, anyway | 11:30 |
cnf | I just want to get swift working ^^; | 11:33 |
cnf | hmm, and turing off domain support isn't that easy, it seems | 11:36 |
cnf | ugh | 11:38 |
cnf | if I turn off domains, i get errors, if I turn it on i get errors | 11:38 |
cnf | yeah, I don't understand this | 11:41 |
cnf | hmm, i cant find a combination of settings that makes this work :( | 11:48 |
cnf | hmm, so v3 _always_ need a domain | 11:51 |
cnf | and ldap backend doesn't really do domains | 11:51 |
cnf | so i'm basically screwed | 11:51 |
*** ddieterly has joined #openstack-keystone | 11:52 | |
dstanek | i think both v2 and v3 will both need a domain to function | 11:59 |
dstanek | v3 calls use the domain explicitly, whereas v2 implicitly use the default domain | 11:59 |
dstanek | but i think in both cases you need that domain there | 11:59 |
cnf | hmz | 12:03 |
cnf | 2016-09-03 12:03:31.924 513 DEBUG keystone.middleware.auth [req-fb716f3d-26ef-42ad-9677-3a980c3767f9 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:71 | 12:04 |
cnf | i get now, from horizon | 12:04 |
cnf | no, i get it from keystone, trying to log in from horizon | 12:04 |
cnf | hmz, it keeps stubeling on the domain | 12:09 |
cnf | I can only assume i'm doing something very stupid, or ldap support doesn't actually work anymore in keystone | 12:10 |
*** links has quit IRC | 12:16 | |
*** chlong has joined #openstack-keystone | 12:17 | |
*** stian_ has joined #openstack-keystone | 12:22 | |
*** ddieterly has quit IRC | 12:42 | |
*** ddieterly has joined #openstack-keystone | 12:51 | |
*** ddieterly has quit IRC | 12:57 | |
*** ddieterly has joined #openstack-keystone | 13:04 | |
*** EinstCrazy has joined #openstack-keystone | 13:07 | |
*** ddieterly is now known as ddieterly[away] | 13:10 | |
*** markvoelker has joined #openstack-keystone | 13:13 | |
*** ddieterly[away] is now known as ddieterly | 13:14 | |
*** markvoelker has quit IRC | 13:17 | |
*** ddieterly is now known as ddieterly[away] | 13:21 | |
*** markvoelker has joined #openstack-keystone | 13:22 | |
cnf | yeah, I can't get this working without some help | 13:23 |
*** su_zhang has joined #openstack-keystone | 13:27 | |
*** ddieterly[away] has quit IRC | 13:30 | |
*** su_zhang has quit IRC | 13:48 | |
*** su_zhang has joined #openstack-keystone | 13:49 | |
*** ddieterly has joined #openstack-keystone | 13:53 | |
*** su_zhang has quit IRC | 13:53 | |
*** ddieterly has quit IRC | 14:01 | |
*** ddieterly has joined #openstack-keystone | 14:02 | |
*** ddieterly has quit IRC | 14:02 | |
*** ddieterly has joined #openstack-keystone | 14:39 | |
*** ddieterly has quit IRC | 14:44 | |
*** phalmos has joined #openstack-keystone | 14:59 | |
*** phalmos has quit IRC | 15:04 | |
*** EinstCrazy has quit IRC | 15:06 | |
*** ddieterly has joined #openstack-keystone | 15:11 | |
*** ddieterly has quit IRC | 15:14 | |
*** tesseract- has quit IRC | 15:38 | |
*** markvoelker has quit IRC | 15:39 | |
*** ddieterly has joined #openstack-keystone | 15:41 | |
*** lamt has quit IRC | 15:49 | |
*** ddieterly has quit IRC | 16:30 | |
*** chlong has quit IRC | 16:35 | |
*** ddieterly has joined #openstack-keystone | 16:41 | |
*** ddieterly is now known as ddieterly[away] | 16:43 | |
*** su_zhang has joined #openstack-keystone | 16:44 | |
*** su_zhang has quit IRC | 16:45 | |
*** su_zhang has joined #openstack-keystone | 16:45 | |
*** su_zhang has quit IRC | 16:50 | |
*** su_zhang has joined #openstack-keystone | 16:51 | |
cnf | anyone that can help me with this domain thing, and ldap for keystone? | 16:57 |
*** su_zhang has quit IRC | 17:34 | |
*** ddieterly[away] is now known as ddieterly | 17:41 | |
cnf | does keystone not query ldap for projects and roles? | 17:44 |
*** ddieterly has quit IRC | 17:45 | |
breton | v2 doesn't accept information about domains at all afaik | 17:46 |
breton | i also think that storing projects and roles in LDAP is either deprecated a long time ago or removed | 17:47 |
cnf | hmz | 17:47 |
cnf | dammit | 17:47 |
cnf | i can't get any of this to work | 17:48 |
cnf | breton: and if project / roles in ldap was remove, then why was the tenant_tree_dn renamed to project_tree_dn not so long ago? | 17:49 |
cnf | removed* | 17:49 |
*** sdake has joined #openstack-keystone | 17:50 | |
*** wasmum has quit IRC | 17:50 | |
breton | cnf: no idea, bulk rename maybe | 17:51 |
cnf | hmm | 17:51 |
cnf | wonder why that was removed :/ | 17:51 |
breton | many reasons. Why do you want to store projects and roles in LDAP? | 17:52 |
cnf | because I want all administration to go through ldap | 17:54 |
cnf | instead of needing 2 places to manage things | 17:55 |
cnf | i can't get either to work, though | 17:55 |
cnf | i can get as far as seeing my users and groups with openstack user list and openstack group list with the service token | 17:58 |
cnf | can't get horizon to log in, at all | 17:59 |
cnf | not sure what to do now | 17:59 |
cnf | if I don't enable multi domain support, I can't add roles or projects | 18:01 |
cnf | if i enable it, I can't log in with anything | 18:02 |
*** wasmum has joined #openstack-keystone | 18:02 | |
cnf | yep, enable multi domain, now horizon just gives me trace backs | 18:11 |
cnf | o,O | 18:11 |
cnf | raise exceptions.EmptyCatalog('The service catalog is empty.') | 18:13 |
cnf | hmz, this is depressing | 18:16 |
*** sdake has quit IRC | 18:18 | |
cnf | I can't get auth working in any way against ldap :/ | 18:21 |
*** markvoelker has joined #openstack-keystone | 18:40 | |
*** markvoelker has quit IRC | 18:45 | |
*** joerch has joined #openstack-keystone | 19:15 | |
*** sdake has joined #openstack-keystone | 19:21 | |
*** joerch has quit IRC | 19:22 | |
*** diltram_ has joined #openstack-keystone | 19:23 | |
*** diltram has quit IRC | 19:23 | |
*** diltram_ is now known as diltram | 19:24 | |
*** ddieterly has joined #openstack-keystone | 19:26 | |
*** ddieterly has quit IRC | 19:31 | |
*** sdake has quit IRC | 19:37 | |
*** ddieterly has joined #openstack-keystone | 19:42 | |
*** ddieterly has quit IRC | 20:00 | |
*** ddieterly has joined #openstack-keystone | 20:05 | |
*** ddieterly has quit IRC | 20:12 | |
*** ddieterly has joined #openstack-keystone | 20:21 | |
*** ddieterly has quit IRC | 20:24 | |
*** ddieterly has joined #openstack-keystone | 20:26 | |
*** sdake has joined #openstack-keystone | 20:33 | |
*** ddieterly has quit IRC | 20:40 | |
*** markvoelker has joined #openstack-keystone | 20:41 | |
*** markvoelker has quit IRC | 20:46 | |
*** sdake has quit IRC | 20:50 | |
*** ddieterly has joined #openstack-keystone | 20:52 | |
*** ddieterly has quit IRC | 20:56 | |
*** adrian_otto has joined #openstack-keystone | 21:07 | |
*** ddieterly has joined #openstack-keystone | 21:08 | |
*** ianw has quit IRC | 21:13 | |
*** ddieterly has quit IRC | 21:15 | |
*** ianw has joined #openstack-keystone | 22:27 | |
dstanek | cnf: if you want to just get a test environment setup use devstack. if you set the right env vars it'll setup ldap for you | 22:32 |
cnf | i just want to get i played with devstack last week | 22:33 |
cnf | that was all sorts of hell | 22:33 |
cnf | and I just want a working swift install | 22:34 |
*** ninag has joined #openstack-keystone | 22:34 | |
*** ninag has quit IRC | 22:34 | |
*** adrian_otto has quit IRC | 22:38 | |
*** ianw has quit IRC | 22:41 | |
*** markvoelker has joined #openstack-keystone | 22:42 | |
*** markvoelker has quit IRC | 22:47 | |
*** kragniz has quit IRC | 22:47 | |
*** kragniz has joined #openstack-keystone | 22:50 | |
*** EinstCrazy has joined #openstack-keystone | 22:51 | |
*** ninag has joined #openstack-keystone | 22:52 | |
*** ninag has quit IRC | 22:52 | |
*** EinstCrazy has quit IRC | 22:55 | |
*** bigjools has quit IRC | 23:05 | |
*** bigjools has joined #openstack-keystone | 23:09 | |
*** sdake has joined #openstack-keystone | 23:10 | |
*** roxanaghe has joined #openstack-keystone | 23:16 | |
*** sdake has quit IRC | 23:18 | |
*** ianw has joined #openstack-keystone | 23:20 | |
*** ianw has quit IRC | 23:28 | |
*** richm has quit IRC | 23:31 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!