openstack cli doesn't allow admin to add role to user
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mirantis OpenStack | Invalid | Medium | Boris Bobrov | |
9.x | Invalid | Medium | Boris Bobrov | |
Bug Description
I've deployed MOS 7.0 with the Fuel LDAP plugin and am trying to use the openstack CLI to add the admin role in the project from the `keystone.tld` domain for a user from LDAP (in the same domain). This domain is configured by the Fuel plugin to use LDAP.
I run on the controller node (the env has only one controller node) the following line:
`openstack --os-token=TOKEN --os-url=http://
and I get `ERROR: openstack No user with a name or ID of 'admin_ad' exists.`. But I can open the list of users on the LDAP server and see that the admin_ad user is still there.
Then I try to run this command with specified domain name:
`openstack --os-token=TOKEN --os-url=http://
and I obviously get an error: `openstack role add: error: argument --domain: not allowed with argument --project`
If I try to specify domain as an argument for openstack command like this:
`openstack --os-token=TOKEN --os-url=http://
I get error: `ERROR: openstack Invalid command ' --domain=
If I run `openstack --os-token=TOKEN --os-url=http://
And, finally, I try to list users from the domain:
`openstack --os-token=TOKEN --os-url=http://
And I get an empty list. But, again, I can open the users list on the LDAP server and see that the admin_ad user is still there, and there are also three other users.
If I try to set --os-domain-name 'openstack --os-token=TOKEN --os-url=http://
So, looks like there is something wrong or inconsistent.
Here is how LDAP is configured with Keystone:
/etc/keystone/
[ldap]
user_allow_
user=cn=
user_filter=
user_name_
user_pass_
user_enabled_
suffix=
password=Pass1234
url=ldap:
user_allow_
user_allow_
user_objectclas
user_tree_
query_scope=sub
user_id_
debug_level=-1
page_size = 50
[identity]
driver=
Changed in mos:
assignee: nobody → MOS Keystone (mos-keystone)
Changed in mos:
status: Invalid → Incomplete
tags: added: keystone ldap
tags: added: area-keystone removed: keystone
Paul, could you try to add admin role via keystone cli? Does it work?