I've deployed MOS 7.0 with Fuel LDAP plugin and trying to use openstack cli to add admin role in the project from `keystone.tld` domain for user from LDAP (in the same domain). And this domain is configured by fuel plugin to use LDAP.
I run on the controller node (the env has only one controller node) the following line:
`openstack --os-token=TOKEN --os-url=http://172.16.57.52:5000/v3 --os-identity-api-version=3 role add --project=test_LDAP_2 --user=admin_ad admin`
and I get `ERROR: openstack No user with a name or ID of 'admin_ad' exists.`. But I can open list of users on the LDAP server and see that admin_ad user is still there.
Then I try to run this command with specified domain name:
`openstack --os-token=TOKEN --os-url=http://172.16.57.52:5000/v3 --os-identity-api-version=3 role add --project=test_LDAP_2 --user=admin_ad admin --domain=keystone.tld`
and I obviously get an error: `openstack role add: error: argument --domain: not allowed with argument --project`
If I try to specify domain as an argument for openstack command like this:
`openstack --os-token=TOKEN --os-url=http://172.16.57.52:5000/v3 --os-identity-api-version=3 --domain=keystone.tld role add --project=test_LDAP_2 --user=admin_ad admin`
I get error: `ERROR: openstack Invalid command ' --domain=keystone.tld'`
If I run `openstack --os-token=TOKEN --os-url=http://172.16.57.52:5000/v3 role list --os-identity-api-version=3` everything works fine and I get list of roles and admin role is present in that list.
And, finaly, I try to list users from domain:
`openstack --os-token=TOKEN --os-url=http://172.16.57.52:5000/v3 --os-identity-api-version=3 user list --domain=keystone.tld`
And I get empty list. But, again, I can open users list on the LDAP server and see that admin_as user is still there, and also there are three another users.
If I try to set --os-domain-name 'openstack --os-token=TOKEN --os-url=http://172.16.57.52:5000/v3 --os-domain-name=keystone.tld --os-identity-api-version=3 user list' I'll get list of users from default domain (glance, swift, nova, heat, etc).
So, looks like there is something wrong or inconsistent.
Here is how LDAP is configured with Keystone:
/etc/keystone/domains/keystone.keystone.tld.conf contains the followong lines
[ldap]
user_allow_update=False
user=cn=admin_ad,cn=Users,dc=keystone,dc=tld
user_filter=
user_name_attribute=cn
user_pass_attribute=userPassword
user_enabled_attribute=enabled
suffix=dc=keystone,dc=tld
password=Pass1234
url=ldap://172.16.57.78
user_allow_create=False
user_allow_delete=False
user_objectclass=person
user_tree_dn=dc=keystone,dc=tld
query_scope=sub
user_id_attribute=cn
debug_level=-1
page_size = 50
[identity]
driver=keystone.identity.backends.ldap.Identity
Paul, could you try to add admin role via keystone cli? Does it work?