I currently have an OpenStack Havana cluster that is running the 2.0 API. I am having some issues integrating my Keystone with my corporate read-only LDAP.
I have done the LDAP/SQL split (for identity and assignment) as recommended. When I run the 'keystone user-list' command multiple times, it prints both SQL and LDAP users (i.e. sometimes SQL users and sometimes LDAP users). I don't understand this, as I expect it to fetch the user list only from LDAP and not from SQL. What exactly is user-list trying to do internally?
Could there be some other settings, in addition to the ones in the keystone.conf [ldap] section, that I would need to change?
I also tried doing 'keystone user-role-add' to try and map the LDAP user to a pre-created tenant with a member role, but it failed saying the user could not be found, which again means it is trying to look for the user inside SQL instead of inside LDAP.
Some people have been talking about using the Keystone 3.0 API, but I have yet to find material that guides me on how to install it and get it running. What is the procedure to install and configure this? Being new to Linux, I have no idea whatsoever. How will the 3.0 API help me address this issue?
Also, I read that read-only LDAP is flaky in Havana. Would migrating to Icehouse help? Was this made more stable in Icehouse?