[openstack-dev] [keystone] Suggested LDAP DIT for domains

Ryan Lane rlane at wikimedia.org
Tue Apr 23 22:26:35 UTC 2013


In the above, everything exists under ou=domains. In the case an operator
wants to use only one single (default) domain, they'd set their
configuration to use the root, rather than ou=domains, and would move
everything up a level. Otherwise, a default domain exists as a normal
domain in the tree.

In this DIT configuration, domains have roles and projects, projects have
roles. Projects and roles have members. I believe there was discussion of
implying membership in the project by membership of the roles. I'm not a
huge fan of that, but I can modify this design if that's the preferred

There's some major benefits of designing the DIT in this way:

1. It's possible to scope searches by depth and base to limit searches to
domains and project and to find roles for domains and projects.
2. The DIT can be extended by LDAP administrators for other uses. I can
give you a ton of examples, as I'm doing this currently for per-project
sudoers, service and group users, etc..
3. Users, groups, and projects have no requirements for being globally
unique. They are only unique per domain.
4. For operators using the current implementation who don't want multiple
domains, this is backwards compatible.
5. For operators wanting to using multiple domains, they simply need to
move their tree a level deeper. Of course this isn't a simple change, but
it should be a matter of configuration for their applications, rather than
development effort.
6. Domains are a matter of hierarchy, and this uses LDAP's natural


Ryan Lane
Wikimedia Labs Lead
Wikimedia Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130423/6de2937b/attachment.html>

More information about the OpenStack-dev mailing list