[openstack-dev] [keystone] Suggested LDAP DIT for domains

Simo Sorce simo at redhat.com
Thu Apr 25 14:56:30 UTC 2013

On Thu, 2013-04-25 at 10:45 -0400, Adam Young wrote:
> OK,  so Ryan has convinced me that multiple LDAP servers under the same 
> Keystone is an incantation for self induced insanity.
> Based on conversations with the other devs, we are going to enforce that 
> there is only one LDAP server per keystone, and limit the number of 
> domains it can support to one.
> There can be only one.

I would like to hear what the argument is that convinced you here?

The reason you have multiple domains is that you have the need for
multiple user-sets, which seems to lend naturally to covering the case where
an organization has multiple sets of users in different LDAP servers, so
that you may want to use one LDAP server for one domain and another for
another domain.

Where does this argument break?

> The APIs for Domains will still be implemented, but creating or 
> modifying a domain will return a Not Implemented return code. There 
> will be a single domain object that will be immutable, although we may 
> allow initializing it from config file values.

Oh, so no support for multiple domains at all? Odd, it seems this will make
your LDAP backend a second-class citizen and a non-viable choice in some
deployments. Not complaining, just acknowledging.

> Why are we "yanking" a feature like this? Quite simply, because the vast 
> majority of LDAP deployments out there will not use it, and will not 
> support the approach we have started.  We would rather focus on solving 
> the real needs of the LDAP users.  Most people cannot write to their 
> LDAP servers, and those that can often don't have the power to change 
> the schema.  Thus far, the LDAP work has kept this design in mind, but 
> Domains forced us to marry up two inconsistent views of the world.
> Multiple domains will still be supported in the SQL backend.
> Organizations that require multiple LDAP servers were not served by the 
> existing implementation.  Those will require a different solution. Each 
> will get their own Keystone server, and we will use the approach 
> sketched out in other blueprints to ensure that they can co-exist in a 
> single OpenStack deployment.

I guess the read-only LDAP case can still be used for multiple domains
if Keystone-specific data is kept in a Keystone database?

If that's the case, I think your choice will make sense.


Simo Sorce * Red Hat, Inc * New York