[openstack-dev] [keystone] Suggested LDAP DIT for domains

Ryan Lane rlane at wikimedia.org
Thu Apr 25 19:06:58 UTC 2013

On Thu, Apr 25, 2013 at 9:07 AM, Ziad Sawalha <ziad at sawalha.com> wrote:

> +1
> Most hosting/cloud providers have something like that; a directory with
> multiple user sets.
> Shouldn't that use case be core to Keystone? Having worked with many such
> implementations, I'd like to also hear the argument for why it is insanity…

One directory with multiple user sets, or multiple directories with single
user sets? Multiple directories that should be combined together (this is a
major nightmare case)?

One directory with multiple user sets is doable, and the DIT I suggested
supports this use case. It should support all API functionality, in fact.
Is it worth implementing this, though? Is this going to be used enough to
make it worth the cost of supporting it?

As for the other cases: how to configure any of this? You can no longer use
the API to create domains, because each domain would need LDAP
configuration information to go with it. So, does this go into the
configuration files? That would mean every new domain would require a
keystone service restart. There's a lot of complexity involved with this
and likely very little gain.

- Ryan