[openstack-dev] Using AD for keystone authentication only

Dolph Mathews dolph.mathews at gmail.com
Thu Nov 14 15:07:28 UTC 2013


You can assign roles to users in keystoneclient ($ keystone help
user-role-add) -- the assignment would be persisted in SQL. openstackclient
supports assignments to groups as well if you switch to
--identity-api-version=3

On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviostack at gmail.com> wrote:

> Oh ok, so in this case how does the Active Directory user get an id, and
> how do you map the user to a role? Is there any example you can point me
> to?
>
>
> On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <dolph.mathews at gmail.com>wrote:
>
>> Yes, that's the preferred approach in Havana: Users and Groups via LDAP,
>> and everything else via SQL.
>>
>>
>> On Wednesday, November 13, 2013, Avi L wrote:
>>
>>> Hi,
>>>
>>> I understand that the LDAP provider in keystone can be used for
>>> authenticating a user (i.e. validating username and password), and it also
>>> authorizes it against roles and tenants. However, this requires AD schema
>>> modification. Is it possible to use AD only for authentication and then use
>>> keystone's native database for roles and tenant lookup? The advantage is
>>> that then we don't need to touch the enterprise AD installation.
>>>
>>> Thanks
>>> Al
>>>
>>
>>
>> --
>>
>> -Dolph
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
>


-- 

-Dolph
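The split Dolph describes (users and groups read from AD over LDAP, roles and tenant assignments kept in keystone's SQL database) is a keystone.conf setting, and the part that protects the "don't touch the enterprise AD" goal is making the LDAP driver read-only. The following is an added example, not code from the thread or from the keystone project: it embeds two constructed keystone.conf fragments using the Havana-era option names as I remember them (the `[identity]`/`[assignment]` driver classes and the `[ldap]` `*_allow_create/update/delete`, `use_tls`, `user_enabled_*` options; the AD-specific values such as `sAMAccountName` and `userAccountControl` are typical choices, not something the thread specifies) and a small audit function that flags the settings a reviewer would object to: assignments stored in the directory, a cleartext bind, or write access left enabled. Hostnames, DNs and the password are placeholders.

```python
import configparser

# Constructed fragment: everything in LDAP, and the LDAP driver left writable.
# This is the setup the thread wants to avoid: roles/tenants in the directory
# need AD schema changes, and the write flags let keystone modify AD objects.
ALL_IN_LDAP = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.ldap.Assignment

[ldap]
url = ldap://ad.example.com
user = CN=keystone,OU=Service Accounts,DC=example,DC=com
password = placeholder-password
suffix = DC=example,DC=com
user_allow_create = True
user_allow_update = True
user_allow_delete = True
"""

# Constructed fragment for the recommended split: users and groups via LDAP
# (read-only, over LDAPS), roles and tenant assignments via SQL.  The user id
# keystone persists in its SQL assignment tables comes from user_id_attribute
# (Havana-era behaviour as I recall it), so pick an attribute that is stable.
SPLIT_READ_ONLY = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldaps://ad.example.com
user = CN=keystone,OU=Service Accounts,DC=example,DC=com
password = placeholder-password
suffix = DC=example,DC=com
query_scope = sub
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_allow_create = False
group_allow_update = False
group_allow_delete = False
"""

# The six flags that let keystone write into the directory.
WRITE_FLAGS = [f"{kind}_allow_{op}"
               for kind in ("user", "group")
               for op in ("create", "update", "delete")]


def audit(conf_text: str) -> list[str]:
    """Return a list of findings for a keystone.conf fragment; empty means
    the LDAP-for-identity / SQL-for-assignment split is configured safely."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []

    assignment = cp.get("assignment", "driver", fallback="")
    if "sql" not in assignment.lower():
        findings.append("assignment driver is not SQL: roles/tenants would "
                        "live in the directory and require schema changes")

    ldap = cp["ldap"] if cp.has_section("ldap") else {}
    url = ldap.get("url", "")
    if not url.startswith("ldaps://") and ldap.get("use_tls", "False").lower() != "true":
        findings.append("LDAP bind is cleartext: use ldaps:// or use_tls = True")

    for flag in WRITE_FLAGS:
        # Keystone's default for these flags was True, so an absent flag
        # counts as writable.
        if ldap.get(flag, "True").lower() == "true":
            findings.append(f"{flag} is enabled: keystone may write to AD")
    return findings


if __name__ == "__main__":
    for name, conf in (("all-in-LDAP", ALL_IN_LDAP), ("split, read-only", SPLIT_READ_ONLY)):
        print(f"{name}: {audit(conf) or ['ok']}")
```

With the read-only split in place, the role assignments themselves are created exactly as the reply says: with keystoneclient, `keystone user-role-add --user-id <ad-user-id> --role-id <role-id> --tenant-id <tenant-id>` writes the row into SQL, and with `--os-identity-api-version 3` openstackclient can assign a role to an AD group with `openstack role add --group <group> --project <project> <role>` (command shapes from memory of that era's clients; check `--help` on your version). Nothing in either path needs write access to AD, which is why the audit treats an enabled `*_allow_*` flag as a finding.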

