[openstack-dev] Using AD for keystone authentication only
aviostack at gmail.com
Thu Nov 14 18:17:28 UTC 2013
Thanks for your help. So in this case the uid parameter to user-role-add
will be any of the AD attributes that I specify in the keystone.conf file,
i.e. sAMAccountName? Also I assume that in this case there will be no
entries for the user in the local SQL users table, nor would any ID be
assigned to individual users by keystone? Also in this case will user-list
show all the users in the Active Directory under the user tree?
BTW is there an RPM available for the Havana keystone release for CentOS/RHEL?
On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <dolph.mathews at gmail.com> wrote:
> You can assign roles to users in keystoneclient ($ keystone help
> user-role-add) -- the assignment would be persisted in SQL. openstackclient
> supports assignments to groups as well if you switch to
> On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviostack at gmail.com> wrote:
>> Oh ok so in this case how does the Active Directory user get an ID, and
>> how do you map the user to a role? Is there any example you can point me
>> On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <dolph.mathews at gmail.com> wrote:
>>> Yes, that's the preferred approach in Havana: Users and Groups via
>>> LDAP, and everything else via SQL.
>>> On Wednesday, November 13, 2013, Avi L wrote:
>>>> I understand that the LDAP provider in keystone can be used for
>>>> authenticating a user (i.e. validate username and password), and it also
>>>> authorizes it against roles and tenant. However this requires AD schema
>>>> modification. Is it possible to use AD only for authentication and then use
>>>> keystone's native database for roles and tenant lookup? The advantage is
>>>> that then we don't need to touch the enterprise AD installation.
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
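The split described in the thread (users and groups from LDAP, everything else in SQL), written out as a Havana keystone.conf fragment. This is an added example, not configuration from the thread or from the Keystone project; the host name, DNs, bind account, CA path and the choice of sAMAccountName as the id attribute are placeholder assumptions.

```ini
# keystone.conf (Havana) -- added example; hosts, DNs and paths are placeholders

[identity]
# Users and groups are looked up (and passwords checked by bind) in Active Directory
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Tenants, roles and role assignments stay in Keystone's own SQL database,
# so no AD schema change is needed
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# LDAPS with certificate verification, so bind passwords never cross the wire in clear
url = ldaps://ad.example.com
tls_cacertfile = /etc/keystone/ssl/ad-ca.pem
tls_req_cert = demand
# Dedicated bind account that only needs read access to the user/group trees
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
password = <bind-password>
suffix = DC=example,DC=com
query_scope = sub
use_dumb_member = False

user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
# The value of this attribute is the user id that SQL role assignments refer to
# (assumption for this example: sAMAccountName)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
# AD has no boolean "enabled" attribute; mask 2 is the ACCOUNTDISABLE flag
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# Keystone never creates, modifies or deletes directory entries
user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```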