[openstack-dev] Keystone RC1 Bug Question 1209440

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Tue Oct 15 17:05:37 UTC 2013


Hello,

I have a generic question about the logic now available for LDAP users in association with bug 1209440. How do you associate a read-only LDAP user with a domain? LDAP users are not entered into the keystone user table, so the only way I can see to associate a user with a domain is to give them a role for the domain so that an entry is built for them in the user_domain_metadata table. Am I correct, or is there something I am missing?

Regards,

Mark

=====================

https://bugs.launchpad.net/keystone/+bug/1209440

=====================

At keystone/identity/backends/ldap.py:230 we allow mapping domain_id of a user based on the attribute specified in conf.ldap.user_domain_id_attribute which defaults to 'businessCategory'.
My understanding is that this is no longer required and should no longer be allowed and indeed in practice it completely overrides any domain information that is provided in the authentication body.

=====================

commit 668ee718127a9983d4838b868efd44ddf661b533
Author: Morgan Fainberg <m at metacloud.com>
Date: Thu Sep 19 19:53:02 2013 -0700
    Remove ldap identity domain attribute options
    LDAP Identity backend is not domain aware, and therefore does not
    need mappings for the domain attributes for user and group.
    closes-bug: 1209440
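To make the overriding behaviour in the bug description concrete, here is an added Python sketch (not Keystone's own code) contrasting the user attribute mapping before and after the commit; the default-domain fallback, the sample directory entry and the mapping dicts are assumptions constructed for this illustration.

```python
"""Illustration of bug 1209440 (added example, not Keystone's code).
The pre-fix default attribute name 'businessCategory' and the fact that
the LDAP identity backend is not domain aware come from the message above.
Assumption: after the fix an LDAP user simply belongs to the default domain."""

DEFAULT_DOMAIN_ID = "default"  # constructed stand-in for the configured default domain

# Attribute maps: keystone user field -> LDAP attribute.
MAPPING_BEFORE_FIX = {"id": "cn", "name": "sn", "domain_id": "businessCategory"}
MAPPING_AFTER_FIX = {"id": "cn", "name": "sn"}  # domain mapping removed by the commit


def ldap_entry_to_user(entry, attr_map, default_domain_id=DEFAULT_DOMAIN_ID):
    """Build a keystone-style user dict from an LDAP entry using attr_map.
    A domain_id read from the directory wins; otherwise the default applies."""
    user = {}
    for field, ldap_attr in attr_map.items():
        values = entry.get(ldap_attr)
        if values:
            user[field] = values[0]
    user.setdefault("domain_id", default_domain_id)
    return user


def authenticate(entry, requested_domain_id, attr_map):
    """Return (accepted, user): accept only when the user's domain matches the
    domain named in the authentication body (a domain-scoped request)."""
    user = ldap_entry_to_user(entry, attr_map)
    return user["domain_id"] == requested_domain_id, user


# Constructed read-only LDAP entry; businessCategory holds an unrelated
# business unit, as it commonly does in a corporate directory.
SAMPLE_ENTRY = {"cn": ["mmiller"], "sn": ["Miller"], "businessCategory": ["engineering"]}


def demo():
    """Same entry, same auth body domain, before and after the fix."""
    before = authenticate(SAMPLE_ENTRY, DEFAULT_DOMAIN_ID, MAPPING_BEFORE_FIX)
    after = authenticate(SAMPLE_ENTRY, DEFAULT_DOMAIN_ID, MAPPING_AFTER_FIX)
    return before, after


if __name__ == "__main__":
    (ok_before, user_before), (ok_after, user_after) = demo()
    print("before fix:", ok_before, user_before)  # domain silently taken from businessCategory
    print("after fix: ", ok_after, user_after)
```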


