[openstack-dev] [keystone] Custom ProjectID upon creation

Matt Fischer matt at mattfischer.com
Tue Dec 6 02:19:10 UTC 2016

> I'm surprised any AD administrator let Keystone write to it. I've always
> heard the inverse that AD admins never would allow keystone to write to it,
> therefore it was never used for Projects or Assignments. Users were
> likewise read-only when AD was involved.
> I have seen normal LDAP setups work with Keystone and used in both
> read/write mode (but even still the write-allowed was the extreme minority).

Yes, agreed. AD administrators are generally pretty protective of write
access. And especially so of some Linux-based open source project writing
into their Windows kingdom. We got over our lack of being able to store
assignment in LDAP, mainly because the blocker was not Keystone, it was
corporate policy.

As for everything else that's been discussed, I think database replication
is easier, and when you're not replicating tokens, there's just not that
much traffic across the WAN. It's been very stable for us, especially since
we started using Fernet tokens.