<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 04/25/2013 03:06 PM, Ryan Lane
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAC9E6cptqR_8ds+d1S8xa1nzixEiGgC5aBiCtbg3j3rOOigcng@mail.gmail.com"
      type="cite">
      <div dir="ltr">On Thu, Apr 25, 2013 at 9:07 AM, Ziad Sawalha <span
          dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:ziad@sawalha.com" target="_blank">ziad@sawalha.com</a>&gt;</span>
        wrote:<br>
        <div class="gmail_extra">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">+1<br>
              <br>
              Most hosting/cloud providers have something like that; a
              directory with multiple user sets.<br>
              <br>
              Shouldn't that use case be core to Keystone? Having worked
              with many such implementations, I'd like to also hear the
              argument for why it is insanity…<br>
            </blockquote>
            <div><br>
            </div>
            <div style="">One directory with multiple user sets, or
              multiple directories with single user sets? Multiple
              directories that should be combined together (this is a
              major nightmare case)?</div>
            <div style=""><br>
            </div>
            <div style="">One directory with multiple user sets is
              doable, and the DIT I suggested supports this use case. It
              should support all API functionality, in fact. Is it worth
              implementing this, though? Is this going to be used enough
              to make it worth the cost of supporting it?</div>
            <div style=""><br>
            </div>
            <div style="">As for the other cases: how to configure any
              of this? You can no longer use the API to create domains,
              because each domain would need LDAP configuration
              information to go with it. So, does this go into the
              configuration files? That would mean every new domain
              would require a keystone service restart. There's a lot of
              complexity involved with this and likely very little gain.<br>
            </div>
            <div style=""><br>
            </div>
            <div style="">- Ryan</div>
          </div>
        </div>
      </div>
      <br>
      <pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
    </blockquote>
    I wish Joe Savak would speak up here as he is the one that pushed for
    the multi-domain LDAP approach that we have now, and that we are
    talking about yanking.  Can someone bug him and get him to respond?<br>
  </body>
</html>