<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/28/2014 05:57 AM, Tizy Ninan
wrote:<br>
</div>
<blockquote
cite="mid:CAF_eEGTZns44_JZ686WH6aL-iA1T7MBc3OHLu4B06Ph9a8pSDQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Thanks for the reply. </div>
<div>I am still not successful in integrating keystone with
active directory. Can you please provide some clarifications
related to the following questions.</div>
<div>1. Currently, my active directory schema does not have
projects/tenants and roles OU. Is it necessary that I need to
create projects/tenants and roles OU in the active directory
schema for the keystone to authenticate to active directory.?</div>
</div>
</blockquote>
No. Set the Assignment driver to SQL, not LDAP.<br>
<br>
<blockquote
cite="mid:CAF_eEGTZns44_JZ686WH6aL-iA1T7MBc3OHLu4B06Ph9a8pSDQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>2. We added values to the user_tree_dn.Does the
tenant_tree_dn and role_tree_dn and group_tree_dn fields needs
to be filled in for authenticating?</div>
</div>
</blockquote>
No, tenant values are used for assignment, and you should not be
doing assignments in AD. THose go into SQL.<br>
<br>
<br>
<blockquote
cite="mid:CAF_eEGTZns44_JZ686WH6aL-iA1T7MBc3OHLu4B06Ph9a8pSDQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>3.How does the mapping of a user to a project/tenant and
role will be done if I try to use active directory to
authenticate only the users and use the already existing
projects and roles tables in the mysql database? <br>
</div>
</div>
</blockquote>
You need a role assignment, based either on the userid or on a
groupid that the user is in. These are stored in the assignment
backend. <br>
<br>
<br>
<blockquote
cite="mid:CAF_eEGTZns44_JZ686WH6aL-iA1T7MBc3OHLu4B06Ph9a8pSDQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Kindly provide me some insight into these questions.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Thanks,</div>
<div class="gmail_extra">Tizy <br>
<br>
<div class="gmail_quote">On Tue, May 20, 2014 at 8:27 AM, Adam
Young <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<div>On 05/16/2014 05:08 AM, Tizy Ninan wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>We have an openstack Havana deployment on
CentOS 6.4 and nova-network network service
installed using Mirantis Fuel v4.0. </div>
<div>We are trying to integrate the openstack
setup with the Microsoft Active Directory(LDAP
server). I only have a read access to the
LDAP server.</div>
<div>What will be the minimum changes needed to
be made under the [ldap] tag in keystone.conf
file?Can you please specify what variables
need to be set and what should be the values
for each variable?</div>
<div><br>
</div>
<div>[ldap]</div>
<div># url = <a moz-do-not-send="true">ldap://localhost</a></div>
<div># user = dc=Manager,dc=example,dc=com</div>
<div># password = None</div>
<div># suffix = cn=example,cn=com</div>
<div># use_dumb_member = False</div>
<div># allow_subtree_delete = False</div>
<div># dumb_member = cn=dumb,dc=example,dc=com</div>
<div><br>
</div>
<div># Maximum results per page; a value of zero
('0') disables paging (default)</div>
<div># page_size = 0</div>
<div><br>
</div>
<div># The LDAP dereferencing option for
queries. This can be either 'never',</div>
<div># 'searching', 'always', 'finding' or
'default'. The 'default' option falls</div>
<div># back to using default dereferencing
configured by your ldap.conf.</div>
<div># alias_dereferencing = default</div>
<div><br>
</div>
<div># The LDAP scope for queries, this can be
either 'one'</div>
<div># (onelevel/singleLevel) or 'sub'
(subtree/wholeSubtree)</div>
<div># query_scope = one</div>
<div><br>
</div>
<div># user_tree_dn = ou=Users,dc=example,dc=com</div>
<div># user_filter =</div>
<div># user_objectclass = inetOrgPerson</div>
<div># user_id_attribute = cn</div>
<div># user_name_attribute = sn</div>
<div># user_mail_attribute = email</div>
<div># user_pass_attribute = userPassword</div>
<div># user_enabled_attribute = enabled</div>
<div># user_enabled_mask = 0</div>
<div># user_enabled_default = True</div>
<div># user_attribute_ignore =
default_project_id,tenants</div>
<div># user_default_project_id_attribute =</div>
<div># user_allow_create = True</div>
<div># user_allow_update = True</div>
<div># user_allow_delete = True</div>
<div># user_enabled_emulation = False</div>
<div># user_enabled_emulation_dn =</div>
<div><br>
</div>
<div># tenant_tree_dn =
ou=Projects,dc=example,dc=com</div>
<div># tenant_filter =</div>
<div># tenant_objectclass = groupOfNames</div>
<div># tenant_domain_id_attribute =
businessCategory</div>
<div># tenant_id_attribute = cn</div>
<div># tenant_member_attribute = member</div>
<div># tenant_name_attribute = ou</div>
<div># tenant_desc_attribute = desc</div>
<div># tenant_enabled_attribute = enabled</div>
<div># tenant_attribute_ignore =</div>
<div># tenant_allow_create = True</div>
<div># tenant_allow_update = True</div>
<div># tenant_allow_delete = True</div>
<div># tenant_enabled_emulation = False</div>
<div># tenant_enabled_emulation_dn =</div>
<div><br>
</div>
<div># role_tree_dn = ou=Roles,dc=example,dc=com</div>
<div># role_filter =</div>
<div># role_objectclass = organizationalRole</div>
<div># role_id_attribute = cn</div>
<div># role_name_attribute = ou</div>
<div># role_member_attribute = roleOccupant</div>
<div># role_attribute_ignore =</div>
<div># role_allow_create = True</div>
<div># role_allow_update = True</div>
<div># role_allow_delete = True</div>
<div><br>
</div>
<div># group_tree_dn =</div>
<div># group_filter =</div>
<div># group_objectclass = groupOfNames</div>
<div># group_id_attribute = cn</div>
<div># group_name_attribute = ou</div>
<div># group_member_attribute = member</div>
<div># group_desc_attribute = desc</div>
<div># group_attribute_ignore =</div>
<div># group_allow_create = True</div>
<div># group_allow_update = True</div>
<div># group_allow_delete = True</div>
<div><br>
</div>
<div>Kindly help us to resolve the issue.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Tizy </div>
<div><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
OpenStack-dev mailing list
<a moz-do-not-send="true" href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a>
<a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
<br>
<a moz-do-not-send="true"
href="http://www.youtube.com/watch?v=w3Yjlmb_68g"
target="_blank">http://www.youtube.com/watch?v=w3Yjlmb_68g</a><br>
<br>
</div>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>