<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 05/28/2014 05:57 AM, Tizy Ninan
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAF_eEGTZns44_JZ686WH6aL-iA1T7MBc3OHLu4B06Ph9a8pSDQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi,
        <div><br>
        </div>
        <div>Thanks for the reply. </div>
        <div>I am still not successful in integrating keystone with
          active directory. Can you please provide some clarifications
          related to the following questions.</div>
        <div>1. Currently, my active directory schema does not have
          projects/tenants and roles OU. Is it necessary that I need to
          create projects/tenants and roles OU in the active directory
          schema for the keystone to authenticate to active directory?</div>
      </div>
    </blockquote>
    No.  Set the Assignment driver to SQL, not LDAP.<br>
    <br>
    <blockquote
cite="mid:CAF_eEGTZns44_JZ686WH6aL-iA1T7MBc3OHLu4B06Ph9a8pSDQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>2. We added values to the user_tree_dn. Do the
          tenant_tree_dn, role_tree_dn and group_tree_dn fields need
          to be filled in for authenticating?</div>
      </div>
    </blockquote>
    No, tenant values are used for assignment, and you should not be
    doing assignments in AD.  Those go into SQL.<br>
    <br>
    <br>
    <blockquote
cite="mid:CAF_eEGTZns44_JZ686WH6aL-iA1T7MBc3OHLu4B06Ph9a8pSDQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>3. How will the mapping of a user to a project/tenant and
          role be done if I try to use active directory to
          authenticate only the users and use the already existing
          projects and roles tables in the mysql database?<br>
        </div>
      </div>
    </blockquote>
    You need a role assignment, based either on the userid or on a 
    groupid that the user is in.  These are stored in the assignment
    backend. <br>
    <br>
    <br>
    <blockquote
cite="mid:CAF_eEGTZns44_JZ686WH6aL-iA1T7MBc3OHLu4B06Ph9a8pSDQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>Kindly provide me some insight into these questions.</div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra">Thanks,</div>
        <div class="gmail_extra">Tizy <br>
          <br>
          <div class="gmail_quote">On Tue, May 20, 2014 at 8:27 AM, Adam
            Young <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <div>
                  <div class="h5">
                    <div>On 05/16/2014 05:08 AM, Tizy Ninan wrote:<br>
                    </div>
                  </div>
                </div>
                <blockquote type="cite">
                  <div>
                    <div class="h5">
                      <div dir="ltr">
                        <div>Hi,</div>
                        <div><br>
                        </div>
                        <div>We have an openstack Havana deployment on
                          CentOS 6.4 and nova-network network service
                          installed using Mirantis Fuel v4.0.</div>
                        <div>We are trying to integrate the openstack
                          setup with the Microsoft Active Directory (LDAP
                          server). I only have read access to the
                          LDAP server.</div>
                        <div>What will be the minimum changes needed to
                          be made under the [ldap] tag in keystone.conf
                          file? Can you please specify what variables
                          need to be set and what should be the values
                          for each variable?</div>
                        <div><br>
                        </div>
                        <div>[ldap]</div>
                        <div># url = <a moz-do-not-send="true">ldap://localhost</a></div>
                        <div># user = dc=Manager,dc=example,dc=com</div>
                        <div># password = None</div>
                        <div># suffix = cn=example,cn=com</div>
                        <div># use_dumb_member = False</div>
                        <div># allow_subtree_delete = False</div>
                        <div># dumb_member = cn=dumb,dc=example,dc=com</div>
                        <div><br>
                        </div>
                        <div># Maximum results per page; a value of zero
                          ('0') disables paging (default)</div>
                        <div># page_size = 0</div>
                        <div><br>
                        </div>
                        <div># The LDAP dereferencing option for
                          queries. This can be either 'never',</div>
                        <div># 'searching', 'always', 'finding' or
                          'default'. The 'default' option falls</div>
                        <div># back to using default dereferencing
                          configured by your ldap.conf.</div>
                        <div># alias_dereferencing = default</div>
                        <div><br>
                        </div>
                        <div># The LDAP scope for queries, this can be
                          either 'one'</div>
                        <div># (onelevel/singleLevel) or 'sub'
                          (subtree/wholeSubtree)</div>
                        <div># query_scope = one</div>
                        <div><br>
                        </div>
                        <div># user_tree_dn = ou=Users,dc=example,dc=com</div>
                        <div># user_filter =</div>
                        <div># user_objectclass = inetOrgPerson</div>
                        <div># user_id_attribute = cn</div>
                        <div># user_name_attribute = sn</div>
                        <div># user_mail_attribute = email</div>
                        <div># user_pass_attribute = userPassword</div>
                        <div># user_enabled_attribute = enabled</div>
                        <div># user_enabled_mask = 0</div>
                        <div># user_enabled_default = True</div>
                        <div># user_attribute_ignore =
                          default_project_id,tenants</div>
                        <div># user_default_project_id_attribute =</div>
                        <div># user_allow_create = True</div>
                        <div># user_allow_update = True</div>
                        <div># user_allow_delete = True</div>
                        <div># user_enabled_emulation = False</div>
                        <div># user_enabled_emulation_dn =</div>
                        <div><br>
                        </div>
                        <div># tenant_tree_dn =
                          ou=Projects,dc=example,dc=com</div>
                        <div># tenant_filter =</div>
                        <div># tenant_objectclass = groupOfNames</div>
                        <div># tenant_domain_id_attribute =
                          businessCategory</div>
                        <div># tenant_id_attribute = cn</div>
                        <div># tenant_member_attribute = member</div>
                        <div># tenant_name_attribute = ou</div>
                        <div># tenant_desc_attribute = desc</div>
                        <div># tenant_enabled_attribute = enabled</div>
                        <div># tenant_attribute_ignore =</div>
                        <div># tenant_allow_create = True</div>
                        <div># tenant_allow_update = True</div>
                        <div># tenant_allow_delete = True</div>
                        <div># tenant_enabled_emulation = False</div>
                        <div># tenant_enabled_emulation_dn =</div>
                        <div><br>
                        </div>
                        <div># role_tree_dn = ou=Roles,dc=example,dc=com</div>
                        <div># role_filter =</div>
                        <div># role_objectclass = organizationalRole</div>
                        <div># role_id_attribute = cn</div>
                        <div># role_name_attribute = ou</div>
                        <div># role_member_attribute = roleOccupant</div>
                        <div># role_attribute_ignore =</div>
                        <div># role_allow_create = True</div>
                        <div># role_allow_update = True</div>
                        <div># role_allow_delete = True</div>
                        <div><br>
                        </div>
                        <div># group_tree_dn =</div>
                        <div># group_filter =</div>
                        <div># group_objectclass = groupOfNames</div>
                        <div># group_id_attribute = cn</div>
                        <div># group_name_attribute = ou</div>
                        <div># group_member_attribute = member</div>
                        <div># group_desc_attribute = desc</div>
                        <div># group_attribute_ignore =</div>
                        <div># group_allow_create = True</div>
                        <div># group_allow_update = True</div>
                        <div># group_allow_delete = True</div>
                        <div><br>
                        </div>
                        <div>Kindly help us to resolve the issue.</div>
                        <div><br>
                        </div>
                        <div>Thanks,</div>
                        <div>Tizy </div>
                        <div><br>
                        </div>
                      </div>
                      <br>
                      <br>
                    </div>
                  </div>
                  <pre>_______________________________________________
OpenStack-dev mailing list
<a moz-do-not-send="true" href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a>
<a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
                </blockquote>
                <br>
                <br>
                <a moz-do-not-send="true"
                  href="http://www.youtube.com/watch?v=w3Yjlmb_68g"
                  target="_blank">http://www.youtube.com/watch?v=w3Yjlmb_68g</a><br>
                <br>
              </div>
              <br>
              <br>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
    </blockquote>
    <br>
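    As an added example, not part of this thread or of Keystone itself, here is a constructed Havana-style keystone.conf that keeps identity in Active Directory and assignments in SQL as Adam describes, with a small checker for that split; the hostname, DNs and bind password are placeholders, and <code>use_tls</code> is assumed to be available in this release.<br>

```python
# Added example, not from the thread: AD holds identity, SQL holds assignments.
# Host, DNs and password below are constructed placeholders.
import configparser

KEYSTONE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldaps://ad.example.test
user = cn=keystone-bind,ou=Service Accounts,dc=example,dc=test
password = PLACEHOLDER
suffix = dc=example,dc=test
user_tree_dn = ou=Users,dc=example,dc=test
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_allow_create = False
user_allow_update = False
user_allow_delete = False
"""


def check_ldap_identity_sql_assignment(conf_text):
    """Return findings for an LDAP-identity / SQL-assignment setup; [] is clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    if "ldap" not in cp.get("identity", "driver", fallback=""):
        findings.append("identity driver is not LDAP")
    if "sql" not in cp.get("assignment", "driver", fallback=""):
        findings.append("assignment driver should be SQL, not LDAP")
    ldap = cp["ldap"] if cp.has_section("ldap") else {}
    # Tenant/role trees belong to the assignment backend; with SQL they are dead config.
    for key in ("tenant_tree_dn", "role_tree_dn"):
        if ldap.get(key):
            findings.append(key + " set but assignments live in SQL")
    # The bind account is read-only, so LDAP writes must be disabled.
    for key in ("user_allow_create", "user_allow_update", "user_allow_delete"):
        if ldap.get(key, "True").lower() != "false":
            findings.append(key + " should be False for a read-only AD bind")
    # Simple bind sends the password; require ldaps:// or StartTLS (use_tls).
    url, tls = ldap.get("url", ""), ldap.get("use_tls", "False").lower()
    if not url.startswith("ldaps://") and tls != "true":
        findings.append("bind password in clear: use ldaps:// or use_tls = True")
    return findings
```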
  </body>
</html>