<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Matt,<div class=""><br class=""></div><div class="">Your hybrid driver seems to be doing something different than what Julian was asking - namely providing some “automatic role assignments” for users stored in LDAP (unless I am not understanding your patch)?  I guess you could argue that’s a restricted version of being able to create group memberships outside of LDAP (which, Julian, is what I think you are asking for...), but probably a somewhat different use case?</div><div class=""><br class=""></div><div class="">Henry<br class=""><div><blockquote type="cite" class=""><div class="">On 24 Jul 2015, at 05:51, Matt Fischer <<a href="mailto:matt@mattfischer.com" class="">matt@mattfischer.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Julian,<div class=""><br class=""></div><div class="">You want this hybrid backend driver. Bind against LDAP for auth, store everything else in mysql:</div><div class=""><br class=""></div><div class=""><a href="https://github.com/SUSE-Cloud/keystone-hybrid-backend" class="">https://github.com/SUSE-Cloud/keystone-hybrid-backend</a><br class=""></div><div class=""><br class=""></div><div class="">We maintain our own fork which has a few small differences. 
I do not use the assignment portion of the driver and I'm not sure anyone does so keep that in mind.</div><div class=""><br class=""></div><div class="">I know some of the Keystone team has pretty strong opinions about this but it works for us.</div><div class=""><br class=""></div><div class="">And nice to run into you again...</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Thu, Jul 23, 2015 at 10:00 PM, Julian Edwards <span dir="ltr" class=""><<a href="mailto:bigjools@gmail.com" target="_blank" class="">bigjools@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br class="">
<br class="">
I am relatively new to OpenStack and Keystone so please forgive me any<br class="">
crazy misunderstandings here.<br class="">
<br class="">
One of the problems with the existing LDAP Identity driver that I see<br class="">
is that for group management it needs write access to the LDAP server,<br class="">
or requires an LDAP admin to set up groups separately.<br class="">
<br class="">
Neither of these are palatable to some larger users with corporate<br class="">
LDAP directories, so I'm interested in discussing a solution that<br class="">
would get acceptance from core devs.<br class="">
<br class="">
My initial thoughts are to create a new driver that would store groups<br class="">
and their user memberships in the local keystone database, while<br class="">
continuing to rely on LDAP for user authentication. The advantages of<br class="">
this would be that the standard UI tools could continue to work for<br class="">
group manipulation.  This is somewhat parallel with ephemeral<br class="">
federated user group mappings, but that's all done in the json blob<br class="">
which is a bit horrible. (I'd like to see that working with a decent<br class="">
UI some time, perhaps it is solved in the same way)<br class="">
<br class="">
However, one of the other reasons I'm sending this is to gather more<br class="">
ideas to solve this. I'd like to hear from anyone in a similar<br class="">
position, and anyone with input on how to help.<br class="">
<br class="">
Cheers,<br class="">
Julian.<br class="">
<br class="">
__________________________________________________________________________<br class="">
OpenStack Development Mailing List (not for usage questions)<br class="">
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org/?subject:unsubscribe" rel="noreferrer" target="_blank" class="">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br class="">
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank" class="">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br class="">
</blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></body></html>