<html><body>
<p><font size="2" face="sans-serif">The LDAP driver for identity shouldn't require write access to look up groups. It'll only require write access if you want to allow Keystone to create/delete/update new groups.</font><br>
<font size="2" face="sans-serif">Not sure what you mean by "</font><tt><font size="2">requires an LDAP admin to set up groups separately</font></tt><font size="2" face="sans-serif">" either. Have any more details you can share?</font><br>
<font size="2" face="sans-serif"><br>
Thanks,<br>
<br>
Steve Martinelli<br>
OpenStack Keystone Core</font><br>
<br>
<tt><font size="2">Julian Edwards <bigjools@gmail.com> wrote on 2015/07/24 12:00:33 AM:<br>
<br>
> From: Julian Edwards <bigjools@gmail.com></font></tt><br>
<tt><font size="2">> To: openstack-dev@lists.openstack.org</font></tt><br>
<tt><font size="2">> Date: 2015/07/24 12:01 AM</font></tt><br>
<tt><font size="2">> Subject: [openstack-dev] [keystone] LDAP identity driver with groups<br>
> from local DB</font></tt><br>
<tt><font size="2">> <br>
> Hello,<br>
> <br>
> I am relatively new to Openstack and Keystone so please forgive me any<br>
> crazy misunderstandings here.<br>
> <br>
> One of the problems with the existing LDAP Identity driver that I see<br>
> is that for group management it needs write access to the LDAP server,<br>
> or requires an LDAP admin to set up groups separately.<br>
> <br>
> Neither of these are palatable to some larger users with corporate<br>
> LDAP directories, so I'm interested in discussing a solution that<br>
> would get acceptance from core devs.<br>
> <br>
> My initial thoughts are to create a new driver that would store groups<br>
> and their user memberships in the local keystone database, while<br>
> continuing to rely on LDAP for user authentication. The advantages of<br>
> this would be that the standard UI tools could continue to work for<br>
> group manipulation. This is somewhat parallel with ephemeral<br>
> federated user group mappings, but that's all done in the json blob<br>
> which is a bit horrible. (I'd like to see that working with a decent<br>
> UI some time, perhaps it is solved in the same way)<br>
> <br>
> However, one of the other reasons I'm sending this is to gather more<br>
> ideas to solve this. I'd like to hear from anyone in a similar<br>
> position, and anyone with input on how to help.<br>
> <br>
> Cheers,<br>
> Julian.<br>
> <br>
> __________________________________________________________________________<br>
> OpenStack Development Mailing List (not for usage questions)<br>
> Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
> <br>
</font></tt></body></html>