<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/19/2015 04:23 AM, Jesse Pretorius
wrote:<br>
</div>
<blockquote
cite="mid:CAGSrQvyjtftUqKMkGAgAFHZ9qnFKy_Dkbf_ctnB=5wfHi+3MNA@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra">
<div class="gmail_quote">On 12 August 2015 at 18:48, Adam
Young <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div><br>
</div>
</span> The simplest one is Kerberos + SSSD;<br>
<br>
Kerberos provides Authentication.<br>
mod_lookup_identity uses SSSD to get Groups. It turns
LDAP into another Federated identity, much simpler than
the LDAP code in Keystone (I am responsible for that
mess).<br>
<br>
We are working on automating this via Ansible on top of
a RHEL/CentOS 7 install to demo in Tokyo.<br>
<br>
I am not certain if all the pieces are in place yet for
a Debian-based install. Specifically, it needs an updated
sssd-dbus package.<br>
<br>
We also have mod_mellon and Ipsilon working, as Jamie
demo'ed at Pycon AU.<br>
</div>
</blockquote>
<div><br>
</div>
<div>Sounds great!</div>
<div><br>
</div>
<div>Would you be prepared to put together some WIP reviews
to add those to the Keystone role in openstack-ansible?
Even if they're non-working sketches that we can work from
and iterate on, that'd be great.</div>
</div>
</div>
</div>
</blockquote>
<br>
Our sample code is here:<br>
<br>
<a class="moz-txt-link-freetext" href="https://github.com/jamielennox/rippowam">https://github.com/jamielennox/rippowam</a><br>
<br>
<br>
<br>
I wrote up a README for what we are doing:<br>
<br>
<a class="moz-txt-link-freetext" href="https://github.com/admiyo/rippowam/blob/master/README.rst">https://github.com/admiyo/rippowam/blob/master/README.rst</a><br>
<br>
<br>
The stuff you care about is here:<br>
<br>
Setting up SSSD<br>
<a class="moz-txt-link-freetext" href="https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/infopipe.yml">https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/infopipe.yml</a><br>
<br>
And
<a class="moz-txt-link-freetext" href="https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/keystone-sssd.yml">https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/keystone-sssd.yml</a><br>
<br>
<br>
<blockquote
cite="mid:CAGSrQvyjtftUqKMkGAgAFHZ9qnFKy_Dkbf_ctnB=5wfHi+3MNA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Note that we're looking at implementing some changes to
broaden the platform support too. We're moving some of the
pieces into place for the liberty [1] release and I'll be
putting my thoughts down on multi-platform host enablement
[2] soon. Also, considering that it'd be easier to
comprehend, consume and iterate the Ansible roles if they
were independent consumable units, I've also proposed
[3][4] to break them out into their own repositories. It'd
be great if you could provide your input.</div>
<div><br>
</div>
<div>[1] <a moz-do-not-send="true"
href="https://blueprints.launchpad.net/openstack-ansible/+spec/liberty">https://blueprints.launchpad.net/openstack-ansible/+spec/liberty</a><br>
</div>
<div>[2] <a moz-do-not-send="true"
href="https://blueprints.launchpad.net/openstack-ansible/+spec/multi-platform-host">https://blueprints.launchpad.net/openstack-ansible/+spec/multi-platform-host</a></div>
<div>[3] <a moz-do-not-send="true"
href="https://blueprints.launchpad.net/openstack-ansible/+spec/independent-role-repositories">https://blueprints.launchpad.net/openstack-ansible/+spec/independent-role-repositories</a></div>
<div>[4] <a moz-do-not-send="true"
href="https://review.openstack.org/213779">https://review.openstack.org/213779</a></div>
<div><br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</body>
</html>