[Openstack] FreeIPA LDAP + Keystone question: How to assign roles to user?

Adam Young ayoung at redhat.com
Tue Sep 25 15:01:40 UTC 2012


On 09/24/2012 10:45 PM, 邱剑 wrote:
>
> Thanks. Adam.
>
> Is there any way to configure FreeIPA LDAP to have this structure?

Yes there is.

I originally wrote it up here:

http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/

and checked it recently to see if I could do LDAPS (yes I could):

http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/


>
> Many thanks.
>
> On Sep 24, 2012, at 11:10 PM, Adam Young wrote:
>
>> Role is grouped in the collection under the Tenant, with the userid 
>> in the members attribute for that role.
>>
>>
>>
>> On 09/24/2012 03:18 AM, 邱剑 wrote:
>>>
>>> Openstack services need a user account with the 'admin' role. But I could 
>>> not figure out how FreeIPA propagates 'role' into Keystone.
>>>
>>> That's why I'm asking the question on the mailing list.
>>>
>>>
>>> On Sep 24, 2012, at 11:30 AM, spring wrote:
>>>
>>>> Thanks qiujian!
>>>> By using this configuration, can we log in through the dashboard? If I 
>>>> want to implement that, is there any other configuration I have to do?
>>>>
>>>> 2012/9/24 邱剑 <qiujian at meituan.com>
>>>>
>>>>     BTW, here is my configuration:
>>>>
>>>>     [ldap]
>>>>     url = ldap://10.64.11.199
>>>>     tree_dn = cn=accounts,dc=mydomain,dc=com
>>>>     user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
>>>>     user_objectclass = person
>>>>     user_name_attribute = uid
>>>>     user_id_attribute = uid
>>>>     tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
>>>>     tenant_objectclass = posixgroup
>>>>     tenant_id_attribute = cn
>>>>     tenant_name_attribute = cn
>>>>     tenant_member_attribute = member
>>>>     role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
>>>>     role_objectclass = posixgroup
>>>>     role_id_attribute = cn
>>>>     role_name_attribute = cn
>>>>     role_member_attribute = member
>>>>     user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
>>>>     password = mysudopassword
>>>>     # directory base; must use the same dc= components as the DNs above
>>>>     suffix = dc=mydomain,dc=com
>>>>
>>>>
>>>>     [identity]
>>>>     driver = keystone.identity.backends.ldap.Identity
>>>>
>>>>     It seems that keystone LDAP requires role nodes to be children of
>>>>     tenant nodes. But FreeIPA has a flat structure.
>>>>
>>>>     --
>>>>     邱剑
>>>>     Meituan Technology Department, Systems Operations Group - Systems Engineer
>>>>     Mobile: 1381129925
>>>>     Email: qiujian at meituan.com
>>>>
>>>>     On Sep 22, 2012, at 12:27 PM, 邱剑 wrote:
>>>>
>>>>>     Hi,
>>>>>
>>>>>     I was working on using FreeIPA's LDAP as the backend of Keystone.
>>>>>
>>>>>     User and tenant information can be fetched from LDAP.
>>>>>     However, I could not figure out how to assign roles to users
>>>>>     in specific tenants. I'm wondering whether someone can help?
>>>>>
>>>>>     I noticed that Mr. Adam Young had posted a blog about this topic:
>>>>>
>>>>>     http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
>>>>>
>>>>>     However, it did not show how to import roles into LDAP. I'm
>>>>>     wondering whether there is any progress on this?
>>>>>
>>>>>     Many thanks.
>>>>>
>>>>>     The keystone in use was the latest master branch on github on Sep
>>>>>     21, 2012.
>>>>>
>>>>>
>>>>>     Jian Qiu
>>>>>     _______________________________________________
>>>>>     Mailing list: https://launchpad.net/~openstack
>>>>>     Post to     : openstack at lists.launchpad.net
>>>>>     Unsubscribe : https://launchpad.net/~openstack
>>>>>     More help   : https://help.launchpad.net/ListHelp
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> -- 
>>>> Huang Shuquan (黄舒泉)
>>>> Software Institute of Nanjing University Nanjing, P.R.China
>>>> Mobile: 86 137 7086 4433
>>>>
>>>
>>>
>>>
>>
>
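
The layout Adam describes above (a role is an entry under the tenant entry, with the user DNs in that role's member attribute) and the flat FreeIPA tree behind the posted [ldap] config can be compared directly. The following is an added example and not Keystone's or FreeIPA's code: it parses two small constructed LDIF fragments, one nested the way the description requires and one flat the way FreeIPA's cn=groups container is, and resolves a user's roles in a tenant using the option names from the posted config. The users alice and bob, the tenant demo and the base dc=mydomain,dc=com are constructed to match the DNs in the thread.

```python
"""Toy model of the role layout Keystone's 2012-era LDAP driver expected.

Added example, not Keystone's or FreeIPA's code. It models the convention
described in the thread: a role is an entry directly under the tenant
entry, and the user DNs are listed in that role entry's member attribute.
All DNs and LDIF below are constructed for illustration; the base
dc=mydomain,dc=com and the option names come from the posted config.
"""
from collections import defaultdict

# Option names and values copied from the [ldap] section in the thread.
CFG = {
    "tenant_tree_dn": "cn=groups,cn=accounts,dc=mydomain,dc=com",
    "tenant_id_attribute": "cn",
    "role_objectclass": "posixgroup",
    "role_id_attribute": "cn",
    "role_member_attribute": "member",
}

ALICE = "uid=alice,cn=users,cn=accounts,dc=mydomain,dc=com"  # constructed
BOB = "uid=bob,cn=users,cn=accounts,dc=mydomain,dc=com"      # constructed

# Constructed: the nested shape the thread says the driver needs.
# Tenant "demo" holds the role entries "admin" and "Member" as children.
NESTED_LDIF = f"""
dn: cn=demo,cn=groups,cn=accounts,dc=mydomain,dc=com
objectClass: posixGroup
cn: demo
member: {ALICE}
member: {BOB}

dn: cn=admin,cn=demo,cn=groups,cn=accounts,dc=mydomain,dc=com
objectClass: posixGroup
cn: admin
member: {ALICE}

dn: cn=Member,cn=demo,cn=groups,cn=accounts,dc=mydomain,dc=com
objectClass: posixGroup
cn: Member
member: {ALICE}
member: {BOB}
"""

# Constructed: FreeIPA's flat layout. "admin" is a sibling of "demo"
# under cn=groups, not a child of it, so it carries no tenant scope.
FLAT_LDIF = f"""
dn: cn=demo,cn=groups,cn=accounts,dc=mydomain,dc=com
objectClass: posixGroup
cn: demo
member: {ALICE}
member: {BOB}

dn: cn=admin,cn=groups,cn=accounts,dc=mydomain,dc=com
objectClass: posixGroup
cn: admin
member: {ALICE}
"""


def parse_ldif(text):
    """Parse a minimal LDIF string into {dn_lower: {attr_lower: [values]}}.
    No line folding, base64 or changetype support: enough for the fixtures."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def parent_dn(dn):
    """Parent of a DN; a plain split is fine here (no escaped commas)."""
    return dn.split(",", 1)[1]


def roles_for(entries, user_dn, tenant_id, cfg=CFG):
    """Roles granted to user_dn in tenant tenant_id, resolved the nested way:
    tenant entry -> child entries of role_objectclass -> member attribute."""
    tenant_dn = f"{cfg['tenant_id_attribute']}={tenant_id},{cfg['tenant_tree_dn']}".lower()
    if tenant_dn not in entries:
        raise KeyError(f"tenant {tenant_id!r} not found under {cfg['tenant_tree_dn']}")
    member_attr = cfg["role_member_attribute"].lower()
    roles = []
    for dn, attrs in entries.items():
        if parent_dn(dn) != tenant_dn:
            continue  # only direct children of the tenant count as its roles
        classes = {oc.lower() for oc in attrs.get("objectclass", [])}
        if cfg["role_objectclass"].lower() not in classes:
            continue
        members = {m.lower() for m in attrs.get(member_attr, [])}
        if user_dn.lower() in members:
            roles.extend(attrs[cfg["role_id_attribute"].lower()])
    return sorted(roles)


NESTED = parse_ldif(NESTED_LDIF)
FLAT = parse_ldif(FLAT_LDIF)

if __name__ == "__main__":
    print("nested, alice in demo:", roles_for(NESTED, ALICE, "demo"))  # ['Member', 'admin']
    print("nested, bob in demo:  ", roles_for(NESTED, BOB, "demo"))    # ['Member']
    print("flat,   alice in demo:", roles_for(FLAT, ALICE, "demo"))    # []
```

The point the two fixtures make is that, in this layout, the tenant scope of a role grant lives in the DN hierarchy rather than in any attribute: alice is a member of cn=admin in both trees, but in the flat tree that group has no tenant parent, so a lookup scoped to demo finds no roles at all. That is the behaviour the original poster saw, and why Adam's answer points to building the nested entries in FreeIPA rather than changing the Keystone options.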
