<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Right now I think the LDAP queries are limited to one level of the
    subtree, but actually it might be possible to loosen this up, and
    thus get subtree queries.<br>
    <br>
    <br>
    For example, if you look at the implementation of
    keystone/common/ldap/core.py, you can see that most of the queries are like this:<br>
    <pre>return conn.search_s(self.tree_dn, ldap.SCOPE_ONELEVEL, query)</pre>
    But I know of no reason that they should be limited to
    ldap.SCOPE_ONELEVEL.  At a minimum,  we might be able to make this a
    configuration value,  but I suspect that expanding this to
    SCOPE_SUBTREE.  Would you be interested in testing that change out?<br>
    <br>
    <br>
    <br>
    On 05/22/2012 08:32 PM, Kuo Hugo wrote:
    <blockquote
cite="mid:CA++_uhsPb+hNN=O763h4fJuY35HFuWUaYPwGZtE5tvmopAzFrA@mail.gmail.com"
      type="cite">Thanks for your quick reply.
      <div><br>
      </div>
      <div>I'll review the necessity of subtree queries.</div>
      <div><br>
      </div>
      <div>It really depends on the user's demand. I did some more
        research on AD and LDAP structure design.</div>
      <div><br>
      </div>
      <div>I found that if an enterprise has an existing AD server with
        the structure as follows:</div>
      <div><br>
      </div>
      <pre>dc=foo,dc=com
   |__OU-HR
   |         |_cn:hr-user1
   |         |_cn:hr-user2
   |         |_cn:hr-user3
   |
   |__OU-IT
             |_cn:it-user1
             |_cn:it-user2
             |_cn:it-user3
</pre>
      <div><br>
      </div>
      <div>For such an LDAP structure, only HR or IT users could be
        validated.</div>
      <div><br>
      </div>
      <div>Is there any existing approach within LDAP to import users from
        one OU to another OU, like the diagram below?</div>
      <div><br>
      </div>
      <div><br>
      </div>
      <pre>dc=foo,dc=com
   |__OU-HR
   |         |_cn:hr-user1
   |         |_cn:hr-user2
   |         |_cn:hr-user3
   |
   |__OU-IT
   |         |_cn:it-user1
   |         |_cn:it-user2
   |         |_cn:it-user3
   |
   |__OU-Keystone-Users
             |_cn:it-user1
             |_cn:hr-user1
</pre>
      <div><br>
      </div>
      <div>If so, I can specify user_tree_dn to ou=OU-Keystone-Users.</div>
      <div>Any suggestions?</div>
      <div><br>
      </div>
      <div>Cheers</div>
      <div><br>
      </div>
      <div><br>
        <div class="gmail_quote">2012/5/22 Adam Young <span dir="ltr"><<a
              moz-do-not-send="true" href="mailto:ayoung@redhat.com"
              target="_blank">ayoung@redhat.com</a>></span><br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div class="h5"> On 05/22/2012 07:07 AM, Kuo Hugo wrote:
                  <blockquote type="cite">
                    <div>Hi Folks , </div>
                    <div><br>
                    </div>
                    <div>I have tried the keystone backend with LDAP and
                      Windows AD.</div>
                    <div><br>
                    </div>
                    <div>It looks fine. Just want to clarify one
                      point.</div>
                    <div><br>
                    </div>
                    <div>From my test results, the LDAP driver could only
                      validate users in the particular container (OU, CN,
                      etc.) and does not include the subtree users.</div>
                    <div><br>
                    </div>
                    <pre>[ldap]
tree_dn = dc=taiwan,dc=com
user_tree_dn = ou=foo,dc=taiwan,dc=com
</pre>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div>For example:</div>
                    <pre>User1 : cn=jeremy,ou=foo,dc=taiwan,dc=com
User2 : cn=jordan,ou=bar,ou=foo,dc=taiwan,dc=com
</pre>
                    <div>User1 could be validated, and get the token
                      generated by keystone.</div>
                    <div>User2 could not be validated.</div>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div>Is there any way to validate both User1 and
                      User2 in the current design?</div>
                  </blockquote>
                  <br>
                </div>
              </div>
              No, there is not.  Queries are not done against subtrees. 
              <br>
              <br>
              If this is important to you,  please file a ticket:<br>
              <a moz-do-not-send="true"
                href="https://bugs.launchpad.net/keystone/+filebug"
                target="_blank">https://bugs.launchpad.net/keystone/+filebug</a><br>
              <br>
              <br>
              <br>
              <blockquote type="cite">
                <div class="im">
                  <div><br>
                  </div>
                  <div><br>
                  </div>
                  -- <br>
                  <div>+Hugo Kuo+</div>
                  <div><a moz-do-not-send="true"
                      href="mailto:tonytkdk@gmail.com" target="_blank">tonytkdk@gmail.com<br>
                    </a></div>
                  <div><a moz-do-not-send="true"
                      href="mailto:tonytkdk@gmail.com" target="_blank">+</a>886
                    935004793</div>
                  <br>
                  <br>
                  <br>
                </div>
                <pre>_______________________________________________
Mailing list: <a moz-do-not-send="true" href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a>
Post to     : <a moz-do-not-send="true" href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>
Unsubscribe : <a moz-do-not-send="true" href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a>
More help   : <a moz-do-not-send="true" href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a>
</pre>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div>+Hugo Kuo+</div>
        <div><a moz-do-not-send="true" href="mailto:tonytkdk@gmail.com"
            target="_blank">tonytkdk@gmail.com<br>
          </a></div>
        <div><a moz-do-not-send="true" href="mailto:tonytkdk@gmail.com"
            target="_blank">+</a>886 935004793</div>
        <br>
      </div>
    </blockquote>
    <br>
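    As an added illustration of the scope distinction Adam describes, and not Keystone's code or python-ldap, the following Python emulates what a search on user_tree_dn returns for the DNs quoted in this thread under SCOPE_ONELEVEL versus SCOPE_SUBTREE, with the scope supplied as a configuration-style string in the way Adam proposes. The sample entry set, the ou=services account and all function names are constructed for the example.<br>

```python
# Added example, not Keystone's code and not python-ldap: emulates LDAP
# search-scope semantics for the DNs discussed in this thread.
# Same numbering as RFC 4511 (and python-ldap's ldap.SCOPE_* constants).
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2
# The string values stand in for the configuration option Adam proposes.
SCOPE_BY_NAME = {"base": SCOPE_BASE, "one": SCOPE_ONELEVEL, "sub": SCOPE_SUBTREE}


def split_dn(dn):
    """Normalize a DN into its RDNs, root first.  Simplified: case-folds and
    splits on ',' without handling escaped commas (RFC 4514)."""
    return [rdn.strip().lower() for rdn in dn.split(",")][::-1]


def in_scope(entry_dn, base_dn, scope):
    """True if a search on base_dn with the given scope would reach entry_dn."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if entry[:len(base)] != base:
        return False                     # not beneath the base at all
    depth = len(entry) - len(base)       # 0 = the base entry itself
    if scope == SCOPE_BASE:
        return depth == 0
    if scope == SCOPE_ONELEVEL:
        return depth == 1                # direct children only, as Keystone queried
    if scope == SCOPE_SUBTREE:
        return True                      # the base and every descendant
    raise ValueError("unknown scope %r" % scope)


def search_users(entries, base_dn, query_scope="one", object_class="inetOrgPerson"):
    """Emulate search_s(base_dn, scope, '(objectClass=...)') and return the
    matching DNs sorted.  The objectClass filter is what keeps OU entries and
    unrelated accounts out once the scope is widened to the subtree."""
    scope = SCOPE_BY_NAME[query_scope]
    return sorted(dn for dn, attrs in entries.items()
                  if in_scope(dn, base_dn, scope)
                  and attrs["objectClass"].lower() == object_class.lower())


# Constructed directory modelled on the [ldap] section quoted in the thread.
USER_TREE_DN = "ou=foo,dc=taiwan,dc=com"
ENTRIES = {
    "cn=jeremy,ou=foo,dc=taiwan,dc=com": {"objectClass": "inetOrgPerson"},
    "ou=bar,ou=foo,dc=taiwan,dc=com": {"objectClass": "organizationalUnit"},
    "cn=jordan,ou=bar,ou=foo,dc=taiwan,dc=com": {"objectClass": "inetOrgPerson"},
    "cn=svc-backup,ou=services,dc=taiwan,dc=com": {"objectClass": "inetOrgPerson"},
}

if __name__ == "__main__":
    for scope_name in ("one", "sub"):
        print(scope_name, search_users(ENTRIES, USER_TREE_DN, scope_name))
```

    With "one" only cn=jeremy is found, with "sub" cn=jordan under ou=bar is found as well; widening the scope makes every entry beneath the base a candidate, so the objectClass filter (and the choice of base DN) is what keeps organizational units and accounts in unrelated OUs out of the authentication path.<br>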
  </body>
</html>