Thanks for your quick reply . <div><br></div><div>I'll review the necessary of subtree query .</div><div><br></div><div>It's really depends on user's demand. I did some more research of AD or LDAP structure design. </div>
<div><br></div><div>I found that if an enterprise has an existing AD server and the structure as follow</div><div><br></div><div>dc=foo,dc=com</div><div> |__OU-HR</div><div> | |_cn:hr-user1</div><div> | |_cn:hr-user2</div>
<div> | |_cn:hr-user3</div><div> |</div><div> |__OU-IT</div><div> |_cn:it-user1</div><div> |_cn:it-user2</div><div> |_cn:it-user3</div><div><br></div><div>For such LDAP structure , only HR or IT users cound be validated . </div>
<div><br></div><div>Is there any exist approach within LDAP to import users from an OU to another OU like below's diagram</div><div><br></div><div><br></div><div><div>dc=foo,dc=com</div><div> |__OU-HR</div><div> | |_cn:hr-user1</div>
<div> | |_cn:hr-user2</div><div> | |_cn:hr-user3</div><div> |</div><div> |__OU-IT</div><div> | |_cn:it-user1</div><div> | |_cn:it-user2</div><div> | |_cn:it-user3</div>
</div><div> |</div><div><div> |</div><div> |__OU-Keystone-Users</div></div><div> |_cn:it-user1</div><div> |_cn:hr-user1</div><div><br></div><div>If so , I can specify user_tree_dn to ou=OU-Keystone-Users . </div>
<div>any suggestions ?</div><div><br></div><div>Cheers</div><div><br></div><div><br><div class="gmail_quote">2012/5/22 Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
On 05/22/2012 07:07 AM, Kuo Hugo wrote:
<blockquote type="cite">
<div>Hi Folks , </div>
<div><br>
</div>
<div>I have try with keystone backend by LDAP and Windows AD. </div>
<div><br>
</div>
<div>It looks fine . Just want to clarify one point. </div>
<div><br>
</div>
<div>For my test result , LDAP driver could only validate users in
the particular container (OU,CN etc.) and does not include the
subtree users.</div>
<div><br>
</div>
<div>[ldap]</div>
<div>
<div>tree_dn = dc=taiwan,dc=com</div>
<div>user_tree_dn = ou=foo,dc=taiwan,dc=com</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>For example ....</div>
<div> User1 : cn=jeremy,ou=foo,dc=taiwan,dc=com</div>
<div><br>
</div>
<div> User2 :
cn=jordan,ou=bar,ou=foo,dc=taiwan,dc=com</div>
<div> </div>
<div>User1 could be validated , and get the token generated by
keystone.</div>
<div>User2 could not be validated </div>
<div><br>
</div>
<div><br>
</div>
<div>Is there any way to validate both User1 and User2 in current
design ?</div>
</blockquote>
<br></div></div>
No, there is not. Queries are not done against subtrees. <br>
<br>
If this is important to you, please file a ticket:<br>
<a href="https://bugs.launchpad.net/keystone/+filebug" target="_blank">https://bugs.launchpad.net/keystone/+filebug</a><br>
<br>
<br>
<br>
<blockquote type="cite"><div class="im">
<div><br>
</div>
<div><br>
</div>
-- <br>
<div>+Hugo Kuo+</div>
<div><a href="mailto:tonytkdk@gmail.com" target="_blank">tonytkdk@gmail.com<br>
</a></div>
<div><a href="mailto:tonytkdk@gmail.com" target="_blank">+</a>886 935004793</div>
<br>
<br>
<fieldset></fieldset>
<br>
</div><pre>_______________________________________________
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a>
</pre>
</blockquote>
<br>
</div>
<br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>+Hugo Kuo+</div><div><a href="mailto:tonytkdk@gmail.com" target="_blank">tonytkdk@gmail.com<br></a></div><div><a href="mailto:tonytkdk@gmail.com" target="_blank">+</a>886 935004793</div>
<br>
</div>