<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Role is grouped in the collection under
the Tenant, with the userid in the members attribute for that
role.<br>
<br>
On 09/24/2012 03:18 AM, 邱剑 wrote:<br>
</div>
<blockquote
cite="mid:C32462BC-6237-4C84-9F44-E96F0F7C6A3D@meituan.com"
type="cite">
<div><br>
</div>
<div>OpenStack services need a user account with the 'admin' role. But I
could not figure out how FreeIPA propagates 'role' into Keystone.</div>
<div><br>
</div>
<div>That's why I'm asking the question on the mailing list.</div>
<div><br>
</div>
<div>
<div>
<div>On Sep 24, 2012, at 11:30 AM, spring wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">Thanks qiujian!
<div>By using this configuration, can we log in through
dashboard? If I want to implement that, is there any other
configuration I have to do?<br>
<div><br>
<div class="gmail_quote">2012/9/24 邱剑 <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:qiujian@meituan.com" target="_blank">qiujian@meituan.com</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">BTW, here is my
configuration:
<div><br>
</div>
<div>
<div>[ldap]</div>
<div>url = <a moz-do-not-send="true">ldap://10.64.11.199</a></div>
<div>tree_dn = cn=accounts,dc=mydomain,dc=com</div>
<div>user_tree_dn =
cn=users,cn=accounts,dc=mydomain,dc=com</div>
<div>user_objectclass = person</div>
<div>user_name_attribute = uid</div>
<div>user_id_attribute = uid</div>
<div>tenant_tree_dn =
cn=groups,cn=accounts,dc=mydomain,dc=com</div>
<div>tenant_objectclass = posixgroup</div>
<div>tenant_id_attribute = cn</div>
<div>tenant_name_attribute = cn</div>
<div>tenant_member_attribute = member</div>
<div>role_tree_dn =
cn=groups,cn=accounts,dc=mydomain,dc=com</div>
<div>role_objectclass = posixgroup</div>
<div>role_id_attribute = cn</div>
<div>role_name_attribute = cn</div>
<div>role_member_attribute = member</div>
<div>
user =
uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com</div>
<div>password = mysudopassword</div>
<div>suffix = cn=mydomain,cn=com</div>
<div><br>
</div>
<div><br>
</div>
<div>[identity]</div>
<div>driver =
keystone.identity.backends.ldap.Identity</div>
</div>
<div><br>
</div>
<div>It seems that keystone LDAP requires role
nodes to be the children of tenant nodes. But FreeIPA
has a flat structure.</div>
<div><br>
<div>
<div style="word-wrap:break-word">--</div>
<div style="word-wrap:break-word">邱剑<br>
Meituan Technology Department, System Operations Group - Systems Engineer<br>
Mobile: 1381129925<br>
Email: <a moz-do-not-send="true"
href="mailto:qiujian@meituan.com"
target="_blank">qiujian@meituan.com</a></div>
</div>
<br>
<div>
<div>
<div class="h5">
<div>On Sep 22, 2012, at 12:27 PM, 邱剑
wrote:</div>
<br>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div style="word-wrap:break-word">Hi,
<div><br>
<div>I was working on using the LDAP of
FreeIPA as the backend of Keystone.</div>
<div><br>
</div>
<div>User and tenant information
can be fetched from LDAP. However,
I could not figure out how to
assign roles to users in specific
tenants. I'm wondering whether
someone can help?</div>
<div><br>
</div>
<div>I noticed that Mr. Adam Young
had posted a blog about this topic:</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/"
target="_blank">http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/</a></div>
<div><br>
</div>
<div>However, it did not show how to
import roles in LDAP. I'm
wondering whether there is any
progress about this?</div>
<div><br>
</div>
<div>
<div>Many thanks.</div>
</div>
<div><br>
</div>
<div>
<div>
<div>keystone in use was the
latest master branch on github
on Sep 21, 2012.</div>
</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div>Jian Qiu</div>
</div>
</div>
</div>
</div>
<div class="im">_______________________________________________<br>
Mailing list: <a moz-do-not-send="true"
href="https://launchpad.net/%7Eopenstack"
target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a moz-do-not-send="true"
href="mailto:openstack@lists.launchpad.net"
target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a moz-do-not-send="true"
href="https://launchpad.net/%7Eopenstack"
target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a moz-do-not-send="true"
href="https://help.launchpad.net/ListHelp"
target="_blank">https://help.launchpad.net/ListHelp</a><br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Huang Shuquan (黄舒泉)<br>
Software Institute of Nanjing University Nanjing,
P.R.China<br>
Mobile: 86 137 7086 4433<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
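<div>The layout described in the reply at the top of this message (role entries grouped under the tenant entry, with the user listed in the role's member attribute), modelled as an added example that is not part of the original thread and is not Keystone's driver code. The base DNs and the member attribute come from the posted configuration; the user alice, the tenant demo and the in-memory directory are constructed.</div>

```python
# Added illustration: an in-memory model, not Keystone's LDAP driver code.
# DNs reuse the thread's config; entries and user/role names are constructed.

TENANT_TREE = "cn=groups,cn=accounts,dc=mydomain,dc=com"
USER_TREE = "cn=users,cn=accounts,dc=mydomain,dc=com"
MEMBER_ATTR = "member"  # role_member_attribute from the posted config


def norm(dn):
    """Lower-case and strip spaces around RDNs (assumes no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent(dn):
    """Return the DN one level up, or '' for a single-RDN DN."""
    _, _, rest = norm(dn).partition(",")
    return rest


def roles_for_user(directory, tenant, user):
    """Names of role entries directly under the tenant entry that list the user."""
    tenant_dn = norm(f"cn={tenant},{TENANT_TREE}")
    user_dn = norm(f"uid={user},{USER_TREE}")
    found = []
    for dn, attrs in directory.items():
        if parent(dn) != tenant_dn:
            continue  # not a child of this tenant: invisible to the lookup
        members = {norm(m) for m in attrs.get(MEMBER_ATTR, [])}
        if user_dn in members:
            found.append(attrs["cn"][0])
    return sorted(found)


alice = f"uid=alice,{USER_TREE}"
# Nested layout: the role entry is a child of the tenant entry.
nested = {
    f"cn=demo,{TENANT_TREE}": {"cn": ["demo"], MEMBER_ATTR: [alice]},
    f"cn=admin,cn=demo,{TENANT_TREE}": {"cn": ["admin"], MEMBER_ATTR: [alice]},
}

# Flat layout: tenant and role groups are siblings under the same container.
flat = {
    f"cn=demo,{TENANT_TREE}": {"cn": ["demo"], MEMBER_ATTR: [alice]},
    f"cn=admin,{TENANT_TREE}": {"cn": ["admin"], MEMBER_ATTR: [alice]},
}

if __name__ == "__main__":
    print("nested:", roles_for_user(nested, "demo", "alice"))
    print("flat:  ", roles_for_user(flat, "demo", "alice"))
```

<div>In the flat layout, membership of an admin group that sits beside the tenant group yields no role inside that tenant, which is the mismatch the thread describes.</div>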
</body>
</html>