Hi Adam,<div>Can Keystone use MS AD Server as a back end now?<br><br><div class="gmail_quote">2012/9/25 Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><div class="im">
<div>On 09/24/2012 10:45 PM, 邱剑 wrote:<br>
</div>
<blockquote type="cite"><br>
<div>
<span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px">
<div style="word-wrap:break-word">Thanks. Adam.</div>
<div style="word-wrap:break-word"><br>
</div>
<div style="word-wrap:break-word">Is there any way
to configure FreeIPA LDAP to have this structure?</div>
</span></span></div>
</blockquote>
<br></div>
Yes there is.<br>
<br>
I originally wrote it up here:<br>
<br>
<a href="http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/" target="_blank">http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/</a><br>
<br>
and checked it recently to see if I could do LDAPS (yes I could):<br>
<br>
<a href="http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/" target="_blank">http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/</a><div><div class="h5"><br>
<br>
<br>
<blockquote type="cite">
<div><span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px">
<div style="word-wrap:break-word"><br>
</div>
<div style="word-wrap:break-word">Many thanks.</div>
</span></span>
</div>
<br>
<div>
<div>On Sep 24, 2012, at 11:10 PM, Adam Young wrote:</div>
<br>
<blockquote type="cite">
<div text="#000000" bgcolor="#FFFFFF">
<div>Role is grouped in the
collection under the Tenant, with the userid in the
members attribute for that role.<br>
<br>
<br>
<br>
On 09/24/2012 03:18 AM, 邱剑 wrote:<br>
</div>
<blockquote type="cite">
<div><br>
</div>
<div>OpenStack services need a user account with the 'admin'
role. But I could not figure out how FreeIPA propagates
'role' into Keystone.</div>
<div><br>
</div>
<div>That's why I'm asking the question on the mailing list.</div>
<div><br>
</div>
<div>
<div><span style="border-collapse:separate;font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:medium"><span style="border-collapse:separate;font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:medium">
<div style="word-wrap:break-word"><br>
</div>
</span></span></div>
<div>
<div>On Sep 24, 2012, at 11:30 AM, spring wrote:</div>
<br>
<blockquote type="cite">Thanks qiujian!
<div>By using this configuration, can we log in
through the dashboard? If I want to implement that, is
there any other configuration I have to do?<br>
<div><br>
<div class="gmail_quote">2012/9/24 邱剑 <span dir="ltr"><<a href="mailto:qiujian@meituan.com" target="_blank">qiujian@meituan.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">BTW, here
is my configuration:
<div><br>
</div>
<pre>[ldap]
url = ldap://10.64.11.199
tree_dn = cn=accounts,dc=mydomain,dc=com
user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
user_objectclass = person
user_name_attribute = uid
user_id_attribute = uid
tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
tenant_objectclass = posixgroup
tenant_id_attribute = cn
tenant_name_attribute = cn
tenant_member_attribute = member
# role entries are looked up below the tenant entry, not directly here
role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
role_objectclass = posixgroup
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = member
# system account Keystone binds as
user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
password = mysudopassword
# base DN of the directory; must use the same components as the DNs above
suffix = dc=mydomain,dc=com

[identity]
driver = keystone.identity.backends.ldap.Identity
</pre>
<div><br>
</div>
<div>It seems that Keystone LDAP requires
role nodes to be the children of tenant nodes.
But FreeIPA has a flat structure.</div>
<div><br>
<div>
<div style="word-wrap:break-word">--</div>
<div style="word-wrap:break-word">邱剑<br>
Meituan Technology Department, Systems Operations Group - Systems Engineer<br>
Mobile: 1381129925<br>
Email: <a href="mailto:qiujian@meituan.com" target="_blank">qiujian@meituan.com</a></div>
</div>
<br>
<div>
<div>
<div>
<div>On Sep 22, 2012, at 12:27 PM,
邱剑 wrote:</div>
<br>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div style="word-wrap:break-word">Hi,
<div><br>
<div>I was working on using
the LDAP of FreeIPA as the backend
of Keystone.</div>
<div><br>
</div>
<div>User and tenant
information can be fetched
from LDAP. However, I
could not figure out how
to assign roles to users
in specific tenants. I'm
wondering whether someone
can help?</div>
<div><br>
</div>
<div>I noticed that Mr. Adam
Young had posted a blog
about this topic:</div>
<div><br>
</div>
<div><a href="http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/" target="_blank">http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/</a></div>
<div><br>
</div>
<div>However, it did not
show how to import roles
in LDAP. I'm wondering
whether there is any
progress on this?</div>
<div><br>
</div>
<div>
<div>Many thanks.</div>
</div>
<div><br>
</div>
<div>
<div>
<div>Keystone in use was
the latest master
branch on GitHub on
Sep 21, 2012.</div>
</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div>Jian Qiu</div>
</div>
</div>
</div>
</div>
<div>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Huang Shuquan (黄舒泉)<br>
Software Institute of Nanjing University
Nanjing, P.R.China<br>
Mobile: 86 137 7086 4433<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Huang Shuquan (黄舒泉)<br>Software Institute of Nanjing University Nanjing, P.R.China<br>Mobile: 86 137 7086 4433<br><br>
</div>
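Adam's description in the thread (role entries grouped under the tenant entry, with the user DNs in that role's member attribute) is why flat FreeIPA groups give no role assignments with the posted config. The Python below is an added illustration, not code from the thread or from Keystone itself: it emulates a one-level LDAP search below a tenant entry using the option names from the posted [ldap] section. The directory contents, DNs and the user ids nova and bob are all constructed.

```python
# Added illustration of the nested-role layout Keystone's LDAP driver
# expects, as described by Adam in the thread.  Not Keystone code; every
# DN and entry below is constructed for the example.

CONFIG = {  # subset of the [ldap] options posted in the thread
    "user_tree_dn": "cn=users,cn=accounts,dc=mydomain,dc=com",
    "tenant_tree_dn": "cn=groups,cn=accounts,dc=mydomain,dc=com",
    "role_objectclass": "posixgroup",
    "role_member_attribute": "member",
}

NOVA = "uid=nova,cn=users,cn=accounts,dc=mydomain,dc=com"
BOB = "uid=bob,cn=users,cn=accounts,dc=mydomain,dc=com"

# Constructed directory: dn -> {attribute: [values]}
DIRECTORY = {
    NOVA: {"objectclass": ["person"], "uid": ["nova"]},
    BOB: {"objectclass": ["person"], "uid": ["bob"]},
    # tenant entry directly under tenant_tree_dn
    "cn=service,cn=groups,cn=accounts,dc=mydomain,dc=com":
        {"objectclass": ["posixgroup"], "cn": ["service"], "member": [NOVA, BOB]},
    # role entry nested under the tenant: the layout Keystone looks for
    "cn=admin,cn=service,cn=groups,cn=accounts,dc=mydomain,dc=com":
        {"objectclass": ["posixgroup"], "cn": ["admin"], "member": [NOVA]},
    # flat FreeIPA-style group: a sibling of the tenant, not a child of it
    "cn=admin,cn=groups,cn=accounts,dc=mydomain,dc=com":
        {"objectclass": ["posixgroup"], "cn": ["admin"], "member": [BOB]},
}


def one_level_children(directory, parent_dn):
    """Emulate an LDAP search with scope ONELEVEL below parent_dn."""
    suffix = "," + parent_dn.lower()
    for dn, attrs in directory.items():
        rdn = dn[: -len(suffix)] if dn.lower().endswith(suffix) else None
        if rdn is not None and "," not in rdn:  # exactly one RDN deeper
            yield dn, attrs


def roles_for_user_in_tenant(directory, cfg, user_id, tenant_id):
    """Return the roles user_id holds in tenant_id (nested-role layout)."""
    user_dn = f"uid={user_id},{cfg['user_tree_dn']}".lower()
    tenant_dn = f"cn={tenant_id},{cfg['tenant_tree_dn']}"
    roles = set()
    for _dn, attrs in one_level_children(directory, tenant_dn):
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if cfg["role_objectclass"] not in classes:
            continue  # a child of the tenant that is not a role entry
        members = [m.lower() for m in attrs.get(cfg["role_member_attribute"], [])]
        if user_dn in members:
            roles.add(attrs["cn"][0])
    return sorted(roles)
```

bob is a member of the flat cn=admin group, but because that entry is not a child of the tenant entry the driver never sees it, which is the mismatch the thread describes.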