<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Thanks, Adam.<div><br></div><div>I saw in your blog "Keystone Roles are not yet implemented."</div><div><br></div><div>In order to make OpenStack work, it seems I have to assign the "admin" role to some users.</div><div><br></div><div><br></div><div><div><div>On Sep 25, 2012, at 11:01 PM, Adam Young wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
  
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 09/24/2012 10:45 PM, 邱剑 wrote:<br>
    </div>
    <blockquote cite="mid:698EFE44-E06E-4B89-B8A6-9E62948C8B8D@meituan.com" type="cite"><br>
      <div apple-content-edited="true">
            <div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Thanks, Adam.</div>
            <div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br>
            </div>
            <div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Is there any way
              to configure FreeIPA LDAP to have this structure?</div>
          </div>
    </blockquote>
    <br>
    Yes there is.<br>
    <br>
    I originally wrote it up here:<br>
    <br>
    <a class="moz-txt-link-freetext" href="http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/">http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/</a><br>
    <br>
    and checked it recently to see if I could do LDAPS (yes I could):<br>
    <br>
    <a class="moz-txt-link-freetext" href="http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/">http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/</a><br>
    <br>
    <br>
    <blockquote cite="mid:698EFE44-E06E-4B89-B8A6-9E62948C8B8D@meituan.com" type="cite">
      <div apple-content-edited="true">
            <div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br>
            </div>
            <div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Many thanks.</div>
      </div>
      <br>
      <div>
        <div>On Sep 24, 2012, at 11:10 PM, Adam Young wrote:</div>
        <br class="Apple-interchange-newline">
        <blockquote type="cite">
          <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
          <div text="#000000" bgcolor="#FFFFFF">
            <div class="moz-cite-prefix">Role is grouped in the
              collection under the Tenant, with the userid in the
              members attribute for that role.<br>
              <br>
              <br>
              <br>
              On 09/24/2012 03:18 AM, 邱剑 wrote:<br>
            </div>
            <blockquote cite="mid:C32462BC-6237-4C84-9F44-E96F0F7C6A3D@meituan.com" type="cite">
              <div><br>
              </div>
              <div>OpenStack services need a user account with the 'admin'
                role. But I could not figure out how FreeIPA propagates
                'role' into Keystone.</div>
              <div><br>
              </div>
              <div>That's why I'm asking the question in mailing list.</div>
              <div><br>
              </div>
              <div>
                <div>
                  <div>On Sep 24, 2012, at 11:30 AM, spring wrote:</div>
                  <br class="Apple-interchange-newline">
                  <blockquote type="cite">Thanks, qiujian!
                    <div>By using this configuration, can we log in
                      through the dashboard? If I want to implement that, is
                      there any other configuration I have to do?<br>
                      <div><br>
                        <div class="gmail_quote">2012/9/24 邱剑 <span dir="ltr"><<a moz-do-not-send="true" href="mailto:qiujian@meituan.com" target="_blank">qiujian@meituan.com</a>></span><br>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <div style="word-wrap:break-word">BTW, here
                              is my configuration:
                              <div><br>
                              </div>
                              <div>
                                <pre>[ldap]
url = ldap://10.64.11.199
tree_dn = cn=accounts,dc=mydomain,dc=com
user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
user_objectclass = person
user_name_attribute = uid
user_id_attribute = uid
tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
tenant_objectclass = posixgroup
tenant_id_attribute = cn
tenant_name_attribute = cn
tenant_member_attribute = member
role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
role_objectclass = posixgroup
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = member
user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
password = mysudopassword
# suffix must use the same dc= components as tree_dn
suffix = dc=mydomain,dc=com

[identity]
driver = keystone.identity.backends.ldap.Identity</pre>
                              </div>
                              <div><br>
                              </div>
                              <div>It seems that Keystone LDAP requires
                                role nodes to be the children of tenant nodes.
                                But FreeIPA has a flat structure.</div>
                              <div><br>
                                <div>
                                  <div style="word-wrap:break-word">--</div>
                                  <div style="word-wrap:break-word">邱剑<br>
                                    Meituan.com Technology Department, Systems Operations Group - Systems Engineer<br>
                                    Mobile: 1381129925<br>
                                    Email: <a moz-do-not-send="true" href="mailto:qiujian@meituan.com" target="_blank">qiujian@meituan.com</a></div>
                                </div>
                                <br>
                                <div>
                                  <div>
                                    <div class="h5">
                                      <div>On Sep 22, 2012, at 12:27 PM,
                                        邱剑 wrote:</div>
                                      <br>
                                    </div>
                                  </div>
                                  <blockquote type="cite">
                                    <div>
                                      <div class="h5">
                                        <div style="word-wrap:break-word">Hi, 

                                          <div><br>
                                            <div>I was working on using
                                              the LDAP of FreeIPA as the backend
                                              of Keystone.</div>
                                            <div><br>
                                            </div>
                                            <div>User and tenant
                                              information can be fetched
                                              from LDAP. However, I
                                              could not figure out how
                                              to assign roles to users
                                              in specific tenants. I'm
                                              wondering whether someone
                                              can help?</div>
                                            <div><br>
                                            </div>
                                            <div>I noticed that Mr. Adam
                                              Young had posted a blog
                                              about this topic:</div>
                                            <div><br>
                                            </div>
                                            <div><a moz-do-not-send="true" href="http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/" target="_blank">http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/</a></div>
                                            <div><br>
                                            </div>
                                            <div>However, it did not
                                              show how to import roles
                                              in LDAP. I'm wondering
                                              whether there is any
                                              progress on this?</div>
                                            <div><br>
                                            </div>
                                            <div>
                                              <div>Many thanks.</div>
                                            </div>
                                            <div><br>
                                            </div>
                                            <div>
                                              <div>
                                                <div>The keystone in use was
                                                  the latest master
                                                  branch on GitHub as of
                                                  Sep 21, 2012.</div>
                                              </div>
                                              <div><br>
                                              </div>
                                            </div>
                                            <div><br>
                                            </div>
                                            <div>Jian Qiu</div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                    <div class="im">_______________________________________________<br>
                                      Mailing list: <a moz-do-not-send="true" href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
                                      Post to     : <a moz-do-not-send="true" href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
                                      Unsubscribe : <a moz-do-not-send="true" href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
                                      More help   : <a moz-do-not-send="true" href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
                                    </div>
                                  </blockquote>
                                </div>
                                <br>
                              </div>
                            </div>
                            <br>
                          </blockquote>
                        </div>
                        <br>
                        <br clear="all">
                        <div><br>
                        </div>
                        -- <br>
                        Huang Shuquan (黄舒泉)<br>
                        Software Institute of Nanjing University,<br>
                        Nanjing, P.R. China<br>
                        Mobile: 86 137 7086 4433<br>
                        <br>
                      </div>
                    </div>
                  </blockquote>
                </div>
                <br>
              </div>
              <br>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div></body></html>
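<div>The configuration thread above turns on one structural point: the Keystone LDAP backend of that time looks for a tenant's roles as entries nested under the tenant entry, while FreeIPA keeps its groups as flat siblings under cn=groups. The Python below is an added example for this thread; it is not code from Keystone, from FreeIPA or from any of the posters. It parses the posted [ldap] section with the standard-library configparser, builds two constructed in-memory directories (FreeIPA's flat layout and the nested layout Adam describes), and resolves a user's tenants and roles following that description. The nested DN layout, the use of posixGroup/member for role entries and the sample users nova and alice are assumptions for illustration, not Keystone's actual schema.</div>

```python
"""Resolve a user's roles in a tenant as the thread describes the Keystone LDAP
backend doing it: a role entry sits under its tenant entry and the role's member
attribute lists the users holding it. Added example, not Keystone/FreeIPA code.
Assumed for illustration: the nested DN layout, posixGroup/member for roles, and
the users nova/alice. Entries live in memory; no LDAP server is contacted."""
import configparser

# The [ldap] section posted in the thread (suffix corrected to dc= form).
KEYSTONE_CONF = """
[ldap]
url = ldap://10.64.11.199
tree_dn = cn=accounts,dc=mydomain,dc=com
user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
user_objectclass = person
user_name_attribute = uid
user_id_attribute = uid
tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
tenant_objectclass = posixgroup
tenant_id_attribute = cn
tenant_name_attribute = cn
tenant_member_attribute = member
role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
role_objectclass = posixgroup
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = member
user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
password = mysudopassword
suffix = dc=mydomain,dc=com
"""

def load_ldap_config(text):
    """Parse keystone.conf text and return its [ldap] section as a dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["ldap"])

def parent_dn(dn):
    """DN one level up, lower-cased. Assumes no escaped commas in RDN values."""
    dn = dn.lower()
    return dn.split(",", 1)[1] if "," in dn else ""

def user_dn(cfg, uid):
    """DN the backend builds for a user id from user_id_attribute and user_tree_dn."""
    return f"{cfg['user_id_attribute']}={uid},{cfg['user_tree_dn']}"

def _values(attrs, name):
    return [v.lower() for v in attrs.get(name, [])]

def _one_level(entries, base, objectclass):
    """Entries directly under base with the given objectClass (LDAP scope=one)."""
    base = base.lower()
    for dn, attrs in entries.items():
        if parent_dn(dn) == base and objectclass.lower() in _values(attrs, "objectclass"):
            yield dn, attrs

def tenants_for_user(entries, cfg, uid):
    """Ids of tenants whose tenant_member_attribute lists the user."""
    udn = user_dn(cfg, uid).lower()
    return {attrs[cfg["tenant_id_attribute"]][0]
            for _, attrs in _one_level(entries, cfg["tenant_tree_dn"], cfg["tenant_objectclass"])
            if udn in _values(attrs, cfg["tenant_member_attribute"])}

def roles_for_user_in_tenant(entries, cfg, uid, tenant_id):
    """Names of role entries nested under the tenant whose members include the user."""
    tenants = _one_level(entries, cfg["tenant_tree_dn"], cfg["tenant_objectclass"])
    tenant = next((dn for dn, a in tenants if tenant_id.lower() in _values(a, cfg["tenant_id_attribute"])), None)
    if tenant is None:
        return set()
    udn = user_dn(cfg, uid).lower()
    return {attrs[cfg["role_name_attribute"]][0]
            for _, attrs in _one_level(entries, tenant, cfg["role_objectclass"])
            if udn in _values(attrs, cfg["role_member_attribute"])}

CFG = load_ldap_config(KEYSTONE_CONF)
GROUPS = CFG["tenant_tree_dn"]
NOVA, ALICE = user_dn(CFG, "nova"), user_dn(CFG, "alice")

# Constructed sample: FreeIPA's flat layout. "service" and "admin" are sibling
# posixGroups under cn=groups; nothing is nested beneath a tenant.
FLAT_FREEIPA = {
    f"cn=service,{GROUPS}": {"objectclass": ["posixgroup"], "cn": ["service"], "member": [NOVA]},
    f"cn=admin,{GROUPS}": {"objectclass": ["posixgroup"], "cn": ["admin"], "member": [NOVA]},
}

# Constructed sample: the nested layout the backend expects. Each role entry is a
# child of its tenant, so the role's member attribute scopes the grant to that tenant.
NESTED = {
    f"cn=service,{GROUPS}": {"objectclass": ["posixgroup"], "cn": ["service"], "member": [NOVA, ALICE]},
    f"cn=admin,cn=service,{GROUPS}": {"objectclass": ["posixgroup"], "cn": ["admin"], "member": [NOVA]},
    f"cn=member,cn=service,{GROUPS}": {"objectclass": ["posixgroup"], "cn": ["member"], "member": [ALICE]},
}

if __name__ == "__main__":
    for label, tree in (("flat FreeIPA", FLAT_FREEIPA), ("nested", NESTED)):
        print(label, "nova tenants:", tenants_for_user(tree, CFG, "nova"),
              "roles in service:", roles_for_user_in_tenant(tree, CFG, "nova", "service"))
```

<div>Running it shows the asymmetry the thread is about: with the flat tree, nova appears to belong to two "tenants" (service and admin) and holds no role in either, because role_tree_dn and tenant_tree_dn point at the same container and nothing is nested under the tenant entry; with the nested tree the same lookup returns the admin role inside the service tenant. Separately, the posted section binds with a static password over plain ldap://; Adam's second link above covers doing the same against FreeIPA over LDAPS.</div>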