<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/01/2014 06:17 PM, Lillie
Ross-CDSR11 wrote:<br>
</div>
<blockquote
cite="mid:6AFA470F-9A9B-4DEE-B446-B11BF192887F@motorolasolutions.com"
type="cite">
I’ve been playing with using LDAP authentication (identity) and
SQL authorization (assignment) within Keystone in the current
devstack release running in a single VM.
<div><br>
</div>
<div>The problem with this setup, as I understand it, is the need
to have LDAP entries for each service user (i.e. nova, glance,
etc.). In our environment, this isn’t possible as our corporate
LDAP directory is solely for employee records. While I could
work around this issue by running each service under a known
LDAP employee record - this seems rather a kludge to me.</div>
<div><br>
</div>
<div>My question is, and admittedly I’m not well versed in
directory federation, is this an issue that could be resolved
once directory federation is stable in the next OpenStack
release? Where, for instance, all of the openstack service
accounts could remain in a separate directory service controlled
solely by the cloud owner/admin, while users could then be
authenticated via the corporate employee LDAP database?</div>
<div><br>
</div>
<div>We’d love to use LDAP to authenticate cloud users, but
the need to also authenticate openstack services against the
same LDAP backend makes the use of LDAP unviable in our
environment.</div>
</blockquote>
We have no solution for that under Icehouse. This topic is one of
the high priorities for the Keystone team at the Icehouse summit.<br>
<br>
<br>
<blockquote
cite="mid:6AFA470F-9A9B-4DEE-B446-B11BF192887F@motorolasolutions.com"
type="cite">
<div><br>
</div>
<div>This has probably been discussed previously, but any insight
would be helpful. </div>
<div><br>
</div>
<div>Thanks and regards,</div>
<div>Ross</div>
<div><span style="orphans: 2; text-align: -webkit-auto; widows:
2;">--</span></div>
<div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; line-height:
normal; text-align: -webkit-auto; text-indent: 0px;
text-transform: none; white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; orphans: 2; widows: 2;
word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;">
<div>Ross Lillie</div>
<div>Distinguished Member of Technical Staff</div>
<div>Motorola Solutions, Inc.</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://motorolasolutions.com">motorolasolutions.com</a></div>
</div>
<span style="color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; line-height:
normal; orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px; float:
none; display: inline !important;">O: +1.847.576.0012</span>
<div style="color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; line-height:
normal; orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">
M: +1.847.980.2241</div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; line-height:
normal; orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">
E: <a moz-do-not-send="true"
href="mailto:ross.lillie@motorolasolutions.com">ross.lillie@motorolasolutions.com</a></div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
</blockquote>
<br>
</body>
</html>