<div dir="ltr"><div>Jasper<br></div><div>Are you alluding to the hybrid drivers as discussed and available via <a href="http://www.mattfischer.com/blog/?tag=openstack-2">http://www.mattfischer.com/blog/?tag=openstack-2</a>?<br>
</div><br><div class="gmail_extra">~Mike.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 1, 2014 at 11:17 PM, Lillie Ross-CDSR11 <span dir="ltr">&lt;<a href="mailto:Ross.Lillie@motorolasolutions.com" target="_blank">Ross.Lillie@motorolasolutions.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word">
I’ve been playing with using LDAP authentication (identity) and SQL authorization (assignment) within Keystone in the current devstack release running in a single VM.
<div><br>
</div>
<div>The problem with this setup, as I understand it, is the need to have LDAP entries for each service user (i.e. nova, glance, etc.).  In our environment, this isn’t possible as our corporate LDAP directory is solely for employee records.  While I could work
 around this issue by running each service under a known LDAP employee record - this seems rather a kludge to me.</div>
<div><br>
</div>
<div>My question is, and admittedly I’m not well versed in directory federation, is this an issue that could be resolved once directory federation is stable in the next OpenStack release? Where, for instance, all of the OpenStack service accounts could remain
 in a separate directory service controlled solely by the cloud owner/admin, while users could then be authenticated via the corporate employee LDAP database?</div>
<div><br>
</div>
<div>We’d love to use LDAP to authenticate cloud users, but the need to also authenticate OpenStack services against the same LDAP backend makes the use of LDAP unviable in our environment.</div>
<div><br>
</div>
<div>This has probably been discussed previously, but any insight would be helpful.  </div>
<div><br>
</div>
<div>Thanks and regards,</div>
<div>Ross</div>
<div><span style="text-align:-webkit-auto">--</span></div>
<div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">

<div>Ross Lillie</div>
<div>Distinguished Member of Technical Staff</div>
<div>Motorola Solutions, Inc.</div>
<div><br>
</div>
<div><a href="http://motorolasolutions.com" target="_blank">motorolasolutions.com</a></div>
</div>
<span style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">O:
 <a href="tel:%2B1.847.576.0012" value="+18475760012" target="_blank">+1.847.576.0012</a></span>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">

M: <a href="tel:%2B1.847.980.2241" value="+18479802241" target="_blank">+1.847.980.2241</a></div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">

E: <a href="mailto:ross.lillie@motorolasolutions.com" target="_blank">ross.lillie@motorolasolutions.com</a></div>
</div>
<br>
</div>

<br>_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to     : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br></blockquote></div><br></div></div>