<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;
mso-fareast-language:EN-US;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-GB link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><a name="_MailEndCompose"><span style='color:#1F497D'>Our Active Directory is indeed read only.<o:p></o:p></span></a></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>What I am trying to do is use existing AD security groups which are used to define the different groups in our organisation to assign users to projects. The projects would created against the sql domain. I know that I could do this on a user by user basis but that would increase the administrative overhead. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>When you say that assignments are deprecated, I assume that you mean assignments and projects both being against the LDAP domain?<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:EN-GB'>Thanks<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:EN-GB'>Alexander<o:p></o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='color:windowtext;mso-fareast-language:EN-GB'>From:</span></b><span lang=EN-US style='color:windowtext;mso-fareast-language:EN-GB'> Adam Young [mailto:ayoung@redhat.com] <br><b>Sent:</b> 01 March 2016 19:51<br><b>To:</b> openstack@lists.openstack.org<br><b>Subject:</b> Re: [Openstack] Keystone With Active Directory<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On 02/29/2016 10:07 AM, <a href="mailto:alexander.dibbo@stfc.ac.uk">alexander.dibbo@stfc.ac.uk</a> wrote:<span style='font-size:12.0pt;mso-fareast-language:EN-GB'><o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>Hi all,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I am in the process of setting up a Liberty deployment, with multi-domain keystone connected to Active Directory.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I am just wondering if anybody is using Security Groups in Active Directory to map roles to projects? <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>If so how are you doing this?<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-GB'>Regards</span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-GB'> </span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-GB'>Alexander Dibbo</span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-GB'><br><br><br><o:p></o:p></span></p><pre>_______________________________________________<o:p></o:p></pre><pre>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><o:p></o:p></pre><pre>Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><o:p></o:p></pre><pre>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><o:p></o:p></pre></blockquote><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-GB'><br>Keystone support for Assignment from LDAP is deprecated. AD tends to be read only from an Openstack deployment. Do you have writable AD available?<o:p></o:p></span></p></div></body></html>