Hi Michel, If you’re considering making a leap, it may be worth exploring federation with Keycloak, we’ve been doing this and it’s working really nicely and opens up all sorts of options (LDAP, switch to Azure AD/Okta, etc) without much complications. We’ve also enabled user-sync through https://github.com/vexxhost/keystone-keycloak-backend which will make all groups and users automatically appear inside Keystone instantly (as opposed to after one sign on), and then combining that with https://github.com/vexxhost/keystoneauth-websso which allows users to login using the CLI with their browser. This also helps enforce any MFA or anything like that across all OpenStack access. I understsand this isn’t the ask here, but just want to put it on your eyes in case you’re going through this big change anyways. Good luck! Mohammed From: Michel Jouvin <michel.jouvin@ijclab.in2p3.fr> Date: Thursday, January 25, 2024 at 3:56 AM To: openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org> Subject: Re: Keystone LDAP backend: need to change user_id_attribute from CN to SAMAccountName [You don't often get email from michel.jouvin@ijclab.in2p3.fr. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] Any thought on this? Thanks in advance. Michel Le 24/01/2024 à 10:29, Michel Jouvin a écrit :
Hi,
For historical (and bad) resons, we decided 10 years ago when we created our cloud that the Keystone LDAP backend will use the CN as the user_id_attribute rather than the usual SAMAccountName. Since then it has been a source of various problems with CN changes, accented characters in CN... We'd like to change it to SAMAccountName but there is clearly no easy/supported way of doing it and we are looking for some information on the best way to do it and the risks if somebody has some clues... It should impact ~30 users so not a huge number...
What we have in mind is basically:
- Change the backend attribute - Import new accounts - Assign the new accounts to the same projects as the ol accounts, with the same role
One of the foreseen problemsis that old and new accounts will share the same user_name_attribute, based on SAMAccountName. It is not allowed by openstack if I'm right so for the scenario to work we need to change the user_name_attribute of old accounts to something different (we don't care that the user cannot use the account during the transition peroid as long as it doesn't impact active resources). Is it enough to update it in the database? We'd prefer to keep the old accounts in OpenStack until the end of the transition...
Another minor issue is the reassignment of keypairs to the new account. It is poosble to ask the user to reload its public keys but we were wondering it there was a not too risky way of doing it for him/her by updating the DB (I guess there is no API for this).
Thanks in advance if you have any thought/information to share. Best regards.
Michel