[openstack-dev] [Keystone] LDAP support for groups
Adam Young
ayoung at redhat.com
Fri Dec 14 18:04:25 UTC 2012
We are close to getting Groups done in the SQL back end, but we still
need a schema for LDAP, and it is not super apparent how to close the
gap on it.
The schema for role assignment is:
    #
    olcObjectClasses: ( 2.5.6.8 NAME 'organizationalRole'
        DESC 'RFC2256: an organizational role'
        SUP top STRUCTURAL
        MUST cn
        MAY ( x121Address $ registeredAddress $ destinationIndicator $
              preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
              telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
              seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
              postOfficeBox $ postalCode $ postalAddress $
              physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
And the users are in the roleOccupant field.
We want to be able to make the roleOccupant included members of groups.
But I am not sure that having both in a single field is advisable. I
would rather have a deliberate field for group members. This was what
we did in FreeIPA, and I think it is the right approach.
We could extend roleOccupant with another object class, but there is no
obvious class to use.
We could replace roleOccupant with a different object class. While that
would make a painful transition, it might be preferable. But again,
there is no obvious replacement.
We could make groups a collection underneath organizationalRoles.
Feedback is welcome.
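The following is an added example, not code from the message or from Keystone: it resolves the users holding an organizationalRole when roleOccupant is allowed to hold both user DNs and group DNs (the "both in a single field" option). The directory dict, its DNs, and the use of groupOfNames/member for groups are assumptions constructed for the example; it shows that every roleOccupant value must be looked up just to learn whether it is a user or a group, and that nested groups need cycle handling.

```python
# Added example, not from the original message. The directory below is
# constructed sample data; DNs and groupOfNames/member are assumptions.
BASE = "dc=example,dc=com"
DIRECTORY = {
    f"cn=admin,ou=roles,{BASE}": {
        "objectClass": ["organizationalRole"],
        "roleOccupant": [f"uid=alice,ou=users,{BASE}",
                         f"cn=ops,ou=groups,{BASE}"],
    },
    f"cn=ops,ou=groups,{BASE}": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=bob,ou=users,{BASE}",
                   f"cn=oncall,ou=groups,{BASE}"],
    },
    f"cn=oncall,ou=groups,{BASE}": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=carol,ou=users,{BASE}",
                   f"cn=ops,ou=groups,{BASE}"],  # nested cycle
    },
    f"uid=alice,ou=users,{BASE}": {"objectClass": ["inetOrgPerson"]},
    f"uid=bob,ou=users,{BASE}": {"objectClass": ["inetOrgPerson"]},
    f"uid=carol,ou=users,{BASE}": {"objectClass": ["inetOrgPerson"]},
}

def _is_group(entry):
    return "groupOfNames" in entry.get("objectClass", [])

def expand_group(group_dn, directory, seen=None):
    """User DNs reachable from group_dn; nested groups followed, cycles skipped."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users = set()
    for dn in directory.get(group_dn, {}).get("member", []):
        entry = directory.get(dn)
        if entry is None:
            continue  # dangling DN: nobody to grant the role to
        users |= expand_group(dn, directory, seen) if _is_group(entry) else {dn}
    return users

def role_users(role_dn, directory):
    """Users holding role_dn; each roleOccupant value is fetched to learn its kind."""
    users = set()
    for dn in directory.get(role_dn, {}).get("roleOccupant", []):
        entry = directory.get(dn)
        if entry is None:
            continue
        users |= expand_group(dn, directory) if _is_group(entry) else {dn}
    return users
```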