[openstack-dev] [Keystone] Trusts (Preauth) and LDAP

Adam Young ayoung at redhat.com
Wed Nov 28 15:45:56 UTC 2012


I have a very rudimentary Trust (what I used to call Preauth, 
https://blueprints.launchpad.net/keystone/+spec/trusts) implementation 
working with the SQL backend for Identity.

With LDAP, I am not sure where I would store the trust information. The 
data for the trust itself is simply the uuid user_ids for the trustor 
and trustee and the tenant ID. There is also a table for the roles, and a 
second table for the endpoints associated with the trust. While we could 
shoehorn this into the user object, I am not sure that there is an 
intuitive way to implement it in LDAP.

I see three choices.

1. Leave the Trusts in the identity schema. This has the nice effect 
of keeping the user-ids as foreign keys. It has the drawback of forcing 
an LDAP backend solution.
2. Move the Trusts into the Token backend. This will avoid the 
issue of LDAP support. It does mean that tokens, which is a schema that 
is high volume, read intensive, and populated by short-lived 
entities, gets mixed with trusts, which is low volume and long lived.
3. Move it into its own backend. This seems a little heavyweight.


Thoughts?
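As an added illustration of the trade-off in option 1 (this is example code written for this page, not Keystone's trust implementation and not part of the original message), the sqlite3 model below keeps users and trusts in one schema so the database itself rejects a trust whose trustee does not exist, then shows the same insert succeeding when identity lives outside the database, which is the LDAP case, so the trust code has to ask the identity backend before writing. Table and column names, the `user_exists` callable, the constructed users and the role/endpoint ids are all assumptions chosen for the example.

```python
import sqlite3
import uuid

# Table and column names are assumptions for this example, not Keystone's schema.
SCHEMA = """
CREATE TABLE user   (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE tenant (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE trust (
    id              TEXT PRIMARY KEY,
    trustor_user_id TEXT NOT NULL REFERENCES user(id),
    trustee_user_id TEXT NOT NULL REFERENCES user(id),
    tenant_id       TEXT NOT NULL REFERENCES tenant(id)
);
CREATE TABLE trust_role (
    trust_id TEXT NOT NULL REFERENCES trust(id),
    role_id  TEXT NOT NULL,
    PRIMARY KEY (trust_id, role_id)
);
CREATE TABLE trust_endpoint (
    trust_id    TEXT NOT NULL REFERENCES trust(id),
    endpoint_id TEXT NOT NULL,
    PRIMARY KEY (trust_id, endpoint_id)
);
"""


def open_store(identity_in_same_db):
    """Open an in-memory trust store.

    identity_in_same_db=True models option 1: users and tenants share the
    schema, so the database enforces that trustor, trustee and tenant exist.
    False models an LDAP identity backend: the user rows are not here, so
    the references cannot be enforced (foreign keys switched off).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if identity_in_same_db else "OFF"))
    conn.executescript(SCHEMA)
    return conn


def create_trust(conn, trustor_id, trustee_id, tenant_id, role_ids, endpoint_ids):
    """Insert the trust row plus its role and endpoint rows in one transaction."""
    trust_id = uuid.uuid4().hex
    with conn:
        conn.execute("INSERT INTO trust VALUES (?, ?, ?, ?)",
                     (trust_id, trustor_id, trustee_id, tenant_id))
        conn.executemany("INSERT INTO trust_role VALUES (?, ?)",
                         [(trust_id, r) for r in role_ids])
        conn.executemany("INSERT INTO trust_endpoint VALUES (?, ?)",
                         [(trust_id, e) for e in endpoint_ids])
    return trust_id


def create_trust_checked(conn, user_exists, trustor_id, trustee_id, *rest):
    """The check the LDAP case needs in application code. user_exists is a
    hypothetical callable standing in for a lookup against the identity driver."""
    for uid in (trustor_id, trustee_id):
        if not user_exists(uid):
            raise LookupError("unknown user id %s" % uid)
    return create_trust(conn, trustor_id, trustee_id, *rest)


def load_trust(conn, trust_id):
    """Reassemble a trust from its three tables; None if it does not exist."""
    row = conn.execute(
        "SELECT trustor_user_id, trustee_user_id, tenant_id FROM trust WHERE id = ?",
        (trust_id,)).fetchone()
    if row is None:
        return None
    roles = sorted(r for (r,) in conn.execute(
        "SELECT role_id FROM trust_role WHERE trust_id = ?", (trust_id,)))
    endpoints = sorted(e for (e,) in conn.execute(
        "SELECT endpoint_id FROM trust_endpoint WHERE trust_id = ?", (trust_id,)))
    return {"trustor_user_id": row[0], "trustee_user_id": row[1],
            "tenant_id": row[2], "roles": roles, "endpoints": endpoints}


def demo():
    """Constructed data: alice delegates to bob; 'ghost' is an id nobody owns."""
    alice, bob, ghost, tenant = (uuid.uuid4().hex for _ in range(4))

    # Option 1: identity and trusts in one SQL schema.
    sql = open_store(True)
    sql.execute("INSERT INTO user VALUES (?, 'alice')", (alice,))
    sql.execute("INSERT INTO user VALUES (?, 'bob')", (bob,))
    sql.execute("INSERT INTO tenant VALUES (?, 'demo')", (tenant,))
    good = create_trust(sql, alice, bob, tenant, ["member"], ["compute"])
    try:
        create_trust(sql, alice, ghost, tenant, ["member"], [])
        sql_rejects = False
    except sqlite3.IntegrityError:
        sql_rejects = True          # the foreign key did the work

    # LDAP identity: users are not in this database, so nothing stops the insert.
    ldap_side = open_store(False)
    dangling = create_trust(ldap_side, alice, ghost, tenant, ["member"], [])
    ldap_accepts = load_trust(ldap_side, dangling) is not None

    # So the trust code itself has to ask the identity backend first.
    directory = {alice, bob}        # stand-in for the LDAP directory
    try:
        create_trust_checked(ldap_side, directory.__contains__,
                             alice, ghost, tenant, ["member"], [])
        checked_rejects = False
    except LookupError:
        checked_rejects = True

    return {"sql_rejects_unknown_trustee": sql_rejects,
            "ldap_store_accepts_unknown_trustee": ldap_accepts,
            "checked_create_rejects_unknown_trustee": checked_rejects,
            "roles": load_trust(sql, good)["roles"]}


if __name__ == "__main__":
    print(demo())
```

The point of the two stores is the practical cost of options 2 and 3 that the message does not spell out: once the user ids are no longer foreign keys, a trust row can name a trustee that was never created, or one that was since deleted from the directory, and only a lookup against the identity driver at create time (and again when the trust is consumed) keeps the delegation tied to real principals.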


