[openstack-dev] Keystone AD integration
Adam Young
ayoung at redhat.com
Thu Sep 13 14:41:23 UTC 2012
Thanks guys, this is the way we will make progress.
This is absolutely the kind of thing that should be on the openstack-dev
list, in case you were reluctant to put it there.
On 09/13/2012 08:33 AM, Jose Castro Leon wrote:
>
> I am already in touch with him :)
>
> Bugs already submitted to do some configuration changes, I will upload
> the patches as soon as possible
>
> https://bugs.launchpad.net/keystone/+bug/1050398
>
> https://bugs.launchpad.net/keystone/+bug/1050400
>
> https://bugs.launchpad.net/keystone/+bug/1050401
>
> https://bugs.launchpad.net/keystone/+bug/1050402
>
> https://bugs.launchpad.net/keystone/+bug/1050406
>
> Kind regards,
>
> *Jose Castro Leon*
>
> CERN IT-OIS-IN tel: +41.22.76.74272
>
> mob: +41.76.48.79222
>
> fax: +41.22.76.67955
>
> Office: 31-R-021 CH-1211 Geneve 23
>
> email: jose.castro.leon at cern.ch <mailto:jose.castro.leon at cern.ch>
>
> *From:*Alessandro Pilotti [mailto:apilotti at cloudbasesolutions.com]
> *Sent:* 13 September 2012 14:21
> *To:* Jose Castro Leon
> *Cc:* Peter Pouliot; Luis Fernandez Alvarez; Adam Young
> *Subject:* Re: Keystone AD integration
>
> Hi Jose,
>
> Great! I add in copy Adam, who is the author of the Keystone LDAP
> module.
>
> Thanks for sharing!
>
> Alessandro Pilotti
>
> Cloudbase Solutions Srl
> -------------------------------------
> MVP ASP.Net <http://ASP.Net> / IIS
>
> Windows Azure Insider
> Red Hat Certified Engineer
> -------------------------------------
>
>
>
>
>
> On Sep 13, 2012, at 14:52 , Jose Castro Leon <jose.castro.leon at cern.ch
> <mailto:jose.castro.leon at cern.ch>>
>
> wrote:
>
>
>
> Hi,
>
> I managed to get it working with the standard LDAP module. In that
> module there is more configuration that is hardcoded and needs a
> refactor. I am preparing the changes to send them upstream; it should
> be easy, as I am extracting configuration parameters to the keystone
> configuration file. I will create the appropriate bugs in Launchpad to
> do so (with the appropriate fixes).
>
> The schema is the default schema that comes with Windows 2008
> (standard schema + services for unix).
>
> The only configuration change was modifying a parameter on the class
> organizationalRole to allow it to have groupOfNames as a superior.
>
> A simplified view of the schema used by the application is the following:
>
> Users
>  |
>  --> demo_user (user)
>
> Tenants
>  |
>  --> My Tenant (groupOfNames)
>       | @member(demo_user)
>       |
>       --> member (organizationalRole)
>             @roleOccupant (demo_user)
>
> Roles
>  |
>  --> member (organizationalRole)
>
> In () class of the object
> @ attribute of the object
>
> I point users to the standard users in AD, and create 2 different OUs
> to store the tenants and the roles.
>
> As a summary, we have everything of the backend related to user,
> tenant and role operations available.
>
> It seems also that in a large scale scenario it needs a rework, but it
> will change substantially and maybe will not be available soon.
>
> Kind regards,
>
> *Jose Castro Leon*
>
> CERN IT-OIS-IN tel: +41.22.76.74272
>
> mob: +41.76.48.79222
>
> fax: +41.22.76.67955
>
> Office: 31-R-021 CH-1211 Geneve 23
>
> email:jose.castro.leon at cern.ch <mailto:jose.castro.leon at cern.ch>
>
> *From:* Alessandro Pilotti [mailto:apilotti at cloudbasesolutions.com]
> *Sent:* 13 September 2012 13:37
> *To:* Jose Castro Leon
> *Cc:* Peter Pouliot; Luis Fernandez Alvarez
> *Subject:* Keystone AD integration
>
> Hi Jose,
>
> Luis told us that you are working on Keystone LDAP Active Directory
> integration, which is also on our TODO list.
>
> Would it be possible for you to share with us your progress and if
> possible the LDAP attribute mapping you used?
>
> Thanks!
>
> Alessandro Pilotti
>
> Cloudbase Solutions Srl
> -------------------------------------
> MVP ASP.Net <http://ASP.Net> / IIS
>
> Windows Azure Insider
> Red Hat Certified Engineer
> -------------------------------------
>
>
>
>
>
>
>
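The directory layout Jose describes in the quoted message, modelled as an added example (not code from the thread or from Keystone): it resolves a user's roles per tenant and audits the tree for role grants that fall outside tenant membership. The base DN, container names, the second user, the admin role and both audit rules are assumptions made for illustration.

```python
BASE = "dc=example,dc=org"            # assumed base DN
USERS = "cn=Users," + BASE            # assumed container names
TENANTS = "ou=Tenants," + BASE
ROLES = "ou=Roles," + BASE
DEMO = "cn=demo_user," + USERS
OTHER = "cn=other_user," + USERS      # constructed user, not a tenant member
MY_TENANT = "cn=My Tenant," + TENANTS

# Constructed entries (DN -> attributes) following the tree in the message.
ENTRIES = {
    DEMO: {"objectClass": ["user"]},
    OTHER: {"objectClass": ["user"]},
    "cn=member," + ROLES: {"objectClass": ["organizationalRole"]},
    MY_TENANT: {"objectClass": ["groupOfNames"], "member": [DEMO]},
    "cn=member," + MY_TENANT: {"objectClass": ["organizationalRole"],
                               "roleOccupant": [DEMO, OTHER]},
    "cn=admin," + MY_TENANT: {"objectClass": ["organizationalRole"],
                              "roleOccupant": [DEMO]},
}

def parent(dn):
    return dn.split(",", 1)[1]        # naive split: no escaped commas handled

def rdn_value(dn):
    return dn.split(",", 1)[0].split("=", 1)[1]

def children(dn, object_class):
    # Direct children of dn that carry the given object class.
    return [d for d, attrs in ENTRIES.items()
            if parent(d) == dn and object_class in attrs["objectClass"]]

def roles_for(user_dn, tenant_dn):
    # Roles are organizationalRole entries below the tenant listing the user.
    return sorted(rdn_value(r) for r in children(tenant_dn, "organizationalRole")
                  if user_dn in ENTRIES[r].get("roleOccupant", []))

def audit():
    # Assumed rules: occupants must be tenant members; roles must exist under Roles.
    defined = {rdn_value(r) for r in children(ROLES, "organizationalRole")}
    findings = []
    for tenant in children(TENANTS, "groupOfNames"):
        members = set(ENTRIES[tenant].get("member", []))
        for role in children(tenant, "organizationalRole"):
            if rdn_value(role) not in defined:
                findings.append(("undefined-role", role, None))
            for occupant in ENTRIES[role].get("roleOccupant", []):
                if occupant not in members:
                    findings.append(("occupant-not-member", role, occupant))
    return findings
```
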