[openstack-dev] [keystone] Suggested LDAP DIT for domains
Ziad Sawalha
ziad at sawalha.com
Thu Apr 25 16:07:44 UTC 2013
+1
Most hosting/cloud providers have something like that; a directory with multiple user sets.
Shouldn't that use case be core to Keystone? Having worked with many such implementations, I'd like to also hear the argument for why it is insanity…
On Apr 25, 2013, at 9:56 AM, Simo Sorce <simo at redhat.com> wrote:
> On Thu, 2013-04-25 at 10:45 -0400, Adam Young wrote:
>> OK, so Ryan has convinced me that multiple LDAP servers under the same
>> Keystone is an incantation for self induced insanity.
>>
>> Based on conversations with the other devs, we are going to enforce that
>> there is only one LDAP server per keystone, and limit the number of
>> domains it can support to one.
>>
>> There can be only one.
>
> I would like to hear what is the argument that convinced you here ?
>
> The reason you have multiple domains is that you have the need for
> multiple user-sets, that seem to lend naturally to cover the case where
> an organization have multiple set of users in different LDAP servers, so
> that you may want to use one LDAP server for one domain and another for
> another domain.
>
> Where does this argument breaks ?
>
>> The APIs for Domains will still be implemented, but creating or
>> modifying a domain will be return an Not implemented return code. There
>> will be a single domain object that will be immutable, although we may
>> allow initializing it from config file values.
>
> Oh, so no support for multiple domains at all ? Odd, seem this will make
> your LDAP backend a second class citizen and a non viable choice in some
> deployment. Not complaining just acknowledging.
>
>> Why are we "yanking" a feature like this? Quite simply, because the vast
>> majority of LDAP deployments out there will not use it, and will not
>> support the approach we have started. We would rather focus on solving
>> the real needs of the LDAP users. Most people cannot write to their
>> LDAP servers, and those that can often don't have the power to change
>> the schema. Thus far, the LDAP work has kept this design in mind, but
>> Domains forced us to marry up two inconstant views of the world.
>>
>> Multiple domains will still be supported in the SQL backend.
>>
>> Organizations that require multiple LDAP servers were not served by the
>> existing implementation. Those will require a different solution. Each
>> will get their own Keystone server, and we will use the approach
>> sketched out in other blueprints to ensure that they can co-exist in a
>> single Open Stack deployment.
>
> I guess the read-only LDAP case can still be used for multiple domains
> if keystone specific data is kept in a Kystone database ?
>
> If that's the case I think your choice will make sense.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list