[openstack-dev] Keystone RC1 Bug Question 1209440

Dolph Mathews dolph.mathews at gmail.com
Tue Oct 15 17:20:38 UTC 2013


On Tue, Oct 15, 2013 at 12:05 PM, Miller, Mark M (EB SW Cloud - R&D -
Corvallis) <mark.m.miller at hp.com> wrote:
> Hello,
>
> I have a generic question about the logic now available for LDAP users in association with bug 1209440. How do you associate a read-only LDAP user with a domain?

I suppose it depends on your definition of "association"? Users have
two significant relationships with domains:

A) they can be owned by (namespaced to) a domain
B) they can be assigned roles on domains, granting authorization

> LDAP users are not entered into the keystone user table so the only way I can see to associate a user with a domain is to give them a role for the domain so an entry is built for them in the user_domain_metadata table. Am I correct or is there something I am missing?

This is [B], above. This pattern is identical to that used for projects.

>
> Regards,
>
> Mark
>
> =====================
>
> https://bugs.launchpad.net/keystone/+bug/1209440
>
> =====================
>
> At keystone/identity/backends/ldap.py:230 we allow mapping domain_id of a user based on the attribute specified in conf.ldap.user_domain_id_attribute which defaults to 'businessCategory'.
> My understanding is that this is no longer required and should no longer be allowed and indeed in practice it completely overrides any domain information that is provided in the authentication body.
>
> =====================
>
> commit 668ee718127a9983d4838b868efd44ddf661b533
> Author: Morgan Fainberg <m at metacloud.com>
> Date: Thu Sep 19 19:53:02 2013 -0700
>     Remove ldap identity domain attribute options
>     LDAP Identity backend is not domain aware, and therefore does not
>     need mappings for the domain attributes for user and group.
>     closes-bug: 1209440
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



-- 

-Dolph
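The two relationships Dolph lists, as an added illustrative model (not Keystone's code, and every class and function name here is an assumption): (A) a user is namespaced by a `domain_id`, which a read-only LDAP backend never supplies, and (B) a user is authorized on a domain only through an explicit role assignment. The `effective_domain_pre_fix` function models the behaviour the bug report describes, where the attribute named by `user_domain_id_attribute` replaced the domain from the auth body; `scope_to_domain` shows the post-fix rule, where the requested domain is honoured and authorization rests on the assignment table alone. The directory entries and grants are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


class Unauthorized(Exception):
    """Raised when a user requests a domain scope they hold no role on."""


@dataclass(frozen=True)
class User:
    id: str
    name: str
    # Relationship (A): the owning/namespacing domain. Users served from a
    # read-only LDAP backend carry none, since nothing is written to a local user table.
    domain_id: Optional[str]


class ReadOnlyLdapIdentity:
    """Constructed stand-in for an LDAP identity backend (assumed name, not Keystone's).

    `entries` maps user_id -> LDAP attributes and is built inline for the demo.
    """

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self._entries = entries

    def raw_attributes(self, user_id: str) -> Dict[str, str]:
        return dict(self._entries[user_id])

    def get_user(self, user_id: str) -> User:
        attrs = self._entries[user_id]
        return User(id=user_id, name=attrs["uid"], domain_id=None)

    def create_user(self, *_args, **_kwargs) -> None:
        raise PermissionError("identity backend is read-only")


class DomainAssignments:
    """Relationship (B): role grants on domains, i.e. the user_domain_metadata-style
    table from the thread, keyed by (user_id, domain_id). Assumed name."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], Set[str]] = {}

    def grant(self, user_id: str, domain_id: str, role: str) -> None:
        self._grants.setdefault((user_id, domain_id), set()).add(role)

    def roles_on_domain(self, user_id: str, domain_id: str) -> FrozenSet[str]:
        return frozenset(self._grants.get((user_id, domain_id), ()))


def effective_domain_pre_fix(ldap_attrs: Dict[str, str], requested_domain_id: str,
                             attr: str = "businessCategory") -> str:
    """Model of the behaviour the bug report describes: the attribute named by
    user_domain_id_attribute (default 'businessCategory') replaced the domain given
    in the auth body. Falling back to the requested domain when the attribute is
    absent is an assumption of this model."""
    return ldap_attrs.get(attr, requested_domain_id)


def scope_to_domain(identity: ReadOnlyLdapIdentity, assignments: DomainAssignments,
                    user_id: str, requested_domain_id: str) -> FrozenSet[str]:
    """Post-fix rule as modelled here: the requested domain is taken as given, and
    the scope is granted only if the user holds at least one role on it."""
    user = identity.get_user(user_id)
    roles = assignments.roles_on_domain(user.id, requested_domain_id)
    if not roles:
        raise Unauthorized(f"{user.name} has no role on domain {requested_domain_id!r}")
    return roles


def build_demo() -> Tuple[ReadOnlyLdapIdentity, DomainAssignments]:
    """Constructed sample data: one directory user and one role grant on a domain."""
    identity = ReadOnlyLdapIdentity({"u1": {"uid": "alice", "businessCategory": "hr"}})
    assignments = DomainAssignments()
    assignments.grant("u1", "finance", "member")
    return identity, assignments


if __name__ == "__main__":
    identity, assignments = build_demo()
    # Pre-fix: the directory attribute wins over the requested 'finance' scope.
    print(effective_domain_pre_fix(identity.raw_attributes("u1"), "finance"))
    # Post-fix: scope follows the explicit assignment, and nothing else.
    print(sorted(scope_to_domain(identity, assignments, "u1", "finance")))
    try:
        scope_to_domain(identity, assignments, "u1", "hr")
    except Unauthorized as exc:
        print("rejected:", exc)
```

The practical check this model encodes: for a directory-backed user, `get_user(...).domain_id` is `None`, so the only place a domain relationship can exist is the assignment table, and a request for a domain scope with no matching grant must fail rather than be redirected by an attribute in the directory.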
