[openstack-dev] Proposal to deprecate LDAP Assignments

Adam Young ayoung at redhat.com
Tue Sep 10 13:42:17 UTC 2013


Assignments (user to project, group to project, user to domain, group to 
domain) are OpenStack specific Data, where as Identity (users, groups, 
and user to group assignments) is general organizational data.  When all 
of this was in a single backend, we had no choice but to force people to 
use LDAP in a writeable mode, and put their assignments in there.

Assignments and LDAP were always a bad match.

With the split of the identity backend, we can now manage identity in a 
backend separate from assignments. There is an identity backend, and an 
assignments backend.  For Havana, if the user has configured the 
identity backend to use LDAP and has not specified anything for 
assignments, assignments will be in LDAP as well.
We can't drop support for LDAP assignments without breaking the 
deployments for all these people.  I'd like to propose deprecating the 
LDAP backend for assignments as soon as feasible, with an eye to helping 
people migrate their existing assignments to the SQL backend.

What might a migration look like:

1.  Lock down the LDAP backend so that no updates can occur to Projects, 
Roles, or Role assignments.
2.  For projects, roles, and role assignments, do an LDAP query and 
generate a single row in the SQL backend.  These don't need to be 
identical to the existing ones, but it is not required that the IDs be 
UUIDs:  they will be treated as blobs and keeping the old values is fine 
if desired.
3.  Change the config file so that the Assignments backend is SQL, not 
LDAP, and restart Keystone.
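Step 2 of that sketch, as an added Python illustration (not Keystone's own code): constructed LDAP search results are turned into rows for the SQL assignment backend, copying IDs verbatim. The LDAP layout (projects under ou=Projects with cn as id and ou as name, role definitions under ou=Roles, per-project assignments as organizationalRole sub-entries whose roleOccupant lists user DNs) and the target table and column names are assumptions for this example, not Keystone's real schema.

```python
SUFFIX = "dc=example,dc=com"

# Constructed LDAP results in python-ldap's (dn, {attr: [bytes]}) shape.
# The entry layout is an ASSUMPTION for this example; Keystone's attribute
# mapping is configurable and may differ in a real deployment.
SAMPLE_ENTRIES = [
    (f"cn=demo-project,ou=Projects,{SUFFIX}",
     {"objectClass": [b"groupOfNames"], "cn": [b"demo-project"],
      "ou": [b"Demo Project"]}),
    (f"cn=admin,ou=Roles,{SUFFIX}",
     {"objectClass": [b"organizationalRole"], "cn": [b"admin"]}),
    (f"cn=member,ou=Roles,{SUFFIX}",
     {"objectClass": [b"organizationalRole"], "cn": [b"member"]}),
    (f"cn=admin,cn=demo-project,ou=Projects,{SUFFIX}",
     {"objectClass": [b"organizationalRole"], "cn": [b"admin"],
      "roleOccupant": [f"cn=alice,ou=Users,{SUFFIX}".encode()]}),
    (f"cn=member,cn=demo-project,ou=Projects,{SUFFIX}",
     {"objectClass": [b"organizationalRole"], "cn": [b"member"],
      "roleOccupant": [f"cn=alice,ou=Users,{SUFFIX}".encode(),
                       f"cn=bob,ou=Users,{SUFFIX}".encode()]}),
]

def rdn_value(dn, index=0):
    """Value of the index-th RDN of dn (DN escaping is not handled here)."""
    return dn.split(",")[index].split("=", 1)[1]

def extract_rows(entries, suffix=SUFFIX):
    """Split LDAP entries into project, role and assignment rows.
    IDs are kept exactly as stored: the SQL backend treats them as opaque
    strings, so they need not be UUIDs."""
    projects, roles, assignments = [], [], []
    for dn, attrs in entries:
        parts = dn[: -len(suffix) - 1].split(",")  # RDNs below the suffix
        if parts[-1] == "ou=Projects" and len(parts) == 2:
            projects.append((rdn_value(dn), attrs["ou"][0].decode()))
        elif parts[-1] == "ou=Roles" and len(parts) == 2:
            roles.append((rdn_value(dn), attrs["cn"][0].decode()))
        elif parts[-1] == "ou=Projects" and len(parts) == 3:
            role_id, project_id = rdn_value(dn, 0), rdn_value(dn, 1)
            for user_dn in attrs.get("roleOccupant", []):
                user_id = rdn_value(user_dn.decode())
                assignments.append((user_id, project_id, role_id))
    return projects, roles, assignments

def insert_statements(projects, roles, assignments):
    """Parameterised INSERTs for a generic schema (names assumed)."""
    out = [("INSERT INTO project (id, name) VALUES (?, ?)", p) for p in projects]
    out += [("INSERT INTO role (id, name) VALUES (?, ?)", r) for r in roles]
    out += [("INSERT INTO user_project_role (user_id, project_id, role_id) "
             "VALUES (?, ?, ?)", a) for a in assignments]
    return out
```

Running the extraction against a read-only snapshot taken after step 1 and comparing the row counts with a second run is a cheap way to confirm nothing changed in LDAP during the migration.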

We should deprecate the LDAP Assignments backend when Icehouse is GA, to 
be removed two releases later. We know we have some rough spots to 
smooth over in the Havana and Icehouse timeframe regarding the LDAP/SQL  
approach.  I'd like to warn people that this is coming, so that we have 
some participation in discussions around this migration, and that, by 
the time we finally remove the last of the support for LDAP assignments, 
it will be nothing but a fading memory.
