[openstack-dev] Keystone

Tizy Ninan tizy.elza at gmail.com
Wed May 28 09:57:48 UTC 2014


Hi,

Thanks for the reply.
I am still not successful in integrating Keystone with Active Directory.
Can you please provide some clarification on the following questions?
1. Currently, my Active Directory schema does not have projects/tenants and
roles OUs. Is it necessary to create projects/tenants and roles OUs in the
Active Directory schema for Keystone to authenticate against Active
Directory?
2. We added values to user_tree_dn. Do the tenant_tree_dn, role_tree_dn and
group_tree_dn fields need to be filled in for authenticating?
3. How will the mapping of a user to a project/tenant and role be done if I
use Active Directory to authenticate only the users and use the already
existing projects and roles tables in the MySQL database?

Kindly provide me some insight into these questions.

Thanks,
Tizy

On Tue, May 20, 2014 at 8:27 AM, Adam Young <ayoung at redhat.com> wrote:

> On 05/16/2014 05:08 AM, Tizy Ninan wrote:
>
> Hi,
>
> We have an OpenStack Havana deployment on CentOS 6.4 with the nova-network
> network service, installed using Mirantis Fuel v4.0.
> We are trying to integrate the OpenStack setup with Microsoft Active
> Directory (LDAP server). I only have read access to the LDAP server.
> What will be the minimum changes needed under the [ldap] section in the
> keystone.conf file? Can you please specify what variables need to be set and
> what the values for each variable should be?
>
> [ldap]
> # url = ldap://localhost
> # user = dc=Manager,dc=example,dc=com
> # password = None
> # suffix = cn=example,cn=com
> # use_dumb_member = False
> # allow_subtree_delete = False
> # dumb_member = cn=dumb,dc=example,dc=com
>
>  # Maximum results per page; a value of zero ('0') disables paging
> (default)
> # page_size = 0
>
>  # The LDAP dereferencing option for queries. This can be either 'never',
> # 'searching', 'always', 'finding' or 'default'. The 'default' option falls
> # back to using default dereferencing configured by your ldap.conf.
> # alias_dereferencing = default
>
>  # The LDAP scope for queries, this can be either 'one'
> # (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
> # query_scope = one
>
>  # user_tree_dn = ou=Users,dc=example,dc=com
> # user_filter =
> # user_objectclass = inetOrgPerson
> # user_id_attribute = cn
> # user_name_attribute = sn
> # user_mail_attribute = email
> # user_pass_attribute = userPassword
> # user_enabled_attribute = enabled
> # user_enabled_mask = 0
> # user_enabled_default = True
> # user_attribute_ignore = default_project_id,tenants
> # user_default_project_id_attribute =
> # user_allow_create = True
> # user_allow_update = True
> # user_allow_delete = True
> # user_enabled_emulation = False
> # user_enabled_emulation_dn =
>
>  # tenant_tree_dn = ou=Projects,dc=example,dc=com
> # tenant_filter =
> # tenant_objectclass = groupOfNames
> # tenant_domain_id_attribute = businessCategory
> # tenant_id_attribute = cn
> # tenant_member_attribute = member
> # tenant_name_attribute = ou
> # tenant_desc_attribute = desc
> # tenant_enabled_attribute = enabled
> # tenant_attribute_ignore =
> # tenant_allow_create = True
> # tenant_allow_update = True
> # tenant_allow_delete = True
> # tenant_enabled_emulation = False
> # tenant_enabled_emulation_dn =
>
>  # role_tree_dn = ou=Roles,dc=example,dc=com
> # role_filter =
> # role_objectclass = organizationalRole
> # role_id_attribute = cn
> # role_name_attribute = ou
> # role_member_attribute = roleOccupant
> # role_attribute_ignore =
> # role_allow_create = True
> # role_allow_update = True
> # role_allow_delete = True
>
>  # group_tree_dn =
> # group_filter =
> # group_objectclass = groupOfNames
> # group_id_attribute = cn
> # group_name_attribute = ou
> # group_member_attribute = member
> # group_desc_attribute = desc
> # group_attribute_ignore =
> # group_allow_create = True
> # group_allow_update = True
> # group_allow_delete = True
>
>  Kindly help us to resolve the issue.
>
>  Thanks,
> Tizy
>
>
>
>
>
> http://www.youtube.com/watch?v=w3Yjlmb_68g
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
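For reference, below is a read-only Active Directory configuration of the kind the thread is asking about. It is added here as a worked example and is not taken from the thread or from the Keystone project's sample file. It assumes Havana's split of the identity backend (users and groups) from the assignment backend (projects, roles and role assignments), so that users come from AD while the existing projects and roles stay in MySQL; the hostname, bind DN, OU names and service-account password are placeholders.

```ini
# keystone.conf fragment (example, not from the thread).
# Users and groups are read from Active Directory; projects, roles and
# role assignments stay in the existing SQL database.

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# Prefer LDAPS (or use_tls = True with tls_cacertfile) so the service
# account password and user passwords are not sent in the clear.
url = ldaps://ad.example.com
# Service account with read access only; Keystone never needs write
# access with the *_allow_* flags below set to False.
user = cn=svc-keystone,ou=Service Accounts,dc=example,dc=com
password = CHANGEME
suffix = dc=example,dc=com
# AD users are usually spread across nested OUs; 'one' would miss them.
query_scope = sub
# AD limits result sets; enable paging so large user lists are returned.
page_size = 1000

# Users: AD uses sAMAccountName for the login name, 'mail' for e-mail and
# the userAccountControl bit field for the enabled state.
user_tree_dn = ou=Users,dc=example,dc=com
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
# Bit 2 (ACCOUNTDISABLE) set means disabled; 512 is a normal enabled account.
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
# Read-only directory: never let Keystone try to write to AD.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Groups (optional, but useful for group-based role assignments).
group_tree_dn = ou=Groups,dc=example,dc=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False

# No tenant_* or role_* settings: with the SQL assignment driver they are
# not consulted, so no Projects or Roles OU is needed in AD.
```

A few points on how this answers the three questions. Authentication is a simple bind as the user's DN with the password the user supplies, so user_pass_attribute plays no part and AD's unicodePwd never has to be readable. Because assignment is in SQL, the mapping from a user to a project and role is an ordinary Keystone role assignment keyed by the user's ID, which here is the sAMAccountName value; once the AD users show up in `keystone user-list`, `keystone user-role-add` with that user ID, an existing tenant ID and an existing role ID writes the assignment to the MySQL table as before. Before restarting Keystone, check the bind DN, base DN and filter with ldapsearch from the controller (for example `ldapsearch -H ldaps://ad.example.com -D "cn=svc-keystone,ou=Service Accounts,dc=example,dc=com" -W -b "ou=Users,dc=example,dc=com" "(sAMAccountName=jdoe)"`), since a wrong user_tree_dn or objectclass produces an empty user list rather than an obvious error.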