[openstack-dev] Keystone

Adam Young ayoung at redhat.com
Wed May 28 19:38:02 UTC 2014


On 05/28/2014 05:57 AM, Tizy Ninan wrote:
> Hi,
>
> Thanks for the reply.
> I am still not successful in integrating keystone with active 
> directory. Can you please provide some clarifications related to the 
> following questions.
> 1. Currently, my Active Directory schema does not have 
> projects/tenants and roles OUs. Is it necessary for me to create 
> projects/tenants and roles OUs in the Active Directory schema for 
> keystone to authenticate to Active Directory?
No.  Set the Assignment driver to SQL, not LDAP.

> 2. We added values to the user_tree_dn. Do the tenant_tree_dn, 
> role_tree_dn and group_tree_dn fields need to be filled in for 
> authentication?
No, tenant values are used for assignment, and you should not be doing 
assignments in AD.  Those go into SQL.


> 3. How will the mapping of a user to a project/tenant and role be 
> done if I try to use Active Directory to authenticate only the users 
> and use the already existing projects and roles tables in the MySQL 
> database?
You need a role assignment, based either on the userid or on a groupid 
that the user is in.  These are stored in the assignment backend.


>
> Kindly provide me some insight into these questions.
>
> Thanks,
> Tizy
>
> On Tue, May 20, 2014 at 8:27 AM, Adam Young <ayoung at redhat.com> wrote:
>
>     On 05/16/2014 05:08 AM, Tizy Ninan wrote:
>>     Hi,
>>
>>     We have an OpenStack Havana deployment on CentOS 6.4 with the
>>     nova-network network service, installed using Mirantis Fuel v4.0.
>>     We are trying to integrate the OpenStack setup with Microsoft
>>     Active Directory (LDAP server). I only have read access to the
>>     LDAP server.
>>     What are the minimum changes needed under the [ldap] tag in the
>>     keystone.conf file? Can you please specify which variables need
>>     to be set and what the value of each variable should be?
>>
>>     [ldap]
>>     # url = ldap://localhost
>>     # user = dc=Manager,dc=example,dc=com
>>     # password = None
>>     # suffix = cn=example,cn=com
>>     # use_dumb_member = False
>>     # allow_subtree_delete = False
>>     # dumb_member = cn=dumb,dc=example,dc=com
>>
>>     # Maximum results per page; a value of zero ('0') disables paging (default)
>>     # page_size = 0
>>
>>     # The LDAP dereferencing option for queries. This can be either 'never',
>>     # 'searching', 'always', 'finding' or 'default'. The 'default' option falls
>>     # back to using default dereferencing configured by your ldap.conf.
>>     # alias_dereferencing = default
>>
>>     # The LDAP scope for queries, this can be either 'one'
>>     # (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
>>     # query_scope = one
>>
>>     # user_tree_dn = ou=Users,dc=example,dc=com
>>     # user_filter =
>>     # user_objectclass = inetOrgPerson
>>     # user_id_attribute = cn
>>     # user_name_attribute = sn
>>     # user_mail_attribute = email
>>     # user_pass_attribute = userPassword
>>     # user_enabled_attribute = enabled
>>     # user_enabled_mask = 0
>>     # user_enabled_default = True
>>     # user_attribute_ignore = default_project_id,tenants
>>     # user_default_project_id_attribute =
>>     # user_allow_create = True
>>     # user_allow_update = True
>>     # user_allow_delete = True
>>     # user_enabled_emulation = False
>>     # user_enabled_emulation_dn =
>>
>>     # tenant_tree_dn = ou=Projects,dc=example,dc=com
>>     # tenant_filter =
>>     # tenant_objectclass = groupOfNames
>>     # tenant_domain_id_attribute = businessCategory
>>     # tenant_id_attribute = cn
>>     # tenant_member_attribute = member
>>     # tenant_name_attribute = ou
>>     # tenant_desc_attribute = desc
>>     # tenant_enabled_attribute = enabled
>>     # tenant_attribute_ignore =
>>     # tenant_allow_create = True
>>     # tenant_allow_update = True
>>     # tenant_allow_delete = True
>>     # tenant_enabled_emulation = False
>>     # tenant_enabled_emulation_dn =
>>
>>     # role_tree_dn = ou=Roles,dc=example,dc=com
>>     # role_filter =
>>     # role_objectclass = organizationalRole
>>     # role_id_attribute = cn
>>     # role_name_attribute = ou
>>     # role_member_attribute = roleOccupant
>>     # role_attribute_ignore =
>>     # role_allow_create = True
>>     # role_allow_update = True
>>     # role_allow_delete = True
>>
>>     # group_tree_dn =
>>     # group_filter =
>>     # group_objectclass = groupOfNames
>>     # group_id_attribute = cn
>>     # group_name_attribute = ou
>>     # group_member_attribute = member
>>     # group_desc_attribute = desc
>>     # group_attribute_ignore =
>>     # group_allow_create = True
>>     # group_allow_update = True
>>     # group_allow_delete = True
>>
>>     Kindly help us to resolve the issue.
>>
>>     Thanks,
>>     Tizy
>>
>>
>>
>>     _______________________________________________
>>     OpenStack-dev mailing list
>>     OpenStack-dev at lists.openstack.org  <mailto:OpenStack-dev at lists.openstack.org>
>>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>     http://www.youtube.com/watch?v=w3Yjlmb_68g

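Putting Adam's three answers together for the setup Tizy describes (Havana, read-only access to AD): identity from LDAP, assignments in SQL, no Projects or Roles OU in AD. This is an added example, not a configuration from the thread or from the Keystone project; the host name, CA file path, DNs, service account and group names are assumptions and must be adapted to the real directory.

```ini
# /etc/keystone/keystone.conf (Havana) - example values only, adjust to your AD

[identity]
# Users and groups are read from Active Directory.
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Projects/tenants, roles and role assignments stay in MySQL. With this
# driver no Projects/Roles OU is needed in AD and the tenant_* / role_*
# options in [ldap] are never consulted, so leave them unset.
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# Assumed domain controller. StartTLS on 389 keeps the bind password and
# user passwords off the wire in clear; 'demand' makes keystone refuse a
# server certificate it cannot verify against the assumed CA file.
url = ldap://ad.example.com:389
use_tls = True
tls_cacertfile = /etc/pki/tls/certs/ad-ca.pem
tls_req_cert = demand

# Read-only service account used only for searches. A user's password is
# checked by a separate simple bind as that user's own DN, so this account
# needs no write rights. Placeholder password; keep keystone.conf 0640.
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
password = CHANGEME
suffix = DC=example,DC=com

# Search the whole subtree so users in nested OUs are found, and page the
# results: AD rejects unpaged result sets larger than MaxPageSize (1000).
query_scope = sub
page_size = 1000

# --- users: attribute names are the standard AD ones ---
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
# Least privilege: only members of one (assumed) AD group may log in at all.
user_filter = (memberOf=CN=openstack-users,OU=Groups,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
# AD marks a disabled account with bit 2 of userAccountControl; 512 is a
# normal enabled account.
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# AD never returns userPassword, and tenant/project data lives in SQL.
user_attribute_ignore = password,tenant_id,tenants,default_project_id
# Read-only directory: refuse writes up front instead of failing halfway.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# --- groups: needed so role assignments can be made to AD groups ---
group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```

After restarting keystone, the role assignments Adam refers to are created in the SQL backend, not in AD: per user with the v2 client (`keystone user-role-add --user <sAMAccountName> --tenant <tenant> --role <role>`) or, preferably, per AD group with the v3 API (`openstack --os-identity-api-version 3 role add --group <ad-group> --project <project> <role>`), so access follows group membership maintained in the directory. Because the file now holds a bind password, restrict it to root and the keystone user, and confirm with `ldapsearch -ZZ` that the domain controller actually accepts StartTLS before setting `tls_req_cert = demand`, or authentication will fail closed.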