[openstack-dev] [keystone][multidomain] - Time to leave LDAP backend?

Marcos Fermin Lobo marcos.fermin.lobo at cern.ch
Mon Sep 1 08:43:33 UTC 2014


Hi all,

I found two functionalities for keystone that could be against each other.

Multi-domain feature (This functionality is new in Juno.)
---------------------------
Link: http://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers
Keystone supports the option to specify identity driver configurations on a domain-by-domain basis, allowing, for example, a specific domain to have its own LDAP or SQL server. So, we can use different backends for different domains. But, as Henry Nash said, "it has not been validated with multiple SQL drivers": https://bugs.launchpad.net/keystone/+bug/1362181/comments/2

Hierarchical Multitenancy
--------------------------------
Link: https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy
This is the nested projects feature, but only for SQL, not LDAP.

So, if you are using LDAP and you want the "nested projects" feature, you should migrate from LDAP to SQL, but if you want to get the multi-domain feature too, you can't use 2 SQL backends (you need at least one LDAP backend) because it is not validated for multiple SQL drivers...

Maybe I'm missing something; please correct me if I'm wrong.

Here are my questions:

- If I want the Multi-domain and Hierarchical Multitenancy features, what are my options? What should I do (migrate or not migrate to SQL)?

- Is LDAP going to be deprecated soon?

Thanks.

Cheers,
Marcos.
