On 12 August 2015 at 18:48, Adam Young <ayoung at redhat.com> wrote:

> The simplest one is Kerberos + SSSD;
>
> Kerberos provides Authentication.
> mod_lookup_identity uses SSSD to get Groups. It turns LDAP into another
> Federated identity, much simpler than the LDAP code in Keystone (I am
> responsible for that mess).
>
> We are working on automating this via Ansible on top of a RHEL/CentOS 7
> install to demo in Tokyo.
>
> I am not certain if all the pieces are in place yet for Debian based
> install. Specifically, it needs an updated sssd-dbus package.
>
> We also have mod_mellon and Ipsilon working, as Jamie demo'ed at Pycon AU.

Sounds great! Would you be prepared to put together some WIP reviews to add those to the Keystone role in openstack-ansible? Even if they're non-working sketches that we can work from and iterate on, that'd be great.

Note that we're looking at implementing some changes to broaden the platform support too. We're moving some of the pieces into place for the liberty [1] release and I'll be putting my thoughts down on multi-platform host enablement [2] soon.

Also, considering that it'd be easier to comprehend, consume and iterate the ansible roles if they were independent consumable units, I've also proposed [3][4] to break them out into their own repositories. It'd be great if you could provide your input.

[1] https://blueprints.launchpad.net/openstack-ansible/+spec/liberty
[2] https://blueprints.launchpad.net/openstack-ansible/+spec/multi-platform-host
[3] https://blueprints.launchpad.net/openstack-ansible/+spec/independent-role-repositories
[4] https://review.openstack.org/213779