On 08/19/2015 04:23 AM, Jesse Pretorius wrote:
>
> On 12 August 2015 at 18:48, Adam Young <ayoung at redhat.com> wrote:
>
>
>     The simplest one is Kerberos + SSSD;
>
>     Kerberos provides Authentication.
>     mod_lookup_identity uses SSSD to get Groups. It turns LDAP into
>     another Federated identity, much simpler than the LDAP code in
>     Keystone (I am responsible for that mess).
>
>     We are working on automating this via Ansible on top of a
>     RHEL/Centos 7 install to demo in Tokyo.
>
>     I am not certain if all the pieces are in place yet for Debian
>     based install. Specifically, it needs an updated sssd-dbus package.
>
>     We also have mod_mellon and Ipsilon working, as Jamie demo'ed at
>     Pycon AU.
>
>
> Sounds great!
>
> Would you be prepared to put together some WIP reviews to add those to
> the Keystone role in openstack-ansible? Even if they're non-working
> sketches that we can work from and iterate on, that'd be great.

Our sample code is here:

https://github.com/jamielennox/rippowam

I wrote up a README for what we are doing:
https://github.com/admiyo/rippowam/blob/master/README.rst

The stuff you care about is here:

Setting up SSSD
https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/infopipe.yml

And
https://github.com/jamielennox/rippowam/blob/master/roles/packstack/tasks/keystone-sssd.yml

>
> Note that we're looking at implementing some changes to broaden the
> platform support too. We're moving some of the pieces into place for
> the liberty [1] release and I'll be putting my thoughts down on
> multi-platform host enablement [2] soon. Also, considering that it'd
> be easier to comprehend, consume and iterate the ansible roles if they
> were independent consumable units I've also proposed [3][4] to break
> them out into their own repositories. It'd be great if you could
> provide your input.
>
> [1] https://blueprints.launchpad.net/openstack-ansible/+spec/liberty
> [2] https://blueprints.launchpad.net/openstack-ansible/+spec/multi-platform-host
> [3] https://blueprints.launchpad.net/openstack-ansible/+spec/independent-role-repositories
> [4] https://review.openstack.org/213779