[openstack-dev] [keystone] LDAP identity driver with groups from local DB
email at daviey.com
Fri Jul 24 08:29:32 UTC 2015
On 24 July 2015 at 05:00, Julian Edwards <bigjools at gmail.com> wrote:
> I am relatively new to Openstack and Keystone so please forgive me any
> crazy misunderstandings here.
> One of the problems with the existing LDAP Identity driver that I see
> is that for group management it needs write access to the LDAP server,
> or requires an LDAP admin to set up groups separately.
> Neither of these are palatable to some larger users with corporate
> LDAP directories, so I'm interested in discussing a solution that
> would get acceptance from core devs.
> My initial thoughts are to create a new driver that would store groups
> and their user memberships in the local keystone database, while
> continuing to rely on LDAP for user authentication. The advantages of
> this would be that the standard UI tools could continue to work for
> group manipulation. This is somewhat parallel with ephemeral
> federated user group mappings, but that's all done in the json blob
> which is a bit horrible. (I'd like to see that working with a decent
> UI some time, perhaps it is solved in the same way)
> However, one of the other reasons I'm sending this is to gather more
> ideas to solve this. I'd like to hear from anyone in a similar
> position, and anyone with input on how to help.
Can I suggest reading this excellent write up by Adam Young?
Tl;DR is that the *User* management can come from LDAP via the
Identity driver, but the Project/Tenants and Roles on these come from
the *Assignment* driver via SQL - almost as an overlay.
This would seem to solve the issue you outline?
As a side note, I had a comparable idea for an external AuthN driver
to plug into legacy RBAC systems but this area of Keystone wants to
focus on Federation rather than extending interaction at other levels.
You may fine the thread of interest:
More information about the OpenStack-dev