[Openstack-operators] Keystone and Active Directory

Joseph Heck heckj at mac.com
Sat Jul 14 18:55:14 UTC 2012


Good morning,

I wanted to solicit some detail from y'all as operators. I'm starting in on development for a Keystone backend that does basic authentication against an existing Active Directory.

Looking forward past basic authentication, there are several potential ways to implement this, and I'm curious among several possibilities what you all would find most useful. I'd love feedback on which of these you'd find most useful, and of course if there's a variation on the theme that would "rock your world", please tell me about it.

1) no explicit mapping to Active Directory groups; projects and roles managed externally to Active Directory, with users in Active Directory getting assigned to those projects and roles, but using the credentials (userid/password) from Active Directory.

2) using Active Directory groups to assign roles to users, regardless of tenant. This would be storing "projects" and links of users to projects external to Active Directory, but using Active Directory groups to define what "roles" a user should have within their project(s).

3) using Active Directory groups to represent projects, with membership in the group simply implying a "membership" style role with broad capabilities in the project.

The quandary I'm facing is that I'm not sure how y'all are using groups and what they represent to you, and what that *could* mean to an OpenStack deployment in your organization. Any and all feedback welcome - either back to this list, or directly to me: Joe Heck (heckj at mac.com)

-joe
Keystone PTL
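The three mapping options above, as an added example that is not part of the original mail or of Keystone's own code: a constructed Active Directory stand-in (users, passwords, group memberships) plus the external project/role store each option needs, with one function that resolves the (project, role) pairs a user would hold under each option. The group names, the `proj-` prefix and the `os-admin`/`os-user` role groups are assumptions for illustration.

```python
# Added example: the three AD-to-Keystone mapping options as authorization
# logic over a constructed (not real) directory. AD only checks passwords;
# each option yields the (project, role) pairs a user would hold.
import hmac

# Constructed AD stand-in: user -> (password, group memberships).
# A real backend would do an LDAP bind instead of comparing a stored secret.
AD_DIRECTORY = {
    "alice": ("alice-pw", ["os-admin", "proj-web", "proj-db"]),
    "bob": ("bob-pw", ["proj-web"]),
    "carol": ("carol-pw", []),
}
# Option 1: projects and roles live entirely outside AD.
EXTERNAL_ASSIGNMENTS = {"alice": [("web", "admin")], "bob": [("web", "member")]}
# Option 2: AD groups name roles; project membership is stored externally.
GROUP_TO_ROLE = {"os-admin": "admin", "os-user": "member"}
USER_PROJECTS = {"alice": ["web", "db"], "bob": ["web"]}
# Option 3: AD groups carrying this prefix *are* the projects.
PROJECT_GROUP_PREFIX = "proj-"


def authenticate(user, password):
    """Stand-in for an AD bind: constant-time compare on the constructed secret."""
    entry = AD_DIRECTORY.get(user)
    return entry is not None and hmac.compare_digest(entry[0], password)


def assignments(option, user):
    """Sorted (project, role) pairs for `user` under mapping option 1, 2 or 3."""
    groups = AD_DIRECTORY.get(user, (None, []))[1]
    if option == 1:
        pairs = set(EXTERNAL_ASSIGNMENTS.get(user, []))
    elif option == 2:
        # Roles come from groups and apply to every project the user is in,
        # so a user with projects but no role-group ends up with no access.
        roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
        pairs = {(p, r) for p in USER_PROJECTS.get(user, []) for r in roles}
    elif option == 3:
        # Group membership alone grants a broad "member" role in that project.
        pairs = {(g[len(PROJECT_GROUP_PREFIX):], "member")
                 for g in groups if g.startswith(PROJECT_GROUP_PREFIX)}
    else:
        raise ValueError("unknown mapping option: %r" % option)
    return sorted(pairs)


if __name__ == "__main__":
    for opt in (1, 2, 3):
        print(opt, {u: assignments(opt, u) for u in AD_DIRECTORY})
```

Note how bob, who belongs to a project group but to no role group, gets nothing under option 2 but a broad "member" role under option 3; that difference is the operational trade-off the options above are asking about.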
