[Openstack-operators] Keystone and Active Directory
Jan van Eldik
Jan.van.Eldik at cern.ch
Mon Jul 16 08:28:10 UTC 2012
For us, option (3) is best. At CERN, our customers already manage their
Active Directory groups for many other applications.
The LHC experiments have 1000s of collaborators, who are organized in
1000s of AD groups. We want to delegate tenant management to the
experiment coordinators, and a full AD integration with our account
lifecycle management will ensure consistency.
Let us know if you need any clarification (or help with testing).
cheers, Jose & Jan
On 07/14/2012 08:55 PM, Joseph Heck wrote:
> Good morning,
> I wanted to solicit some detail from y'all as operators. I'm starting in on development for a Keystone backend that does basic Authentication against an existing active directory.
> Looking forward past basic authentication, there are several possible ways to implement this, and I'm curious which of several possibilities you all would find most useful. I'd love feedback on which of these you'd find most useful, and of course if there's a variation on the theme that would "rock your world", please tell me about it.
> 1) no explicit mapping to active directory groups; projects and roles managed externally to active directory, with users in active directory getting assigned to those projects and roles, but using the credentials (userid/password) from active directory.
> 2) using active directory groups to assign roles to users, regardless of tenant. This would be storing "projects" and links of users to projects external to active directory, but using active directory groups to define what "roles" a user should have within their project(s).
> 3) using active directory groups to represent projects, with membership in the group simply implying a "membership" style role with broad capabilities in the project.
> The quandary I'm facing is that I'm not sure how y'all are using groups and what they represent to you, and what that *could* mean to an OpenStack deployment in your organization. Any and all feedback welcome - either back to this list, or directly to me: Joe Heck (heckj at mac.com)
> Keystone PTL
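To make the difference between options 2 and 3 concrete, here is an added illustration (not code from the thread, from Keystone, or from CERN) of how a backend could turn a user's AD `memberOf` attribute into project/role assignments. The OU names, DNs, the "member" default role and the sample user are all constructed for this example; a real backend would of course read the attribute over LDAP and hand the result to Keystone.

```python
"""Derive project/role assignments from Active Directory group membership,
following options 2 and 3 from Joe's mail. All OU names, DNs, roles and
the sample user below are constructed for this example."""
import re

# Constructed layout: project groups live under one OU, role groups under another.
PROJECT_GROUP_BASE = "OU=OpenStackProjects,DC=example,DC=org"
ROLE_GROUP_BASE = "OU=OpenStackRoles,DC=example,DC=org"
DEFAULT_ROLE = "member"   # the broad "membership" style role of option 3

# Simple DN split; does not handle escaped commas inside a CN.
_CN = re.compile(r"^CN=([^,]+),(.+)$", re.IGNORECASE)


def split_dn(dn):
    """Return (cn, parent) for a group DN, or None if it is not CN=...,parent."""
    m = _CN.match(dn.strip())
    return (m.group(1), m.group(2)) if m else None


def assignments_option3(member_of):
    """Option 3: every AD group under PROJECT_GROUP_BASE *is* a project, and
    membership grants DEFAULT_ROLE there. Groups elsewhere in AD are ignored,
    so unrelated group memberships never leak into OpenStack."""
    result = {}
    for dn in member_of:
        parsed = split_dn(dn)
        if parsed and parsed[1].lower() == PROJECT_GROUP_BASE.lower():
            result.setdefault(parsed[0], set()).add(DEFAULT_ROLE)
    return result


def assignments_option2(member_of, projects):
    """Option 2: projects and the user->project links come from outside AD
    (here the `projects` list); AD groups under ROLE_GROUP_BASE name the roles
    the user holds in each of those projects, regardless of tenant."""
    roles = set()
    for dn in member_of:
        parsed = split_dn(dn)
        if parsed and parsed[1].lower() == ROLE_GROUP_BASE.lower():
            roles.add(parsed[0].lower())
    return {p: set(roles) for p in projects}


# Constructed memberOf attribute for one user.
SAMPLE_MEMBER_OF = [
    "CN=atlas-prod,OU=OpenStackProjects,DC=example,DC=org",
    "CN=cms-dev,OU=OpenStackProjects,DC=example,DC=org",
    "CN=Admin,OU=OpenStackRoles,DC=example,DC=org",
    "CN=mailing-list-users,OU=Groups,DC=example,DC=org",  # unrelated, ignored
]

if __name__ == "__main__":
    print(assignments_option3(SAMPLE_MEMBER_OF))
    print(assignments_option2(SAMPLE_MEMBER_OF, ["atlas-prod"]))
```

Note that under option 2 an "Admin" role group applies to every project the user is linked to, which is exactly the tenant-independence Joe describes and something to weigh before choosing it.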