[Openstack-operators] Keystone backed by LDAP: What's still stored locally?

Fischer, Matt matthew.fischer at twcable.com
Mon Feb 10 20:27:50 UTC 2014

If we use LDAP to provide Assignment and Identity for Keystone, what things is Keystone still managing locally? The reason I'm asking is that we're setting up OpenStack in a couple of data centers and would like to centrally manage users/tenants/roles without replicating Keystone databases (if that's possible). It looks like Tokens, Catalogs, and Policy are the remaining services. I don't think we'd ever want to replicate Tokens, and the data in Catalogs might differ across DCs anyway, but "Policy" is what I'm not sure about. Is Policy the same as Assignment?

Finally, has anyone else set this up, and if so, do you have any caveats/must-dos? I think I have all the connection-to-LDAP stuff figured out but have not tried with multiple Keystone instances.
