[Openstack-operators] Migrating keystone from MySQL to LDAP

Fox, Kevin M Kevin.Fox at pnnl.gov
Mon Mar 2 16:31:43 UTC 2015


You can leave the roles/projects outside of LDAP by just using the LDAP identity plugin, leaving the rest in SQL. It sounds like they will be deprecating putting roles/projects in LDAP in the future anyway.

That leaves identity mapping. There is a table of LDAP users to unique IDs in the database. I haven't tried, but you might be able to import all your LDAP users into the table, then before any usage, switch the IDs to the old IDs. No idea if it's safe to do that though. You will have to test it thoroughly.

Thanks,
Kevin
________________________________________
From: Caius Howcroft [caius.howcroft at gmail.com]
Sent: Monday, March 02, 2015 7:36 AM
To: openstack-operators at lists.openstack.org
Subject: [Openstack-operators] Migrating keystone from MySQL to LDAP

Hi,

We are in the process of migrating off the MySQL backend for keystone and
into LDAP. Just wondering if anyone had any experience with this? I'm
going to have to keep all the IDs the same (or else go in and change
project IDs etc. in things like the cinder db). Looks like the keystone API
doesn't allow me to force a uuid at creation time for projects, roles
and users. I can go in and create the projects etc. in a python script
directly, but that's a bit messy.

Just wondered if anyone had done this and had a neater solution?

Caius
--
