[Openstack-operators] Migrating keystone from MySQL to LDAP
Antonio Messina
antonio.s.messina at gmail.com
Tue Mar 3 19:28:35 UTC 2015
On Mon, Mar 2, 2015 at 5:31 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
> That leaves identity mapping. There is a table of ldap users to
> unique id's in the database.
I'm not an expert, but I have a Juno testbed that is using LDAP for
identity and SQL for assignment, and the 'id' of the user is, in my
case, the uid attribute of the LDAP object (cf. the `user_id_attribute`
option in `keystone.conf`).
$ keystone user-get antonio
+----------+---------+
| Property |  Value  |
+----------+---------+
|    id    | antonio |
|   name   | antonio |
| username | antonio |
+----------+---------+
I don't have anything in the `user` table, and the `assignment` table
is populated only when I actually assign a role to a user in a
tenant.
$ keystone user-list --tenant demo
+---------+---------+---------+-------+
|    id   |   name  | enabled | email |
+---------+---------+---------+-------+
| antonio | antonio |         |       |
|  sergio |  sergio |         |       |
+---------+---------+---------+-------+
and in the DB:
mysql> SELECT asgn.actor_id, proj.name AS project, role.name AS role
    ->   FROM keystone.assignment AS asgn
    ->   LEFT JOIN keystone.project AS proj ON asgn.target_id = proj.id
    ->   LEFT JOIN keystone.role ON asgn.role_id = role.id
    ->  WHERE proj.name = 'demo';
+----------------------------------+---------+----------+
| actor_id                         | project | role     |
+----------------------------------+---------+----------+
| antonio                          | demo    | Member   |
| sergio                           | demo    | Member   |
+----------------------------------+---------+----------+
.a.
--
antonio.s.messina at gmail.com
antonio.messina at uzh.ch +41 (0)44 635 42 22
S3IT: Service and Support for Science IT http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
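Added example (not code from the post, the thread, or Keystone itself): when a deployment like the one above is switched from a SQL identity backend to LDAP with `user_id_attribute = uid`, the rows already in `keystone.assignment` still carry the old 32-hex-character SQL user ids, while new grants use the LDAP uid. The sketch below builds the old-id-to-uid map by matching the old `user.name` against the LDAP uids, rewrites user assignments, flags rows whose actor no longer resolves, and drops duplicates that would collide with grants made after the switch. All table rows and ids are constructed; the `assignment` column names (`type`, `actor_id`, `target_id`, `role_id`) and the `uuid4().hex` shape of SQL ids are assumptions about the Juno schema, not facts taken from the post.

```python
import re

# Assumption: SQL-backend user ids are uuid4().hex (32 hex chars); LDAP uids are not.
UUID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample of the pre-migration keystone.user table (id, name).
SQL_USERS = [
    {"id": "3f2b0e6c4d7a4a1b9c0d1e2f3a4b5c6d", "name": "antonio"},
    {"id": "7a1c9d8e6f5b4a3c2d1e0f9a8b7c6d5e", "name": "sergio"},
    {"id": "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b", "name": "legacy-svc"},
]

# Constructed: uid values found under the LDAP user tree (e.g. via ldapsearch).
LDAP_UIDS = {"antonio", "sergio"}

DEMO = "c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6"    # constructed project id
MEMBER = "0123456789abcdef0123456789abcdef"  # constructed role id

# Constructed rows of keystone.assignment; column names are an assumption (Juno).
ASSIGNMENTS = [
    {"type": "UserProject", "actor_id": "3f2b0e6c4d7a4a1b9c0d1e2f3a4b5c6d",
     "target_id": DEMO, "role_id": MEMBER},
    {"type": "UserProject", "actor_id": "7a1c9d8e6f5b4a3c2d1e0f9a8b7c6d5e",
     "target_id": DEMO, "role_id": MEMBER},
    {"type": "UserProject", "actor_id": "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b",
     "target_id": DEMO, "role_id": MEMBER},
    # Grant made after the switch to LDAP: actor_id is already the uid.
    {"type": "UserProject", "actor_id": "antonio",
     "target_id": DEMO, "role_id": MEMBER},
    # Group assignment: actor is a group id, never a user, so it is left alone.
    {"type": "GroupProject", "actor_id": "aabbccddeeff00112233445566778899",
     "target_id": DEMO, "role_id": MEMBER},
]


def build_id_map(sql_users, ldap_uids):
    """Map old SQL user id -> LDAP uid by requiring user.name == uid.

    Returns (mapping, unmatched_names). Users with no LDAP entry are reported,
    not silently dropped: their assignments will dangle after the switch."""
    mapping, unmatched = {}, []
    for user in sql_users:
        if user["name"] in ldap_uids:
            mapping[user["id"]] = user["name"]
        else:
            unmatched.append(user["name"])
    return mapping, unmatched


def remap_assignments(assignments, id_map):
    """Rewrite user actor_ids through id_map.

    Returns (rewritten_rows, dangling_rows). A row is dangling when its actor
    is a user, looks like an old SQL uuid and has no LDAP counterpart. Rows
    that would duplicate the assignment primary key (type, actor_id,
    target_id, role_id) after rewriting are dropped, keeping the first."""
    rewritten, dangling, seen = [], [], set()
    for row in assignments:
        actor = row["actor_id"]
        if row["type"].startswith("User"):
            if actor in id_map:
                row = {**row, "actor_id": id_map[actor]}
            elif UUID_RE.match(actor):
                dangling.append(row)
                continue
            # else: already an LDAP uid, nothing to rewrite
        key = (row["type"], row["actor_id"], row["target_id"], row["role_id"])
        if key in seen:
            continue
        seen.add(key)
        rewritten.append(row)
    return rewritten, dangling


def update_statements(id_map):
    """Parameterised (sql, params) pairs for cursor.execute(); no string-built SQL.

    Only user-typed rows are touched, so a group id that happened to equal a
    user id could not be rewritten by accident."""
    return [
        ("UPDATE keystone.assignment SET actor_id = %s "
         "WHERE actor_id = %s AND type LIKE 'User%%'", (uid, old_id))
        for old_id, uid in id_map.items()
    ]


if __name__ == "__main__":
    id_map, unmatched = build_id_map(SQL_USERS, LDAP_UIDS)
    rows, dangling = remap_assignments(ASSIGNMENTS, id_map)
    print("unmatched users:", unmatched)
    print("dangling assignments:", [r["actor_id"] for r in dangling])
    for sql, params in update_statements(id_map):
        print(sql, params)
```

Run the dry run first and review the dangling list before executing any of the UPDATE statements: a dangling row is either an account that was intentionally not migrated to LDAP (delete the grant) or a name mismatch between `user.name` and the LDAP uid (fix the map by hand), and the script deliberately refuses to guess which.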