[Openstack-operators] Migrating keystone from MySQL to LDAP

Fox, Kevin M Kevin.Fox at pnnl.gov
Tue Mar 3 19:44:28 UTC 2015


See the id_mapping table.

Thanks,
Kevin
________________________________________
From: Antonio Messina [antonio.s.messina at gmail.com]
Sent: Tuesday, March 03, 2015 11:28 AM
To: Fox, Kevin M
Cc: Caius Howcroft; openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] Migrating keystone from MySQL to LDAP

On Mon, Mar 2, 2015 at 5:31 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
> That leaves identity mapping. There is a table of ldap users to
> unique IDs in the database.

I'm not an expert, but I have a Juno testbed that is using LDAP for
identity and SQL for assignment, and the 'id' of the user is, in my
case, the uid attribute of the ldap object (cfr. `user_id_attribute`
option in `keystone.conf`).

    $ keystone  user-get antonio
    +----------+---------+
    | Property |  Value  |
    +----------+---------+
    |    id    | antonio |
    |   name   | antonio |
    | username | antonio |
    +----------+---------+

I don't have anything in the `user` table, and the `assignment` table
is populated only when I actually assign a role to a user in a
tenant.

    $ keystone user-list --tenant demo
    +---------+---------+---------+-------+
    |    id   |   name  | enabled | email |
    +---------+---------+---------+-------+
    | antonio | antonio |         |       |
    |  sergio |  sergio |         |       |
    +---------+---------+---------+-------+

and in the DB:

    mysql> select asgn.actor_id, proj.name as project, role.name as role
        -> from keystone.assignment as asgn
        -> left join keystone.project as proj on asgn.target_id=proj.id
        -> left join keystone.role on asgn.role_id=role.id
        -> where proj.name='demo';
    +----------------------------------+---------+----------+
    | actor_id                         | project | role     |
    +----------------------------------+---------+----------+
    | antonio                          | demo    | Member   |
    | sergio                           | demo    | Member   |
    +----------------------------------+---------+----------+

.a.

--
antonio.s.messina at gmail.com
antonio.messina at uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland


