[Openstack-operators] Migration to LDAP / default domain questions
Ben Morrice
ben.morrice at epfl.ch
Wed Jul 6 14:23:57 UTC 2016
Hello,
We have a small private OpenStack deployment with 300 VMs across 2 regions.
We currently use the Keystone v2.0 API and all accounts are currently
stored in SQL.
We would like to move keystone to authenticate users from LDAP
(identity), whilst still having the service accounts stored in SQL
(migrating to Keystone v3 in the process).
In our testing environment we have configured domain-specific drivers to
support the above configuration, with the 'default' domain being SQL and
a separate domain 'ldap' for credentials from LDAP.
Usernames are the same for accounts in both 'default' and 'ldap'.
Assignments would still reside in SQL.
This setup works for the creation of new resources, however any
resources defined in the old domain ('default') are obviously not
available in the 'ldap' domain.
Has anyone migrated resources between domains? There doesn't appear to
be any OpenStack tooling to support this (?).
Or is the solution to simply configure the ldap domain named as
'default' and the SQL domain named as something like 'services' ?
--
Kind regards,
Ben Morrice
______________________________________________________________________
Ben Morrice | e: ben.morrice at epfl.ch | t: +41-21-693-9670
EPFL ENT CBS BBP
Biotech Campus
Chemin des Mines 9
1202 Geneva
Switzerland
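
The domain-specific driver layout described in the message above, sketched as an added example; it is not the poster's actual configuration. The file paths, LDAP URL, DNs, bind account and CA bundle path are placeholder assumptions.

```ini
# --- /etc/keystone/keystone.conf (path assumed) ---
# Shared settings. Domains without their own file, including 'default',
# keep using the SQL identity backend, so service accounts stay in SQL.
[identity]
driver = sql
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains

# Role assignments stay in SQL for every domain.
[assignment]
driver = sql

# --- /etc/keystone/domains/keystone.ldap.conf (path assumed) ---
# The file name carries the domain name: keystone.<domain_name>.conf.
# These settings apply only to the domain named 'ldap'.
[identity]
driver = ldap

[ldap]
# Placeholder directory details; replace with the site's own values.
url = ldaps://ldap.example.org
suffix = dc=example,dc=org
user_tree_dn = ou=people,dc=example,dc=org
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
# Low-privilege, read-only bind account (placeholder).
user = cn=keystone-bind,ou=services,dc=example,dc=org
password = CHANGE_ME
# Require a verified server certificate on the LDAP connection.
tls_cacertfile = /etc/ssl/certs/ldap-ca.pem
tls_req_cert = demand
```

Because the same usernames exist in both domains, a request scoped to 'default' resolves against SQL and one scoped to 'ldap' resolves against the directory; existing project assignments remain tied to the SQL user IDs.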