[Openstack] [OpenStack][Keystone][LDAP] Does LDAP driver support for validating subtree user?
Adam Young
ayoung at redhat.com
Tue May 22 13:43:19 UTC 2012
On 05/22/2012 07:07 AM, Kuo Hugo wrote:
> Hi Folks,
>
> I have tried the keystone backend with LDAP and Windows AD.
>
> It looks fine. Just want to clarify one point.
>
> In my test results, the LDAP driver could only validate users in the
> particular container (OU, CN, etc.) and does not include the subtree users.
>
> [ldap]
> tree_dn = dc=taiwan,dc=com
> user_tree_dn = ou=foo,dc=taiwan,dc=com
>
>
> For example:
> User1 : cn=jeremy,ou=foo,dc=taiwan,dc=com
>
> User2 : cn=jordan,ou=bar,ou=foo,dc=taiwan,dc=com
> User1 could be validated, and get the token generated by keystone.
> User2 could not be validated.
>
>
> Is there any way to validate both User1 and User2 in the current design?

No, there is not. Queries are not done against subtrees.
If this is important to you, please file a ticket:
https://bugs.launchpad.net/keystone/+filebug

>
>
> --
> +Hugo Kuo+
> tonytkdk at gmail.com
>
>
>
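The behaviour discussed in this thread matches the difference between LDAP's one-level and subtree search scopes. The sketch below is an added example, not part of the original messages and not Keystone's driver code. It applies the standard scope rules to the two DNs from the question. Treating the driver's lookup as a one-level search under `user_tree_dn` is an assumption drawn from the thread, and the helper names are hypothetical.

```python
# Added illustration: LDAP search-scope semantics applied to the DNs in this thread.
# Simplified DN handling: assumes no escaped commas inside attribute values.

def parse_dn(dn):
    """Split a DN into normalized (attribute, value) RDNs, leaf first."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn falls within `scope` of base_dn.

    scope: "base" (the base entry only), "one" (immediate children only),
           "sub" (the base entry and everything beneath it).
    """
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False  # entry is not located under base at all
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %r" % scope)

# Values taken from the question above.
USER_TREE_DN = "ou=foo,dc=taiwan,dc=com"
USERS = {
    "User1": "cn=jeremy,ou=foo,dc=taiwan,dc=com",
    "User2": "cn=jordan,ou=bar,ou=foo,dc=taiwan,dc=com",
}

def visible_users(scope, base_dn=USER_TREE_DN):
    """Names of the sample users a search with this scope would return."""
    return sorted(n for n, dn in USERS.items() if in_scope(dn, base_dn, scope))

if __name__ == "__main__":
    for scope in ("one", "sub"):
        print(scope, visible_users(scope))
```

A subtree scope makes every account in every nested OU under the base eligible to authenticate, so the contents of those containers should be reviewed before a wider scope is requested or enabled.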