[Openstack] FreeIPA LDAP + Keystone question: How to assign roles to user?

Adam Young ayoung at redhat.com
Mon Sep 24 15:10:26 UTC 2012


Role is grouped in the collection under the Tenant, with the userid in 
the members attribute for that role.



On 09/24/2012 03:18 AM, ?? wrote:
>
> Openstack services need a user account with the 'admin' role. But I could 
> not figure out how FreeIPA propagates 'role' into Keystone.
>
> That's why I'm asking the question on the mailing list.
>
>
> On Sep 24, 2012, at 11:30 AM, spring wrote:
>
>> Thanks qiujian!
>> By using this configuration, can we log in through dashboard? If I 
>> want to implement that, is there any other configuration I have to do?
>>
>> 2012/9/24 ?? <qiujian at meituan.com>
>>
>>     BTW, here is my configuration:
>>
>>     [ldap]
>>     url = ldap://10.64.11.199
>>     tree_dn = cn=accounts,dc=mydomain,dc=com
>>     user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
>>     user_objectclass = person
>>     user_name_attribute = uid
>>     user_id_attribute = uid
>>     tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
>>     tenant_objectclass = posixgroup
>>     tenant_id_attribute = cn
>>     tenant_name_attribute = cn
>>     tenant_member_attribute = member
>>     role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
>>     role_objectclass = posixgroup
>>     role_id_attribute = cn
>>     role_name_attribute = cn
>>     role_member_attribute = member
>>     user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
>>     password = mysudopassword
>>     suffix = cn=mydomain,cn=com
>>
>>
>>     [identity]
>>     driver = keystone.identity.backends.ldap.Identity
>>
>>     It seems that keystone LDAP requires role nodes to be the children
>>     of tenant nodes. But FreeIPA has a flat structure.
>>
>>     --
>>     ??
>>     ??????????? - ?????
>>     ??:1381129925
>>     ??:qiujian at meituan.com
>>
>>     On Sep 22, 2012, at 12:27 PM, ?? wrote:
>>
>>>     Hi,
>>>
>>>     I was working on using the LDAP of FreeIPA as the backend of Keystone.
>>>
>>>     User and tenants information can be fetched from LDAP. However,
>>>     I could not figure out how to assign roles to users in specific
>>>     tenants. I'm wondering whether someone can help?
>>>
>>>     I noticed that Mr. Adam Young had posted a blog about this topic:
>>>
>>>     http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
>>>
>>>     However, it did not show how to import roles in LDAP. I'm
>>>     wondering whether there is any progress on this?
>>>
>>>     Many thanks.
>>>
>>>     keystone in use was the latest master branch on github on Sep
>>>     21, 2012.
>>>
>>>
>>>     Jian Qiu
>>>     _______________________________________________
>>>     Mailing list: https://launchpad.net/~openstack
>>>     <https://launchpad.net/%7Eopenstack>
>>>     Post to     : openstack at lists.launchpad.net
>>>     <mailto:openstack at lists.launchpad.net>
>>>     Unsubscribe : https://launchpad.net/~openstack
>>>     <https://launchpad.net/%7Eopenstack>
>>>     More help   : https://help.launchpad.net/ListHelp
>>
>>
>> -- 
>> Huang Shuquan (???)
>> Software Institute of Nanjing University Nanjing, P.R.China
>> Mobile: 86 137 7086 4433
>>
>
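
The layout described in the reply above (roles as child entries of a tenant, with the user listed in that role's member attribute), next to the flat FreeIPA group layout from the quoted configuration, as an added example that is not part of the original thread and is not Keystone's own code. The function names, the tenant "demo", the users "nova" and "alice" and the directory contents are constructed for illustration; only the two tree DNs come from the thread.

```python
# Added illustration, not Keystone code. All sample entries are constructed.
TENANT_TREE = "cn=groups,cn=accounts,dc=mydomain,dc=com"  # tenant_tree_dn in the thread
USER_TREE = "cn=users,cn=accounts,dc=mydomain,dc=com"     # user_tree_dn in the thread

def user_dn(uid):
    return f"uid={uid},{USER_TREE}"

def parent_dn(dn):
    # Naive split; adequate for these sample DNs, which have no escaped commas.
    return dn.split(",", 1)[1].lower() if "," in dn else ""

def tenants(directory):
    """Entries sitting directly under the tenant tree are read as tenants."""
    return sorted(a["cn"][0] for dn, a in directory.items()
                  if parent_dn(dn) == TENANT_TREE.lower())

def roles_for(directory, uid, tenant, member_attr="member"):
    """Roles = children of the tenant entry that list the user in member_attr."""
    tenant_dn = f"cn={tenant},{TENANT_TREE}".lower()
    # Assumption: the member value is either the user's DN or the bare user id.
    wanted = {user_dn(uid).lower(), uid.lower()}
    return sorted(a["cn"][0] for dn, a in directory.items()
                  if parent_dn(dn) == tenant_dn
                  and wanted & {m.lower() for m in a.get(member_attr, [])})

# Nested layout: role entries live under the tenant entry.
NESTED = {
    f"cn=demo,{TENANT_TREE}": {"cn": ["demo"], "member": [user_dn("nova")]},
    f"cn=admin,cn=demo,{TENANT_TREE}": {"cn": ["admin"], "member": [user_dn("nova")]},
    f"cn=Member,cn=demo,{TENANT_TREE}": {"cn": ["Member"], "member": [user_dn("alice")]},
}

# Flat layout: the "admin" group is a sibling of the tenant group.
FLAT = {
    f"cn=demo,{TENANT_TREE}": {"cn": ["demo"], "member": [user_dn("nova")]},
    f"cn=admin,{TENANT_TREE}": {"cn": ["admin"], "member": [user_dn("nova")]},
}

if __name__ == "__main__":
    for name, d in (("nested", NESTED), ("flat", FLAT)):
        print(name, "tenants:", tenants(d),
              "nova@demo roles:", roles_for(d, "nova", "demo"))
```

In this model the flat directory gives the service user no role in "demo", and because the role and tenant trees and object class are identical in the quoted configuration, the "admin" group is listed as a tenant.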
