[Openstack] FreeIPA LDAP + Keystone question: How to assign roles to user?

spring spring1201 at gmail.com
Wed Sep 26 00:49:53 UTC 2012


Hi Adam,
Can Keystone use MS AD Server as a back end now?

2012/9/25 Adam Young <ayoung at redhat.com>

>  On 09/24/2012 10:45 PM, 邱剑 wrote:
>
>
>  Thanks. Adam.
>
>  Is there any way to configure FreeIPA LDAP to have this structure?
>
>
> Yes there is.
>
> I originally wrote it up here:
>
> http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/
>
> and checked it recently to see if I could do LDAPS (yes I could):
>
> http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
>
>
>
>
>  Many thanks.
>
>  On Sep 24, 2012, at 11:10 PM, Adam Young wrote:
>
>  Role is grouped in the collection under the Tenant, with the userid in
> the members attribute for that role.
>
>
>
> On 09/24/2012 03:18 AM, 邱剑 wrote:
>
>
>  OpenStack services need a user account with the 'admin' role. But I could not
> figure out how FreeIPA propagates 'role' into Keystone.
>
>  That's why I'm asking the question in mailing list.
>
>
>   On Sep 24, 2012, at 11:30 AM, spring wrote:
>
> Thanks qiujian!
> By using this configuration, can we log in through dashboard? If I want to
> implement that, is there any other configuration I have to do?
>
> 2012/9/24 邱剑 <qiujian at meituan.com>
>
>> BTW, here is my configuration:
>>
>>  [ldap]
>> url = ldap://10.64.11.199
>> tree_dn = cn=accounts,dc=mydomain,dc=com
>> user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
>> user_objectclass = person
>> user_name_attribute = uid
>> user_id_attribute = uid
>> tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
>> tenant_objectclass = posixgroup
>> tenant_id_attribute = cn
>> tenant_name_attribute = cn
>> tenant_member_attribute = member
>> role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
>> role_objectclass = posixgroup
>> role_id_attribute = cn
>> role_name_attribute = cn
>> role_member_attribute = member
>>  user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
>> password = mysudopassword
>> suffix = cn=mydomain,cn=com
>>
>>
>>  [identity]
>> driver = keystone.identity.backends.ldap.Identity
>>
>>  It seems that Keystone LDAP requires role nodes to be the children of tenant
>> nodes. But FreeIPA has a flat structure.
>>
>>  --
>> 邱剑
>> Meituan Technology Department, Systems Operations Group - Systems Engineer
>> Mobile: 1381129925
>> Email: qiujian at meituan.com
>>
>>   On Sep 22, 2012, at 12:27 PM, 邱剑 wrote:
>>
>>    Hi,
>>
>> I was working on using the LDAP of FreeIPA as the backend of Keystone.
>>
>>  User and tenants information can be fetched from LDAP. However, I could
>> not figure out how to assign roles to users in specific tenants. I'm
>> wondering whether someone can help?
>>
>>  I noticed that Mr. Adam Young had posted a blog about this topic:
>>
>>  http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
>>
>>  However, it did not show how to import roles in LDAP. I'm wondering
>> whether there is any progress on this?
>>
>>  Many thanks.
>>
>>   keystone in use was the latest master branch on github on Sep 21, 2012.
>>
>>
>>  Jian Qiu
>>   _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack at lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>>
>>
>>
>
>
>  --
> Huang Shuquan (黄舒泉)
> Software Institute of Nanjing University Nanjing, P.R.China
> Mobile: 86 137 7086 4433
>
>
>
>
>


-- 
Huang Shuquan (黄舒泉)
Software Institute of Nanjing University Nanjing, P.R.China
Mobile: 86 137 7086 4433
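
The layout Adam Young describes in the quoted reply (a role entry under the tenant, with the user in that role's member attribute), rendered as an LDIF generator. This is an added example, not code from the thread or from Keystone. The DN layout `cn=<role>,cn=<tenant>,<tenant_tree_dn>` and the `groupOfNames` object class are assumptions, and `admin`, `demo` and `jdoe` are constructed sample names; the tree DNs and member attribute come from the quoted `[ldap]` section.

```python
import base64
import re

# Values taken from the [ldap] section quoted in the thread.
TENANT_TREE_DN = "cn=groups,cn=accounts,dc=mydomain,dc=com"
USER_TREE_DN = "cn=users,cn=accounts,dc=mydomain,dc=com"
ROLE_MEMBER_ATTRIBUTE = "member"
# Assumption: an object class that permits `member`; not stated in the thread.
ROLE_OBJECTCLASS = "groupOfNames"


def escape_rdn_value(value):
    """Escape a value for use inside a DN (RFC 4514) so it cannot add RDNs."""
    if not value:
        raise ValueError("empty RDN value")
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value).replace("\x00", "\\00")
    if out.endswith(" ") and len(value) > 1:
        out = out[:-1] + "\\ "
    if out[0] in " #":
        out = "\\" + out
    return out


def role_dn(role, tenant):
    # Assumed layout: the role entry is a child of the tenant entry.
    return "cn=%s,cn=%s,%s" % (
        escape_rdn_value(role), escape_rdn_value(tenant), TENANT_TREE_DN)


def user_dn(uid):
    return "uid=%s,%s" % (escape_rdn_value(uid), USER_TREE_DN)


def ldif_line(attr, value):
    """One LDIF line; base64 (RFC 2849) when the value is not a safe string."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def role_assignment_ldif(role, tenant, uids):
    """LDIF for one role entry under a tenant, listing the users holding it."""
    if not uids:
        raise ValueError("groupOfNames requires at least one member")
    lines = [ldif_line("dn", role_dn(role, tenant)),
             "objectClass: " + ROLE_OBJECTCLASS, ldif_line("cn", role)]
    lines += [ldif_line(ROLE_MEMBER_ATTRIBUTE, user_dn(u)) for u in uids]
    return "\n".join(lines) + "\n"
```

Calling `role_assignment_ldif("admin", "demo", ["jdoe"])` yields an entry suitable for review before loading it with an LDAP client.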