[Openstack] New schema for LDAP + Keystone Grizzly?

spzala at linux.vnet.ibm.com spzala at linux.vnet.ibm.com
Wed Apr 17 20:12:46 UTC 2013


Hi Marcelo,

There is an open bug for a similar problem. I have found a workaround:
you need to manually create an entry for the default domain in your
tree under the new dn (ou=Domains) you have created. Something like:

dn: cn=default,ou=Domains,dc=openstack,dc=org
objectClass: groupOfNames
description: some description
ou: Default
member: cn=dumb,dc=nonexistent
cn: default

Hopefully this will take care of the problem.

Thanks!

Regards,
Sahdev Zala
IBM SWG



Quoting Marcelo Mariano Miziara <marcelo.miziara at serpro.gov.br>:

> Hello to all!
>
> Before the release of version grizzly 3, the suggested schema in the
> openstack documentation
> (http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html)
> worked fine. This is the suggested schema:
>
> dn: cn=openstack,cn=org
> dc: openstack
> objectClass: dcObject
> objectClass: organizationalUnit
> ou: openstack
>
> dn: ou=Groups,cn=openstack,cn=org
> objectClass: top
> objectClass: organizationalUnit
> ou: groups
>
> dn: ou=Users,cn=openstack,cn=org
> objectClass: top
> objectClass: organizationalUnit
> ou: users
>
> dn: ou=Roles,cn=openstack,cn=org
> objectClass: top
> objectClass: organizationalUnit
> ou: roles
>
> But after the release of the version grizzly 3 I think that's not enough
> anymore, mainly because of the "domain" concept.
>
> I'm kind of lost trying to make LDAP work with keystone now... has anyone
> succeeded in this?
>
> I created a new dn, something like:
>
> dn: ou=Domains,cn=openstack,cn=org
> objectClass: top
> objectClass: organizationalUnit
> ou: Domains
>
> But when I run the "keystone-manage db_sync" the "default" domain isn't
> created in the LDAP... When I manually create the domain in there, I have
> a problem with authentication...
>
> I think I must be doing something wrong, does anyone have a light?
>
> Thanks in advance,
> Marcelo M. Miziara
> marcelo.miziara at serpro.gov.br
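
An offline check for the default-domain entry described in the reply above, as an added example (not code from this thread or from Keystone). The sample tree is constructed, and `domains_dn` and the function names are this example's own; `cn` and `member` are checked because they are the MUST attributes of groupOfNames in RFC 4519, which a placeholder member value satisfies.

```python
# Constructed sample tree: the Domains container plus a default-domain entry.
SAMPLE_LDIF = """\
dn: ou=Domains,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Domains

dn: cn=default,ou=Domains,dc=openstack,dc=org
objectClass: groupOfNames
description: some description
ou: Default
member: cn=dumb,dc=nonexistent
cn: default
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64, no folded lines) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs.pop("dn")[0].lower()] = attrs
    return entries

def check_default_domain(entries, domains_dn, domain_id="default"):
    """Return a list of problems with the default-domain entry (empty list = OK)."""
    tree = domains_dn.lower()          # hypothetical parameter: DN of the Domains container
    dn = "cn=%s,%s" % (domain_id, tree)
    problems = []
    if tree not in entries:
        problems.append("missing container " + tree)
    entry = entries.get(dn)
    if entry is None:
        return problems + ["missing entry " + dn]
    classes = [v.lower() for v in entry.get("objectclass", [])]
    if "groupofnames" not in classes:
        problems.append("objectClass groupOfNames not set")
    for required in ("cn", "member"):  # MUST attributes of groupOfNames (RFC 4519)
        if not entry.get(required):
            problems.append("missing required attribute " + required)
    return problems

if __name__ == "__main__":
    print(check_default_domain(parse_ldif(SAMPLE_LDIF), "ou=Domains,dc=openstack,dc=org"))
```

Passing a container DN whose suffix differs from the one used in the file reports both the container and the entry as missing, which catches a domain entry created under the wrong base.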





