[Openstack] Keystone w/ LDAP identity

Michael Hearn mrhearn at gmail.com
Fri May 2 13:00:58 UTC 2014


Jasper,
Are you alluding to the hybrid drivers as discussed and available via
http://www.mattfischer.com/blog/?tag=openstack-2

~Mike.

On Thu, May 1, 2014 at 11:17 PM, Lillie Ross-CDSR11 <
Ross.Lillie at motorolasolutions.com> wrote:

>  I’ve been playing with using LDAP authentication (identity) and SQL
> authorization (assignment) within Keystone in the current devstack release
> running in a single VM.
>
>  The problem with this setup, as I understand it, is the need to have
> LDAP entries for each service user (i.e. nova, glance, etc.).  In our
> environment, this isn’t possible as our corporate LDAP directory is solely
> for employee records.  While I could work around this issue by running each
> service under a known LDAP employee record - this seems rather a kludge to
> me.
>
>  My question is, and admittedly I’m not well versed in directory
> federation, is this an issue that could be resolved once directory
> federation is stable in the next OpenStack release? Where, for instance,
> all of the OpenStack service accounts could remain in a separate directory
> service controlled solely by the cloud owner/admin, while users could then
> be authenticated via the corporate employee LDAP database?
>
>  We’d love to use LDAP to authenticate cloud users, but the need to
> also authenticate OpenStack services against the same LDAP backend makes
> the use of LDAP unviable in our environment.
>
>  This has probably been discussed previously, but any insight would be
> helpful.
>
>  Thanks and regards,
> Ross
> --
>  Ross Lillie
> Distinguished Member of Technical Staff
> Motorola Solutions, Inc.
>
>  motorolasolutions.com
>  O: +1.847.576.0012
> M: +1.847.980.2241
>  E: ross.lillie at motorolasolutions.com