[Openstack] Keystone w/ LDAP identity
Michael Gale
gale.michael at gmail.com
Mon May 5 03:03:23 UTC 2014
Hello,
We had similar requests with wanting AD integration for authentication
but not for authorization.
We ended up with our own driver:
https://bitbucket.org/mgale/openstack-havana/overview
Installation instructions are available here:
https://bitbucket.org/mgale/openstack-havana/src/78f825a63de664bc786923c76ffedda220e7cd80/installing.txt?at=master
We also created a small utility to create users based on OU's in Keystone
and assign them to specific tenants:
https://bitbucket.org/mgale/openstack-havana/src/ under the utils dir.
Michael
On Fri, May 2, 2014 at 7:52 AM, Jasper Capel <Jasper.Capel at spilgames.com>wrote:
> No, we didn’t do anything with custom drivers. We implemented the pipeline
> solution referred to in this document:
>
> http://docs.openstack.org/developer/keystone/external-auth.html
>
> Jasper
>
> On 02 May 2014, at 15:00, Michael Hearn <mrhearn at gmail.com> wrote:
>
> > Jasper
> > Are you alluding to the hybrid drivers as discussed & avail via
> http://www.mattfischer.com/blog/?tag=openstack-2
> >
> > ~Mike.
> >
> > On Thu, May 1, 2014 at 11:17 PM, Lillie Ross-CDSR11 <
> Ross.Lillie at motorolasolutions.com> wrote:
> > I’ve been playing with using LDAP authentication (identity) and SQL
> authorization (assignment) within Keystone in the current devstack release
> running in a single VM.
> >
> > The problem with this setup, as I understand it, is the need to have
> LDAP entries for each service user (i.e. nova, glance, etc.). In our
> environment, this isn’t possible as our corporate LDAP directory is solely
> for employee records. While I could work around this issue by running each
> service under a known LDAP employee record - this seems rather a kludge to
> me.
> >
> > My question is, and admittedly I’m not well versed in directory
> federation, is this an issue that could be resolved once directory
> federation is stable in the next Openstack release? Where, for instance,
> all of the openstack service accounts could remain in a separate directory
> service controlled solely by the cloud owner/admin, while user’s could then
> be authenticated via the corporate employee LDAP database?
> >
> > We’d love to use LDAP to authenticate cloud user’s, but with the need to
> also authenticate openstack services against the same LDAP backend makes
> the use of LDAP unviable in our environment.
> >
> > This has probably been discussed previously, but any insight would be
> helpful.
> >
> > Thanks and regards,
> > Ross
> > --
> > Ross Lillie
> > Distinguished Member of Technical Staff
> > Motorola Solutions, Inc.
> >
> > motorolasolutions.com
> > O: +1.847.576.0012
> > M: +1.847.980.2241
> > E: ross.lillie at motorolasolutions.com
> >
> >
> > <MSI-Email-Identity-sm.png>
> >
> >
> > _______________________________________________
> > Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to : openstack at lists.openstack.org
> > Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >
> >
> > _______________________________________________
> > Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to : openstack at lists.openstack.org
> > Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
--
“We, the unwilling, led by the unknowing, are doing the impossible for the
ungrateful. We have done so much, for so long, with so little, we are now
qualified to do anything with nothing.”
― Konstantin Josef
Jireček<https://www.goodreads.com/author/show/4666841.Konstantin_Josef_Jire_ek>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140504/f1ff64d9/attachment.html>
More information about the Openstack
mailing list