Our Active Directory is indeed read only.

What I am trying to do is use existing AD security groups which are used to define the different groups in our organisation to assign users to projects. The projects would be created against the sql domain.

I know that I could do this on a user by user basis but that would increase the administrative overhead.

When you say that assignments are deprecated, I assume that you mean assignments and projects both being against the LDAP domain?

Thanks

Alexander

From: Adam Young [mailto:ayoung at redhat.com]
Sent: 01 March 2016 19:51
To: openstack at lists.openstack.org
Subject: Re: [Openstack] Keystone With Active Directory

On 02/29/2016 10:07 AM, alexander.dibbo at stfc.ac.uk wrote:

> Hi all,
>
> I am in the process of setting up a Liberty deployment, with multi-domain keystone connected to Active Directory. I am just wondering if anybody is using Security Groups in Active Directory to map roles to projects? If so, how are you doing this?
>
> Regards
>
> Alexander Dibbo

Keystone support for Assignment from LDAP is deprecated. AD tends to be read only from an Openstack deployment. Do you have writable AD available?