openstack team mailing list archive

Thread
Date

Re: [OpenStack][Keystone][LDAP] Does LDAP driver support for validating subtree user?

To: Adam Young <ayoung@xxxxxxxxxx>, Hugo Kuo <hugo.kuo@xxxxxxxxxxxx>
From: Kuo Hugo <tonytkdk@xxxxxxxxx>
Date: Wed, 23 May 2012 08:32:17 +0800
Cc: openstack@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4FBB97F7.2070807@redhat.com>

Thanks for your quick reply .

I'll review the necessary of subtree query .

It's really depends on user's demand. I did some more research of AD or
LDAP structure design.

I found that if an enterprise has an existing AD server and the structure
as follow

dc=foo,dc=com
   |__OU-HR
   |         |_cn:hr-user1
   |         |_cn:hr-user2
   |         |_cn:hr-user3
   |
   |__OU-IT
             |_cn:it-user1
             |_cn:it-user2
             |_cn:it-user3

For such LDAP structure , only HR or IT users cound be validated .

Is there any exist approach within LDAP to  import users from an OU to
another OU like below's diagram


dc=foo,dc=com
   |__OU-HR
   |         |_cn:hr-user1
   |         |_cn:hr-user2
   |         |_cn:hr-user3
   |
   |__OU-IT
   |         |_cn:it-user1
   |         |_cn:it-user2
   |         |_cn:it-user3
   |
   |
   |__OU-Keystone-Users
                    |_cn:it-user1
                    |_cn:hr-user1

If so , I can specify user_tree_dn to ou=OU-Keystone-Users .
any suggestions ?

Cheers


2012/5/22 Adam Young <ayoung@xxxxxxxxxx>

>  On 05/22/2012 07:07 AM, Kuo Hugo wrote:
>
> Hi Folks ,
>
>  I have try with keystone backend by LDAP and Windows AD.
>
>  It looks fine . Just want to clarify one point.
>
>  For my test result , LDAP driver could only validate users in the
> particular container (OU,CN etc.)  and does not include the subtree users.
>
>  [ldap]
>  tree_dn = dc=taiwan,dc=com
> user_tree_dn = ou=foo,dc=taiwan,dc=com
>
>
>  For example ....
>                 User1 :  cn=jeremy,ou=foo,dc=taiwan,dc=com
>
>                  User2 :  cn=jordan,ou=bar,ou=foo,dc=taiwan,dc=com
>
> User1 could be validated , and get the token generated by keystone.
> User2 could not be validated
>
>
>  Is there any way to validate both User1 and User2  in current design ?
>
>
> No, there is not.  Queries are not done against subtrees.
>
> If this is important to you,  please file a ticket:
> https://bugs.launchpad.net/keystone/+filebug
>
>
>
>
>
>  --
> +Hugo Kuo+
> tonytkdk@xxxxxxxxx
>  + <tonytkdk@xxxxxxxxx>886 935004793
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
+Hugo Kuo+
tonytkdk@xxxxxxxxx
+ <tonytkdk@xxxxxxxxx>886 935004793

Follow ups

Re: [OpenStack][Keystone][LDAP] Does LDAP driver support for validating subtree user?
From: Adam Young, 2012-05-23

References

[OpenStack][Keystone][LDAP] Does LDAP driver support for validating subtree user?
From: Kuo Hugo, 2012-05-22
Re: [OpenStack][Keystone][LDAP] Does LDAP driver support for validating subtree user?
From: Adam Young, 2012-05-22