← Back to team overview

openstack team mailing list archive

Re: FreeIPA LDAP + Keystone question: How to assign roles to user?

 

BTW, here is my configuration:

[ldap]
url = ldap://10.64.11.199
tree_dn = cn=accounts,dc=mydomain,dc=com
user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
user_objectclass = person
user_name_attribute = uid
user_id_attribute = uid
tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
tenant_objectclass = posixgroup
tenant_id_attribute = cn
tenant_name_attribute = cn
tenant_member_attribute = member
role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
role_objectclass = posixgroup
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = member
user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
password = mysudopassword
suffix = cn=mydomain,cn=com


[identity]
driver = keystone.identity.backends.ldap.Identity

It seems that keystone LDAP requires role nodes the children of tenant nodes. But FreeIPA has a flat structure.

--
邱剑
美团网技术部系统运维组 - 系统工程师
手机:1381129925
邮件:qiujian@xxxxxxxxxxx

On Sep 22, 2012, at 12:27 PM, 邱剑 wrote:

> Hi, 
> 
> I was working on using LDAP of FreeIP as backend of Keystone.
> 
> User and tenants information can be fetched from LDAP. However, I could not figure out how to assign roles to users in specific tenants. I'm wondering whether someone can help?
> 
> I noticed that Mr. Adam Young had post a blog about this topic:
> 
> http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
> 
> However, it did not show how to import roles in LDAP. I'm wondering whether there is any progress about this?
> 
> Many thanks.
> 
> keystone in use was the latest master branch on github on Sep 21, 2012.
> 
> 
> Jian Qiu
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp


Follow ups

References