
openstack team mailing list archive

Re: FreeIPA LDAP + Keystone question: How to assign roles to user?

 

OpenStack services need a user account with the 'admin' role. But I could not figure out how FreeIPA propagates 'role' into Keystone.

That's why I'm asking the question in mailing list.


On Sep 24, 2012, at 11:30 AM, spring wrote:

> Thanks qiujian!
> By using this configuration, can we log in through dashboard? If I want to implement that, is there any other configuration I have to do?
> 
> 2012/9/24 邱剑 <qiujian@xxxxxxxxxxx>
> BTW, here is my configuration:
> 
> [ldap]
> url = ldap://10.64.11.199
> tree_dn = cn=accounts,dc=mydomain,dc=com
> user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
> user_objectclass = person
> user_name_attribute = uid
> user_id_attribute = uid
> tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
> tenant_objectclass = posixgroup
> tenant_id_attribute = cn
> tenant_name_attribute = cn
> tenant_member_attribute = member
> role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
> role_objectclass = posixgroup
> role_id_attribute = cn
> role_name_attribute = cn
> role_member_attribute = member
> user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
> password = mysudopassword
> suffix = cn=mydomain,cn=com
> 
> 
> [identity]
> driver = keystone.identity.backends.ldap.Identity
> 
> It seems that keystone LDAP requires role nodes to be the children of tenant nodes. But FreeIPA has a flat structure.
> 
> --
> 邱剑
> Meituan Technology Department, System Operations Group - System Engineer
> Mobile: 1381129925
> Email: qiujian@xxxxxxxxxxx
> 
> On Sep 22, 2012, at 12:27 PM, 邱剑 wrote:
> 
>> Hi, 
>> 
>> I was working on using the LDAP of FreeIPA as a backend for Keystone.
>> 
>> User and tenants information can be fetched from LDAP. However, I could not figure out how to assign roles to users in specific tenants. I'm wondering whether someone can help?
>> 
>> I noticed that Mr. Adam Young had posted a blog about this topic:
>> 
>> http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
>> 
>> However, it did not show how to import roles in LDAP. I'm wondering whether there is any progress about this?
>> 
>> Many thanks.
>> 
>> The keystone in use was the latest master branch on GitHub as of Sep 21, 2012.
>> 
>> 
>> Jian Qiu
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
> 
> 
> 
> 
> 
> 
> -- 
> Huang Shuquan (黄舒泉)
> Software Institute of Nanjing University Nanjing, P.R.China
> Mobile: 86 137 7086 4433
> 
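As an added example (not from any of the posters and not Keystone's own code), a small Python lint for the [ldap] section quoted above: it flags the two mapping collisions the thread turns on (role_tree_dn identical to tenant_tree_dn, so every posixgroup is read as both a tenant and a role, and a suffix that is not a parent of tree_dn) plus the cleartext ldap:// transport and the plaintext bind password. The sample config is a constructed copy of the posted values with the password replaced by a placeholder.

```python
"""Lint a Keystone [ldap] section for mapping collisions and weak transport settings."""
import configparser
from urllib.parse import urlparse

# Constructed from the configuration posted in the thread; the bind password
# is a placeholder, not the real value.
SAMPLE_CONF = """
[ldap]
url = ldap://10.64.11.199
tree_dn = cn=accounts,dc=mydomain,dc=com
user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
user_objectclass = person
tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
tenant_objectclass = posixgroup
role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
role_objectclass = posixgroup
user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
password = REPLACE_ME
suffix = cn=mydomain,cn=com
"""


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN components so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(",") if part.strip())


def lint_ldap_section(text):
    """Return a list of human-readable findings for the [ldap] section of a Keystone config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    ldap = cp["ldap"]
    findings = []
    scheme = urlparse(ldap.get("url", "")).scheme
    if scheme != "ldaps":
        findings.append("url scheme is %r, not ldaps: bind and queries are cleartext unless StartTLS is configured" % scheme)
    if ldap.get("password"):
        findings.append("password: service bind credential is stored in plaintext in the config file")
    tenant = normalize_dn(ldap.get("tenant_tree_dn", ""))
    role = normalize_dn(ldap.get("role_tree_dn", ""))
    if tenant and tenant == role:
        findings.append("role_tree_dn equals tenant_tree_dn: every group entry is read as both a tenant and a role")
    suffix = normalize_dn(ldap.get("suffix", ""))
    tree = normalize_dn(ldap.get("tree_dn", ""))
    if suffix and tree and not tree.endswith(suffix):
        findings.append("suffix %r is not a parent of tree_dn %r" % (suffix, tree))
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_section(SAMPLE_CONF):
        print("-", finding)
```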

