openstack team mailing list archive

[Adam Young <ayoung@xxxxxxxxxx>]

On 09/24/2012 10:45 PM, 邱剑 wrote:
> Thanks. Adam.
>
> Is there any way to configure FreeIPA LDAP to have this structure?

Yes there is.

I originally wrote it up here:

http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/

and checked it recently to see if I could do LDAPS (yes I could):

http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/


> Many thanks.
>
> On Sep 24, 2012, at 11:10 PM, Adam Young wrote:
>
> > Role is grouped in the collection under the Tenant, with the userid 
> > in the members attribute for that role.
> >
> >
> >
> > On 09/24/2012 03:18 AM, 邱剑 wrote:
> > > Openstack services need user account with 'admin' role. But I could 
> > > not figure out how FreeIPA propagate 'role' into Keystone.
> > >
> > > That's why I'm asking the question in mailing list.
> > >
> > >
> > > On Sep 24, 2012, at 11:30 AM, spring wrote:
> > >
> > > > Thanks qiujian!
> > > > By using this configuration, can we log in through dashboard? If I 
> > > > want to implement that, is there any other configuration I have to do?
> > > >
> > > > 2012/9/24 邱剑 <qiujian@xxxxxxxxxxx <mailto:qiujian@xxxxxxxxxxx>>
> > > >
> > > >     BTW, here is my configuration:
> > > >
> > > >     [ldap]
> > > >     url = ldap://10.64.11.199
> > > >     tree_dn = cn=accounts,dc=mydomain,dc=com
> > > >     user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
> > > >     user_objectclass = person
> > > >     user_name_attribute = uid
> > > >     user_id_attribute = uid
> > > >     tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
> > > >     tenant_objectclass = posixgroup
> > > >     tenant_id_attribute = cn
> > > >     tenant_name_attribute = cn
> > > >     tenant_member_attribute = member
> > > >     role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
> > > >     role_objectclass = posixgroup
> > > >     role_id_attribute = cn
> > > >     role_name_attribute = cn
> > > >     role_member_attribute = member
> > > >     user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
> > > >     password = mysudopassword
> > > >     suffix = cn=mydomain,cn=com
> > > >
> > > >
> > > >     [identity]
> > > >     driver = keystone.identity.backends.ldap.Identity
> > > >
> > > >     It seems that keystone LDAP requires role nodes the children of
> > > >     tenant nodes. But FreeIPA has a flat structure.
> > > >
> > > >     --
> > > >     邱剑
> > > >     美团网技术部系统运维组 - 系统工程师
> > > >     手机：1381129925
> > > >     邮件：qiujian@xxxxxxxxxxx <mailto:qiujian@xxxxxxxxxxx>
> > > >
> > > >     On Sep 22, 2012, at 12:27 PM, 邱剑 wrote:
> > > >
> > > > >     Hi,
> > > > >
> > > > >     I was working on using LDAP of FreeIP as backend of Keystone.
> > > > >
> > > > >     User and tenants information can be fetched from LDAP.
> > > > >     However, I could not figure out how to assign roles to users
> > > > >     in specific tenants. I'm wondering whether someone can help?
> > > > >
> > > > >     I noticed that Mr. Adam Young had post a blog about this topic:
> > > > >
> > > > >     http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
> > > > >
> > > > >     However, it did not show how to import roles in LDAP. I'm
> > > > >     wondering whether there is any progress about this?
> > > > >
> > > > >     Many thanks.
> > > > >
> > > > >     keystone in use was the latest master branch on github on Sep
> > > > >     21, 2012.
> > > > >
> > > > >
> > > > >     Jian Qiu
> > > > >     _______________________________________________
> > > > >     Mailing list: https://launchpad.net/~openstack
> > > > >     <https://launchpad.net/%7Eopenstack>
> > > > >     Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> > > > >     <mailto:openstack@xxxxxxxxxxxxxxxxxxx>
> > > > >     Unsubscribe : https://launchpad.net/~openstack
> > > > >     <https://launchpad.net/%7Eopenstack>
> > > > >     More help   : https://help.launchpad.net/ListHelp
> > > >
> > > >
> > > >     _______________________________________________
> > > >     Mailing list: https://launchpad.net/~openstack
> > > >     <https://launchpad.net/%7Eopenstack>
> > > >     Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> > > >     <mailto:openstack@xxxxxxxxxxxxxxxxxxx>
> > > >     Unsubscribe : https://launchpad.net/~openstack
> > > >     <https://launchpad.net/%7Eopenstack>
> > > >     More help   : https://help.launchpad.net/ListHelp
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Huang Shuquan （黄舒泉）
> > > > Software Institute of Nanjing University Nanjing, P.R.China
> > > > Mobile: 86 137 7086 4433
> > >
> > >
> > >
> > > _______________________________________________
> > > Mailing list:https://launchpad.net/~openstack
> > > Post to     :openstack@xxxxxxxxxxxxxxxxxxx
> > > Unsubscribe :https://launchpad.net/~openstack
> > > More help   :https://help.launchpad.net/ListHelp
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack 
> > <https://launchpad.net/%7Eopenstack>
> > Post to     : openstack@xxxxxxxxxxxxxxxxxxx 
> > <mailto:openstack@xxxxxxxxxxxxxxxxxxx>
> > Unsubscribe : https://launchpad.net/~openstack 
> > <https://launchpad.net/%7Eopenstack>
> > More help   : https://help.launchpad.net/ListHelp