openstack team mailing list archive

Thread
Date

Re: FreeIPA LDAP + Keystone question: How to assign roles to user?

To: Adam Young <ayoung@xxxxxxxxxx>
From: 邱剑 <qiujian@xxxxxxxxxxx>
Date: Wed, 26 Sep 2012 09:48:53 +0800
Cc: openstack@xxxxxxxxxxxxxxxxxxx
In-reply-to: <5061C754.70801@redhat.com>

Thanks. Adam.

I saw in your blog "Keystone Roles are not yet implemented."

In order to make OpenStack work, it seems I have to assign "admin" role to some users


On Sep 25, 2012, at 11:01 PM, Adam Young wrote:

> On 09/24/2012 10:45 PM, 邱剑 wrote:
>> 
>> Thanks. Adam.
>> 
>> Is there any way to configure FreeIPA LDAP to have this structure?
> 
> Yes there is.
> 
> I originally wrote it up here:
> 
> http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/
> 
> and checked it recently to see if I could do LDAPS (yes I could):
> 
> http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
> 
> 
>> 
>> Many thanks.
>> 
>> On Sep 24, 2012, at 11:10 PM, Adam Young wrote:
>> 
>>> Role is grouped in the collection under the Tenant, with the userid in the members attribute for that role.
>>> 
>>> 
>>> 
>>> On 09/24/2012 03:18 AM, 邱剑 wrote:
>>>> 
>>>> Openstack services need user account with 'admin' role. But I could not figure out how FreeIPA propagate 'role' into Keystone.
>>>> 
>>>> That's why I'm asking the question in mailing list.
>>>> 
>>>> 
>>>> On Sep 24, 2012, at 11:30 AM, spring wrote:
>>>> 
>>>>> Thanks qiujian!
>>>>> By using this configuration, can we log in through dashboard? If I want to implement that, is there any other configuration I have to do?
>>>>> 
>>>>> 2012/9/24 邱剑 <qiujian@xxxxxxxxxxx>
>>>>> BTW, here is my configuration:
>>>>> 
>>>>> [ldap]
>>>>> url = ldap://10.64.11.199
>>>>> tree_dn = cn=accounts,dc=mydomain,dc=com
>>>>> user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
>>>>> user_objectclass = person
>>>>> user_name_attribute = uid
>>>>> user_id_attribute = uid
>>>>> tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
>>>>> tenant_objectclass = posixgroup
>>>>> tenant_id_attribute = cn
>>>>> tenant_name_attribute = cn
>>>>> tenant_member_attribute = member
>>>>> role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
>>>>> role_objectclass = posixgroup
>>>>> role_id_attribute = cn
>>>>> role_name_attribute = cn
>>>>> role_member_attribute = member
>>>>> user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
>>>>> password = mysudopassword
>>>>> suffix = cn=mydomain,cn=com
>>>>> 
>>>>> 
>>>>> [identity]
>>>>> driver = keystone.identity.backends.ldap.Identity
>>>>> 
>>>>> It seems that keystone LDAP requires role nodes the children of tenant nodes. But FreeIPA has a flat structure.
>>>>> 
>>>>> --
>>>>> 邱剑
>>>>> 美团网技术部系统运维组 - 系统工程师
>>>>> 手机：1381129925
>>>>> 邮件：qiujian@xxxxxxxxxxx
>>>>> 
>>>>> On Sep 22, 2012, at 12:27 PM, 邱剑 wrote:
>>>>> 
>>>>>> Hi, 
>>>>>> 
>>>>>> I was working on using LDAP of FreeIP as backend of Keystone.
>>>>>> 
>>>>>> User and tenants information can be fetched from LDAP. However, I could not figure out how to assign roles to users in specific tenants. I'm wondering whether someone can help?
>>>>>> 
>>>>>> I noticed that Mr. Adam Young had post a blog about this topic:
>>>>>> 
>>>>>> http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
>>>>>> 
>>>>>> However, it did not show how to import roles in LDAP. I'm wondering whether there is any progress about this?
>>>>>> 
>>>>>> Many thanks.
>>>>>> 
>>>>>> keystone in use was the latest master branch on github on Sep 21, 2012.
>>>>>> 
>>>>>> 
>>>>>> Jian Qiu
>>>>>> _______________________________________________
>>>>>> Mailing list: https://launchpad.net/~openstack
>>>>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>>>>> Unsubscribe : https://launchpad.net/~openstack
>>>>>> More help   : https://help.launchpad.net/ListHelp
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> Mailing list: https://launchpad.net/~openstack
>>>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>>>> Unsubscribe : https://launchpad.net/~openstack
>>>>> More help   : https://help.launchpad.net/ListHelp
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Huang Shuquan （黄舒泉）
>>>>> Software Institute of Nanjing University Nanjing, P.R.China
>>>>> Mobile: 86 137 7086 4433
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~openstack
>>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~openstack
>>>> More help   : https://help.launchpad.net/ListHelp
>>> 
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help   : https://help.launchpad.net/ListHelp
>> 
>

References

FreeIPA LDAP + Keystone question: How to assign roles to user?
From: 邱剑, 2012-09-22
Re: FreeIPA LDAP + Keystone question: How to assign roles to user?
From: 邱剑, 2012-09-24
Re: FreeIPA LDAP + Keystone question: How to assign roles to user?
From: spring, 2012-09-24
Re: FreeIPA LDAP + Keystone question: How to assign roles to user?
From: 邱剑, 2012-09-24
Re: FreeIPA LDAP + Keystone question: How to assign roles to user?
From: Adam Young, 2012-09-24
Re: FreeIPA LDAP + Keystone question: How to assign roles to user?
From: 邱剑, 2012-09-25
Re: FreeIPA LDAP + Keystone question: How to assign roles to user?
From: Adam Young, 2012-09-25