openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #22556
Re: New schema for LDAP + Keystone Grizzly?
Hi Marcelo,
In the latest version of devstack there is an option that will install and
configure LDAP and show it working with domains configured to map to a
businessCategory attribute. This mapping approach was a stopgap measure
and was not ideal. At the summit we will be discussing what should be the
best approach to map domains to LDAP directories. But for now to see
things working please use devstack and try the options below:
>From http://devstack.org/stack.sh.html:
Keystone
Keystone can now optionally install OpenLDAP by adding ldap to the list of
enabled services in the localrc file (e.g. ENABLED_SERVICES=key,ldap). If
OpenLDAP has already been installed but you need to clear out the Keystone
contents of LDAP set KEYSTONE_CLEAR_LDAP to yes (e.g.
KEYSTONE_CLEAR_LDAP=yes ) in the localrc file. To enable the Keystone
Identity Driver (keystone.identity.backends.ldap.Identity) set
KEYSTONE_IDENTITY_BACKEND to ldap (e.g. KEYSTONE_IDENTITY_BACKEND=ldap) in
the localrc file.
Thanks,
Brad
Brad Topol, Ph.D.
IBM Distinguished Engineer
OpenStack
(919) 543-0646
Internet: btopol@xxxxxxxxxx
Assistant: Cindy Willman (919) 268-5296
From: Marcelo Mariano Miziara <marcelo.miziara@xxxxxxxxxxxxx>
To: openstack@xxxxxxxxxxxxxxxxxxx
Date: 04/04/2013 09:07 AM
Subject: [Openstack] New schema for LDAP + Keystone Grizzly?
Sent by: openstack-bounces+btopol=us.ibm.com@xxxxxxxxxxxxxxxxxxx
Hello to all!
Before the release of version grizzly 3, the suggested schema in the
openstack documentation (
http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html
) worked fine. This is the suggested schema:
dn: cn=openstack,cn=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack
dn: ou=Groups,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: groups
dn: ou=Users,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: users
dn: ou=Roles,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: roles
But after the release of the version grizzly 3 I think that's not enough
anymore, mainly because of the "domain" concept.
I'm kind of lost trying to make LDAP work with keystone now...does anyone
succeed in this?
I created a new dn, something like:
dn: ou=Domains,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: Domains
But when I run the "keystone-manage db_sync" the "default" domain isn't
created in the LDAP...When I manually create the domain in there, I have a
problem with authentication...
I think I must be doing something wrong, does anyone have a light?
Thanks in advance,
Marcelo M. Miziara
marcelo.miziara@xxxxxxxxxxxxx
-
"Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO),
empresa pública federal regida pelo disposto na Lei Federal nº 5.615, é
enviada exclusivamente a seu destinatário e pode conter informações
confidenciais, protegidas por sigilo profissional. Sua utilização
desautorizada é ilegal e sujeita o infrator às penas da lei. Se você a
recebeu indevidamente, queira, por gentileza, reenviá-la ao emitente,
esclarecendo o equívoco."
"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a
government company established under Brazilian law (5.615/70) -- is
directed exclusively to its addressee and may contain confidential data,
protected under professional secrecy rules. Its unauthorized use is
illegal and may subject the transgressor to the law's penalties. If you're
not the addressee, please send it back, elucidating the failure."
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
References