
openstack team mailing list archive

Re: New schema for LDAP + Keystone Grizzly?


Hi Marcelo,

In the latest version of devstack there is an option that will install and 
configure LDAP and show it working with domains configured to map to a 
businessCategory attribute.   This mapping approach was a stopgap measure 
and was not ideal.  At the summit we will be discussing what should be the 
best approach to map domains to LDAP directories.   But for now to see 
things working please use devstack and try the options below:

From http://devstack.org/stack.sh.html:

Keystone

Keystone can now optionally install OpenLDAP by adding ldap to the list of 
enabled services in the localrc file (e.g. ENABLED_SERVICES=key,ldap). If 
OpenLDAP has already been installed but you need to clear out the Keystone 
contents of LDAP set KEYSTONE_CLEAR_LDAP to yes (e.g. 
KEYSTONE_CLEAR_LDAP=yes ) in the localrc file. To enable the Keystone 
Identity Driver (keystone.identity.backends.ldap.Identity) set 
KEYSTONE_IDENTITY_BACKEND to ldap (e.g. KEYSTONE_IDENTITY_BACKEND=ldap) in 
the localrc file.

Thanks,

Brad

Brad Topol, Ph.D.
IBM Distinguished Engineer
OpenStack
(919) 543-0646
Internet:  btopol@xxxxxxxxxx
Assistant: Cindy Willman (919) 268-5296



From:   Marcelo Mariano Miziara <marcelo.miziara@xxxxxxxxxxxxx>
To:     openstack@xxxxxxxxxxxxxxxxxxx
Date:   04/04/2013 09:07 AM
Subject:        [Openstack] New schema for LDAP + Keystone Grizzly?
Sent by:        openstack-bounces+btopol=us.ibm.com@xxxxxxxxxxxxxxxxxxx

Hello to all!

Before the release of version grizzly 3, the suggested schema in the 
openstack documentation (
http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html
) worked fine. This is the suggested schema:

dn: cn=openstack,cn=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack

dn: ou=Groups,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: roles

But after the release of the version grizzly 3 I think that's not enough 
anymore, mainly because of the "domain" concept.

I'm kind of lost trying to make LDAP work with keystone now...has anyone 
succeeded in this?

I created a new dn, something like:

dn: ou=Domains,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: Domains

But when I run the "keystone-manage db_sync" the "default" domain isn't 
created in the LDAP...When I manually create the domain in there, I have a 
problem with authentication...

I think I must be doing something wrong, does anyone have a light?

Thanks in advance,
Marcelo M. Miziara 
marcelo.miziara@xxxxxxxxxxxxx 


"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a 
government company established under Brazilian law (5.615/70) -- is 
directed exclusively to its addressee and may contain confidential data, 
protected under professional secrecy rules. Its unauthorized use is 
illegal and may subject the transgressor to the law's penalties. If you're 
not the addressee, please send it back, elucidating the failure."
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
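One way to check an LDAP tree before pointing Keystone at it is to parse an LDIF export and confirm that every container the backend expects is present. The following is an added example, not code from the thread or from Keystone; the sample LDIF is the schema Marcelo quoted, and treating an `ou=Domains` container as required for Grizzly is an assumption made here.

```python
# Added example, not from the thread: parse a minimal LDIF dump and report
# which containers are absent. Requiring ou=Domains is an assumption.
REQUIRED_OUS = ("Users", "Groups", "Roles", "Domains")
BASE_DN = "cn=openstack,cn=org"

SAMPLE_LDIF = """\
dn: cn=openstack,cn=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack

dn: ou=Groups,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: roles
"""

def parse_ldif(text):
    # Simple LDIF only (no base64 values, no folded lines) -> {dn: {attr: [values]}}
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():  # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})  # DNs compared case-insensitively
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def missing_containers(entries, base_dn=BASE_DN, required=REQUIRED_OUS):
    # Return the required OU names that are absent or not an organizationalUnit
    missing = []
    for name in required:
        classes = entries.get(f"ou={name},{base_dn}".lower(), {}).get("objectclass", [])
        if "organizationalunit" not in {c.lower() for c in classes}:
            missing.append(name)
    return missing
```

Run against the schema from the thread it reports only `Domains`; adding the `ou=Domains` entry Marcelo describes makes the list empty.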