
openstack team mailing list archive

Re: New schema for LDAP + Keystone Grizzly?

 

Hi Marcelo,

There is an open bug for a similar problem. I have found a workaround:
you need to create an entry manually for the default domain in your
tree under the new dn (ou=Domains) you have created. Something like,
dn: cn=default,ou=Domains,dc=openstack,dc=org
objectClass: groupOfNames
description: some description
ou: Default
member: cn=dumb,dc=nonexistent
cn: default

Hopefully this will take care of the problem.

Thanks!

Regards,
Sahdev Zala
IBM SWG
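To make the workaround above concrete, here is an added example (my own code, not Sahdev's or the Keystone project's) that generates the LDIF for the ou=Domains container plus the manual "default" domain entry and sanity-checks each entry against the MUST attributes of its object classes before you feed it to ldapadd. The base DN, the description text and the placeholder member DN are constructed values; the point it demonstrates is that groupOfNames requires at least one member value, which is why the entry needs a dummy member that does not have to exist.

```python
"""Build and sanity-check the LDIF for the Domains subtree and the manual
'default' domain entry.  Added example, not code from the original thread.
BASE_DN and the description are constructed values; substitute your own."""

# Minimal MUST-attribute table, taken from the RFC 4519 / RFC 4512 schema
# definitions of the object classes used in the thread.
MUST_ATTRS = {
    "organizationalUnit": {"ou"},
    "groupOfNames": {"cn", "member"},   # a group must have >= 1 member
    "dcObject": {"dc"},
    "top": set(),
}

BASE_DN = "dc=openstack,dc=org"  # constructed: use your own suffix


def domain_ldif(base_dn=BASE_DN, domain="default"):
    """Return LDIF text for the ou=Domains container plus one domain entry.

    The workaround models the domain as a groupOfNames entry, and that class
    MUST carry a 'member' value, so a placeholder DN is included; the DN it
    names does not need to exist in the directory."""
    return (
        f"dn: ou=Domains,{base_dn}\n"
        "objectClass: top\n"
        "objectClass: organizationalUnit\n"
        "ou: Domains\n"
        "\n"
        f"dn: cn={domain},ou=Domains,{base_dn}\n"
        "objectClass: groupOfNames\n"
        "description: constructed description\n"
        f"ou: {domain.capitalize()}\n"
        "member: cn=dumb,dc=nonexistent\n"   # placeholder, as in the thread
        f"cn: {domain}\n"
    )


def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no line folding) into a list of
    {attribute: [values]} dicts, one dict per entry."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                 # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):     # LDIF comment
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def schema_problems(entry):
    """List problems for one entry: missing dn, unknown objectClass, or a
    MUST attribute that is absent for one of its object classes."""
    problems = []
    if "dn" not in entry:
        problems.append("entry has no dn")
    for oc in entry.get("objectClass", []):
        if oc not in MUST_ATTRS:
            problems.append(f"unknown objectClass {oc}")
            continue
        for attr in sorted(MUST_ATTRS[oc]):
            if not entry.get(attr):
                problems.append(f"{oc} requires {attr}")
    return problems


def check_ldif(text):
    """Map each entry's dn to its list of schema problems (empty == ok)."""
    return {e.get("dn", ["?"])[0]: schema_problems(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    ldif = domain_ldif()
    print(ldif)
    for dn, probs in check_ldif(ldif).items():
        print(dn, "->", probs or "ok")
```

Run it to print the LDIF and a per-entry verdict; dropping the member line from the generated text makes the checker report `groupOfNames requires member`, which is exactly the schema violation the directory server would reject the add with.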



Quoting Marcelo Mariano Miziara <marcelo.miziara@xxxxxxxxxxxxx>:

Hello to all!

Before the release of version grizzly 3, the suggested schema in the
openstack documentation
(http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html)
worked fine. This is the suggested schema:
dn: cn=openstack,cn=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack

dn: ou=Groups,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: roles

But after the release of the version grizzly 3 I think that's not enough
anymore, mainly because of the "domain" concept.

I'm kind of lost trying to make LDAP work with keystone now... has anyone
succeeded in this?

I created a new dn, something like:
dn: ou=Domains,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: Domains

But when I run "keystone-manage db_sync" the "default" domain isn't
created in the LDAP... When I manually create the domain in there, I have
a problem with authentication...

I think I must be doing something wrong, does anyone have a light?

Thanks in advance,
Marcelo M. Miziara
marcelo.miziara@xxxxxxxxxxxxx

 "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) --
a government company established under Brazilian law (5.615/70) -- is
directed exclusively to its addressee and may contain confidential data,
protected under professional secrecy rules. Its unauthorized use is illegal
and may subject the transgressor to the law's penalties. If you're not the
addressee, please send it back, elucidating the failure."
