On 05/28/2014 05:57 AM, Tizy Ninan wrote:
Hi,

Thanks for the reply.
I am still not successful in integrating keystone with active directory. Can you please provide some clarifications related to the following questions?

1. Currently, my active directory schema does not have projects/tenants and roles OU. Is it necessary that I need to create projects/tenants and roles OU in the active directory schema for the keystone to authenticate to active directory?
No.  Set the Assignment driver to SQL, not LDAP.

2. We added values to the user_tree_dn. Do the tenant_tree_dn, role_tree_dn and group_tree_dn fields need to be filled in for authenticating?
No, tenant values are used for assignment, and you should not be doing assignments in AD. Those go into SQL.


3. How will the mapping of a user to a project/tenant and role be done if I try to use active directory to authenticate only the users and use the already existing projects and roles tables in the mysql database?
You need a role assignment, based either on the userid or on a groupid that the user is in. These are stored in the assignment backend.



Kindly provide me some insight into these questions.

Thanks,
Tizy

On Tue, May 20, 2014 at 8:27 AM, Adam Young <[email protected]> wrote:

    On 05/16/2014 05:08 AM, Tizy Ninan wrote:
    Hi,

    We have an openstack Havana deployment on CentOS 6.4 and
    nova-network network service installed using Mirantis Fuel v4.0.
    We are trying to integrate the openstack setup with the Microsoft
    Active Directory(LDAP server). I  only have  a read access to the
    LDAP server.
    What will be the minimum changes needed to be made under the
    [ldap] tag in keystone.conf file?Can you please specify what
    variables need to be set and what should be the values for each
    variable?

    [ldap]
    # url = ldap://localhost
    # user = dc=Manager,dc=example,dc=com
    # password = None
    # suffix = cn=example,cn=com
    # use_dumb_member = False
    # allow_subtree_delete = False
    # dumb_member = cn=dumb,dc=example,dc=com

    # Maximum results per page; a value of zero ('0') disables paging (default)
    # page_size = 0

    # The LDAP dereferencing option for queries. This can be either 'never',
    # 'searching', 'always', 'finding' or 'default'. The 'default' option falls
    # back to using default dereferencing configured by your ldap.conf.
    # alias_dereferencing = default

    # The LDAP scope for queries, this can be either 'one'
    # (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
    # query_scope = one

    # user_tree_dn = ou=Users,dc=example,dc=com
    # user_filter =
    # user_objectclass = inetOrgPerson
    # user_id_attribute = cn
    # user_name_attribute = sn
    # user_mail_attribute = email
    # user_pass_attribute = userPassword
    # user_enabled_attribute = enabled
    # user_enabled_mask = 0
    # user_enabled_default = True
    # user_attribute_ignore = default_project_id,tenants
    # user_default_project_id_attribute =
    # user_allow_create = True
    # user_allow_update = True
    # user_allow_delete = True
    # user_enabled_emulation = False
    # user_enabled_emulation_dn =

    # tenant_tree_dn = ou=Projects,dc=example,dc=com
    # tenant_filter =
    # tenant_objectclass = groupOfNames
    # tenant_domain_id_attribute = businessCategory
    # tenant_id_attribute = cn
    # tenant_member_attribute = member
    # tenant_name_attribute = ou
    # tenant_desc_attribute = desc
    # tenant_enabled_attribute = enabled
    # tenant_attribute_ignore =
    # tenant_allow_create = True
    # tenant_allow_update = True
    # tenant_allow_delete = True
    # tenant_enabled_emulation = False
    # tenant_enabled_emulation_dn =

    # role_tree_dn = ou=Roles,dc=example,dc=com
    # role_filter =
    # role_objectclass = organizationalRole
    # role_id_attribute = cn
    # role_name_attribute = ou
    # role_member_attribute = roleOccupant
    # role_attribute_ignore =
    # role_allow_create = True
    # role_allow_update = True
    # role_allow_delete = True

    # group_tree_dn =
    # group_filter =
    # group_objectclass = groupOfNames
    # group_id_attribute = cn
    # group_name_attribute = ou
    # group_member_attribute = member
    # group_desc_attribute = desc
    # group_attribute_ignore =
    # group_allow_create = True
    # group_allow_update = True
    # group_allow_delete = True

    Kindly help us to resolve the issue.

    Thanks,
    Tizy



    _______________________________________________
    OpenStack-dev mailing list
    [email protected]
    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


    http://www.youtube.com/watch?v=w3Yjlmb_68g






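An added example, not code from this thread and not Keystone's own code: a small Python check for the layout Adam describes above (identity driver pointed at LDAP, assignment driver at SQL, no tenant or role trees in AD, no write operations against a directory you can only read). It embeds two constructed keystone.conf fragments: one with the shipped Havana-era defaults left in place, the other set up for Active Directory. Every hostname, DN, service-account name and file path in them is a placeholder. The AD attribute choices (sAMAccountName, userAccountControl with user_enabled_mask 2 and user_enabled_default 512) and the use_tls / tls_cacertfile / tls_req_cert options are assumed from the Havana [ldap] option set, not taken from the thread. The transport check is an extra point the thread does not raise: the LDAP identity backend authenticates by binding to the directory as the user, so the password crosses the wire on every login unless the connection is protected by TLS.

```python
"""Lint a Havana-era keystone.conf for the "users from AD, assignment in SQL"
layout. Added example, not Keystone code; all names below are placeholders."""
import configparser

# Constructed example of the recommended layout. Driver class paths are the
# Havana-era ones; DNs, hosts, paths and the service account are placeholders.
GOOD_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldap://dc01.corp.example.com
use_tls = True
tls_cacertfile = /etc/keystone/ad-ca.pem
tls_req_cert = demand
user = cn=svc-keystone,ou=Service Accounts,dc=corp,dc=example,dc=com
password = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
suffix = dc=corp,dc=example,dc=com
query_scope = sub

user_tree_dn = ou=Users,dc=corp,dc=example,dc=com
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = ou=Groups,dc=corp,dc=example,dc=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False
"""

# Constructed example of the shipped defaults uncommented as-is: assignment
# in LDAP, tenant/role trees set, writes enabled, placeholder password, no TLS.
WEAK_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.ldap.Assignment

[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=com
password = None
user_tree_dn = ou=Users,dc=example,dc=com
user_allow_create = True
tenant_tree_dn = ou=Projects,dc=example,dc=com
role_tree_dn = ou=Roles,dc=example,dc=com
"""

TRUE_WORDS = ("1", "true", "yes", "on")
WRITE_KEYS = ("user_allow_create", "user_allow_update", "user_allow_delete",
              "group_allow_create", "group_allow_update", "group_allow_delete")


def lint_ad_identity_conf(text):
    """Return a list of (code, message) findings; an empty list means the conf
    matches the identity-in-AD, assignment-in-SQL layout."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)

    def opt(section, key):  # missing section or key reads as empty string
        return cp.get(section, key, fallback="").strip()

    findings = []
    if "ldap" not in opt("identity", "driver").lower():
        findings.append(("identity-driver", "[identity] driver is not the LDAP backend; users will not come from AD"))
    if "sql" not in opt("assignment", "driver").lower():
        findings.append(("assignment-driver", "[assignment] driver must be the SQL backend; projects and roles stay out of AD"))
    # Simple bind as the user sends the password; require ldaps:// or STARTTLS.
    if not opt("ldap", "url").startswith("ldaps://") and opt("ldap", "use_tls").lower() not in TRUE_WORDS:
        findings.append(("cleartext-bind", "neither ldaps:// nor use_tls: user passwords would cross the wire in clear on bind"))
    if opt("ldap", "password") in ("", "None"):
        findings.append(("bind-password", "[ldap] password is unset or the literal 'None'"))
    if not opt("ldap", "user_tree_dn"):
        findings.append(("user-tree", "user_tree_dn is required to locate users"))
    for key in ("tenant_tree_dn", "role_tree_dn"):
        if opt("ldap", key):
            findings.append(("assignment-in-ldap", key + " is set; assignment data must not be modelled in AD"))
    for key in WRITE_KEYS:
        if opt("ldap", key).lower() in TRUE_WORDS:
            findings.append(("ldap-writes", key + " is True against a read-only directory"))
    if opt("ldap", "user_enabled_attribute") == "userAccountControl":
        if not (opt("ldap", "user_enabled_mask") and opt("ldap", "user_enabled_default")):
            findings.append(("uac-mask", "userAccountControl needs user_enabled_mask and user_enabled_default"))
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, lint_ad_identity_conf(conf) or "OK")
```

Run it as a script to see both results: the AD fragment should produce no findings, while the defaults fragment is flagged for the LDAP assignment driver, the tenant and role trees, the enabled write operation, the placeholder password and the unencrypted bind. The group_* settings are what let the role assignment in the SQL backend be made per AD group rather than per user, as in answer 3 above.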

