Thanks for your quick reply. I'll review the necessity of the subtree query.
It really depends on the user's demand. I did some more research on AD or LDAP structure design. I found that if an enterprise has an existing AD server and the structure is as follows:

dc=foo,dc=com
|__OU-HR
|    |_cn:hr-user1
|    |_cn:hr-user2
|    |_cn:hr-user3
|
|__OU-IT
     |_cn:it-user1
     |_cn:it-user2
     |_cn:it-user3

For such an LDAP structure, only HR or IT users could be validated.
Is there any existing approach within LDAP to import users from one OU to another OU, as in the diagram below?

dc=foo,dc=com
|__OU-HR
|    |_cn:hr-user1
|    |_cn:hr-user2
|    |_cn:hr-user3
|
|__OU-IT
|    |_cn:it-user1
|    |_cn:it-user2
|    |_cn:it-user3
|
|
|__OU-Keystone-Users
     |_cn:it-user1
     |_cn:hr-user1

If so, I can specify user_tree_dn as ou=OU-Keystone-Users.
Any suggestions?

Cheers

2012/5/22 Adam Young <ayo...@redhat.com>

> On 05/22/2012 07:07 AM, Kuo Hugo wrote:
>
> Hi Folks,
>
> I have tried the keystone backend with LDAP and Windows AD.
>
> It looks fine. I just want to clarify one point.
>
> In my test result, the LDAP driver could only validate users in the
> particular container (OU, CN, etc.) and does not include the subtree users.
>
> [ldap]
> tree_dn = dc=taiwan,dc=com
> user_tree_dn = ou=foo,dc=taiwan,dc=com
>
>
> For example:
> User1 : cn=jeremy,ou=foo,dc=taiwan,dc=com
>
> User2 : cn=jordan,ou=bar,ou=foo,dc=taiwan,dc=com
>
> User1 could be validated, and got the token generated by keystone.
> User2 could not be validated.
>
>
> Is there any way to validate both User1 and User2 in the current design?
>
>
> No, there is not. Queries are not done against subtrees.
>
> If this is important to you, please file a ticket:
> https://bugs.launchpad.net/keystone/+filebug
>
>
> --
> +Hugo Kuo+
> tonyt...@gmail.com
> +886 935004793
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

--
+Hugo Kuo+
tonyt...@gmail.com
+886 935004793
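The one-level versus subtree behaviour discussed in this thread, modelled over the two DNs it quotes; this is an added example, not part of the original messages and not Keystone's code. The helper names (`parse_dn`, `in_scope`, `visible_users`) and the simplified DN matching are assumptions for illustration.

```python
# Added illustration: LDAP search scopes applied to the DNs quoted in this thread.
# Simplifications (assumptions): single-valued RDNs, case-insensitive matching.

def parse_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, honoring '\\,' escapes."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is returned by a search from base_dn with this scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False          # not under the search base at all
    if scope == "base":
        return depth == 0     # the base entry itself
    if scope == "one":
        return depth == 1     # direct children only
    if scope == "sub":
        return True           # base entry and every descendant
    raise ValueError("unknown scope: %r" % scope)

def visible_users(user_tree_dn, scope, dns):
    """DNs a search rooted at user_tree_dn would return for the given scope."""
    return [dn for dn in dns if in_scope(dn, user_tree_dn, scope)]

USER_TREE_DN = "ou=foo,dc=taiwan,dc=com"             # from the quoted [ldap] section
USERS = ["cn=jeremy,ou=foo,dc=taiwan,dc=com",         # User1
         "cn=jordan,ou=bar,ou=foo,dc=taiwan,dc=com"]  # User2

if __name__ == "__main__":
    for scope in ("one", "sub"):
        print(scope, visible_users(USER_TREE_DN, scope, USERS))
```

A subtree scope makes every descendant entry of user_tree_dn a candidate for authentication, so the choice of base DN decides which accounts can obtain a token.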