Thanks, Adam. I saw in your blog "Keystone Roles are not yet implemented."
In order to make OpenStack work, it seems I have to assign "admin" role to some users.

On Sep 25, 2012, at 11:01 PM, Adam Young wrote:

> On 09/24/2012 10:45 PM, 邱剑 wrote:
>>
>> Thanks, Adam.
>>
>> Is there any way to configure FreeIPA LDAP to have this structure?
>
> Yes there is.
>
> I originally wrote it up here:
>
> http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/
>
> and checked it recently to see if I could do LDAPS (yes I could):
>
> http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
>
>>
>> Many thanks.
>>
>> On Sep 24, 2012, at 11:10 PM, Adam Young wrote:
>>
>>> Role is grouped in the collection under the Tenant, with the userid in the
>>> members attribute for that role.
>>>
>>> On 09/24/2012 03:18 AM, 邱剑 wrote:
>>>>
>>>> OpenStack services need a user account with the 'admin' role. But I could not
>>>> figure out how FreeIPA propagates 'role' into Keystone.
>>>>
>>>> That's why I'm asking the question on the mailing list.
>>>>
>>>> On Sep 24, 2012, at 11:30 AM, spring wrote:
>>>>
>>>>> Thanks qiujian!
>>>>> By using this configuration, can we log in through dashboard? If I want
>>>>> to implement that, is there any other configuration I have to do?
>>>>>
>>>>> 2012/9/24 邱剑 <qiuj...@meituan.com>
>>>>> BTW, here is my configuration:
>>>>>
>>>>> [ldap]
>>>>> url = ldap://10.64.11.199
>>>>> tree_dn = cn=accounts,dc=mydomain,dc=com
>>>>> user_tree_dn = cn=users,cn=accounts,dc=mydomain,dc=com
>>>>> user_objectclass = person
>>>>> user_name_attribute = uid
>>>>> user_id_attribute = uid
>>>>> tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
>>>>> tenant_objectclass = posixgroup
>>>>> tenant_id_attribute = cn
>>>>> tenant_name_attribute = cn
>>>>> tenant_member_attribute = member
>>>>> role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
>>>>> role_objectclass = posixgroup
>>>>> role_id_attribute = cn
>>>>> role_name_attribute = cn
>>>>> role_member_attribute = member
>>>>> user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
>>>>> password = mysudopassword
>>>>> suffix = cn=mydomain,cn=com
>>>>>
>>>>> [identity]
>>>>> driver = keystone.identity.backends.ldap.Identity
>>>>>
>>>>> It seems that keystone LDAP requires role nodes to be the children of tenant
>>>>> nodes. But FreeIPA has a flat structure.
>>>>>
>>>>> --
>>>>> 邱剑
>>>>> Meituan Technology Department, Systems Operations Group - Systems Engineer
>>>>> Mobile: 1381129925
>>>>> Email: qiuj...@meituan.com
>>>>>
>>>>> On Sep 22, 2012, at 12:27 PM, 邱剑 wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I was working on using the LDAP of FreeIPA as the backend of Keystone.
>>>>>>
>>>>>> User and tenant information can be fetched from LDAP. However, I could
>>>>>> not figure out how to assign roles to users in specific tenants. I'm
>>>>>> wondering whether someone can help?
>>>>>>
>>>>>> I noticed that Mr. Adam Young had posted a blog about this topic:
>>>>>>
>>>>>> http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
>>>>>>
>>>>>> However, it did not show how to import roles in LDAP. I'm wondering
>>>>>> whether there is any progress on this?
>>>>>>
>>>>>> Many thanks.
>>>>>>
>>>>>> keystone in use was the latest master branch on github on Sep 21, 2012.
>>>>>>
>>>>>> Jian Qiu
>>>>>> _______________________________________________
>>>>>> Mailing list: https://launchpad.net/~openstack
>>>>>> Post to : openstack@lists.launchpad.net
>>>>>> Unsubscribe : https://launchpad.net/~openstack
>>>>>> More help : https://help.launchpad.net/ListHelp
>>>>>
>>>>> --
>>>>> Huang Shuquan (黄舒泉)
>>>>> Software Institute of Nanjing University Nanjing, P.R.China
>>>>> Mobile: 86 137 7086 4433
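
An added example, not part of the thread and not Keystone code: a small Python audit of the [ldap] section posted above. It flags a simple bind over ldap:// (the case the LDAPS write-up linked in the thread addresses), configured trees that fall outside the declared suffix, and the flat role/tenant layout the thread discusses. The function names, finding codes and placeholder password are assumptions for this example, the suffix and flat-layout checks are heuristics, and the sample is constructed from the posted configuration.

```python
import configparser

# Constructed sample: a subset of the [ldap] section posted in the thread,
# with the bind password replaced by a placeholder.
SAMPLE = """
[ldap]
url = ldap://10.64.11.199
tree_dn = cn=accounts,dc=mydomain,dc=com
tenant_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
role_tree_dn = cn=groups,cn=accounts,dc=mydomain,dc=com
user = uid=sudo,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
password = PLACEHOLDER
suffix = cn=mydomain,cn=com
"""

def norm_dn(dn):
    """Lower-case a DN and trim spaces around RDNs (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_under(dn, base):
    """True if dn equals base or sits below it in the directory tree."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)

def audit_ldap_section(text):
    """Return a list of finding codes (hypothetical names) for an [ldap] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    ldap = cp["ldap"]
    findings = []
    # A simple bind over ldap:// without StartTLS exposes the bind password on the wire.
    if ldap.get("url", "").lower().startswith("ldap://") and ldap.get("password"):
        findings.append("cleartext-bind")
    # Consistency heuristic: each configured tree should sit under the declared suffix.
    suffix = ldap.get("suffix")
    for key in ("tree_dn", "user_tree_dn", "tenant_tree_dn", "role_tree_dn"):
        if suffix and key in ldap and not is_under(ldap[key], suffix):
            findings.append("outside-suffix:" + key)
    # Heuristic: roles and tenants share one container (the flat FreeIPA layout in the thread).
    if "role_tree_dn" in ldap and "tenant_tree_dn" in ldap and \
            norm_dn(ldap["role_tree_dn"]) == norm_dn(ldap["tenant_tree_dn"]):
        findings.append("flat-role-layout")
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_section(SAMPLE):
        print(finding)
```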