No, we didn’t do anything with custom drivers. We implemented the pipeline solution referred to in this document:
http://docs.openstack.org/developer/keystone/external-auth.html

Jasper

On 02 May 2014, at 15:00, Michael Hearn <mrhe...@gmail.com> wrote:

> Jasper
> Are you alluding to the hybrid drivers as discussed & avail via
> http://www.mattfischer.com/blog/?tag=openstack-2
>
> ~Mike.
>
> On Thu, May 1, 2014 at 11:17 PM, Lillie Ross-CDSR11
> <ross.lil...@motorolasolutions.com> wrote:
> I’ve been playing with using LDAP authentication (identity) and SQL
> authorization (assignment) within Keystone in the current devstack release
> running in a single VM.
>
> The problem with this setup, as I understand it, is the need to have LDAP
> entries for each service user (i.e. nova, glance, etc.). In our environment,
> this isn’t possible as our corporate LDAP directory is solely for employee
> records. While I could work around this issue by running each service under
> a known LDAP employee record - this seems rather a kludge to me.
>
> My question is, and admittedly I’m not well versed in directory federation,
> is this an issue that could be resolved once directory federation is stable
> in the next Openstack release? Where, for instance, all of the openstack
> service accounts could remain in a separate directory service controlled
> solely by the cloud owner/admin, while users could then be authenticated via
> the corporate employee LDAP database?
>
> We’d love to use LDAP to authenticate cloud users, but with the need to also
> authenticate openstack services against the same LDAP backend makes the use
> of LDAP unviable in our environment.
>
> This has probably been discussed previously, but any insight would be
> helpful.
>
> Thanks and regards,
> Ross
> --
> Ross Lillie
> Distinguished Member of Technical Staff
> Motorola Solutions, Inc.
>
> motorolasolutions.com
> O: +1.847.576.0012
> M: +1.847.980.2241
> E: ross.lil...@motorolasolutions.com

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack