Re: [Openstack] Keystone w/ LDAP identity

2014-05-04 Thread Michael Gale
Hello, We had similar requests with wanting AD integration for authentication but not for authorization. We ended up with our own driver: https://bitbucket.org/mgale/openstack-havana/overview Installation instructions are available here: https://bitbucket.org/mgale/openstack-havana/src/78f82

Re: [Openstack] Keystone w/ LDAP identity

2014-05-02 Thread Jasper Capel
No, we didn’t do anything with custom drivers. We implemented the pipeline solution referred to in this document: http://docs.openstack.org/developer/keystone/external-auth.html Jasper On 02 May 2014, at 15:00, Michael Hearn wrote: > Jasper > Are you alluding to the hybrid drivers as discusse

Re: [Openstack] Keystone w/ LDAP identity

2014-05-02 Thread Adam Young
So, here is the direction we are going: Federation allows us to remove the need to have a Backend LDAP driver at all. Instead, we at Red Hat are planning on building solutions around using mod_identity_lookup and sssd. The Keystone server machine will be configured with LDAP PAM and nsswitch m

Re: [Openstack] Keystone w/ LDAP identity

2014-05-02 Thread Michael Hearn
Jasper Are you alluding to the hybrid drivers as discussed & avail via http://www.mattfischer.com/blog/?tag=openstack-2 ~Mike. On Thu, May 1, 2014 at 11:17 PM, Lillie Ross-CDSR11 < ross.lil...@motorolasolutions.com> wrote: > I’ve been playing with using LDAP authentication (identity) and SQL >

Re: [Openstack] Keystone w/ LDAP identity

2014-05-02 Thread Jasper Capel
We ran into similar issues, wanting to authenticate our corporate users against the company AD, but keeping our service accounts separate. We ended up writing a little piece of Keystone middleware that sits on the Keystone request pipeline. It will attempt to authenticate the user against our

Re: [Openstack] Keystone w/ LDAP identity

2014-05-01 Thread Adam Young
On 05/01/2014 06:17 PM, Lillie Ross-CDSR11 wrote: I've been playing with using LDAP authentication (identity) and SQL authorization (assignment) within Keystone in the current devstack release running in a single VM. The problem with this setup, as I understand it, is the need to have LDAP en

[Openstack] Keystone w/ LDAP identity

2014-05-01 Thread Lillie Ross-CDSR11
I’ve been playing with using LDAP authentication (identity) and SQL authorization (assignment) within Keystone in the current devstack release running in a single VM. The problem with this setup, as I understand it, is the need to have LDAP entries for each service user (i.e. nova, glance, etc.