
Re: [Rdo-list] Fwd: RDO with Red Hat IDM



On 05/31/2013 09:51 AM, Michael Solberg wrote:
On 05/30/2013 08:04 PM, Adam Young wrote:
On 05/30/2013 05:58 PM, Dave Neary wrote:
Hi Adam,

Can you have a look at this post on rdo-list and see if you can figure
out what's going wrong, please?

Thanks!
Dave.



-------- Original Message --------
Subject: [Rdo-list] RDO with Red Hat IDM
Date: Thu, 30 May 2013 17:13:59 -0400
From: Michael Solberg <msolberg redhat com>
To: rdo-list redhat com

Hi list.

I've spent a day or two now trying to use Red Hat IDM as a backing store
for Keystone in RDO and I'm about to pull my hair out.

I started with Adam Young's blog post here:
http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/

Then I watched his Summit video here:
http://www.openstack.org/summit/portland-2013/session-videos/presentation/securing-openstack-with-freeipa
Then I tried to follow this document:
http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html
I definitely ran into the domain_id problem described here:
https://lists.launchpad.net/openstack/msg23387.html

I also ran into the issue around the RFC 4519 schema not allowing a
"enabled" attribute.  I think I've mitigated this by setting the
"attribute_ignore" settings in keystone.conf.

I've tried tackling the architecture from a few different directions and
I've gotten to the point where I can create roles, create tenants, and
list users in my IDM domain, but not assign roles to users.  I think
this is because I'm trying to separate out the tenants and roles from
the users in the directory tree.  I don't mind keystone creating objects
in its own tree, but I don't want it updating user accounts from IDM.

So, you have put projects into their own subtree?  Can the LDAP user
from Keystone modify that tree?

Yes - for right now, I'm just using the cn=Directory Manager account.  I
figured I'd work on the ACLs once I got the mappings correct.  All of my
issues so far have been around Keystone trying to create or read objects
in the tree that don't conform to the standard directory types that we
ship in IDM (groupOfNames, posixaccount, etc).  That's why I was curious
if someone had a working configuration that I could look at.  It looks
like we've documented using AD upstream, but not IDM.

I figured it out.  Is there a good place for me to document this?

Thanks.

Michael.
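
Michael never posts the configuration he ended up with, so the following `[ldap]` stanza for keystone.conf is an added illustration of the layout the thread describes, not his working file or anything shipped by RDO or IDM. It assumes Grizzly-era Keystone option names (`user_allow_*`, `*_attribute_ignore`, `use_dumb_member`, `*_tree_dn`), an IDM domain `dc=example,dc=com`, a dedicated bind account and a Keystone-owned `ou=openstack` subtree; all DNs, the host name and the password are placeholders. The points it encodes are the ones raised above: users are read from the IDM tree and never written, the `enabled` attribute that RFC 4519 classes lack is put on the ignore lists, tenants and roles live in a separate subtree, and the bind account is not `cn=Directory Manager`.

```ini
[ldap]
# Bind over LDAPS with a service account created for Keystone, not
# cn=Directory Manager. Its write access can then be limited by IDM
# ACIs to the ou=openstack subtree below. Host, DN and password are
# placeholders for this example.
url = ldaps://ipa.example.com
user = uid=keystone,cn=sysaccounts,cn=etc,dc=example,dc=com
password = <keystone-bind-password>
suffix = dc=example,dc=com

# Users come from the IDM-managed tree and are mapped onto the
# posixAccount attributes IDM already ships. Keystone must treat this
# tree as read-only, so every user write operation is switched off.
user_tree_dn = cn=users,cn=accounts,dc=example,dc=com
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_allow_create = False
user_allow_update = False
user_allow_delete = False
# posixAccount has no "enabled" attribute, so Keystone must skip it when
# reading and writing user entries. tenant_id,tenants are the Grizzly
# defaults for this list and have to be repeated when it is overridden.
user_attribute_ignore = tenant_id,tenants,enabled

# Tenants (projects) live in a subtree Keystone owns. groupOfNames
# requires at least one member, so a placeholder member is added to
# newly created tenants; groupOfNames has no "enabled" attribute either.
tenant_tree_dn = ou=projects,ou=openstack,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_member_attribute = member
tenant_attribute_ignore = enabled
use_dumb_member = True
dumb_member = cn=dumb,ou=openstack,dc=example,dc=com

# Roles live beside the tenants, again in the Keystone-owned subtree.
role_tree_dn = ou=roles,ou=openstack,dc=example,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore = enabled
```

With the user write operations disabled, a bug or a compromised Keystone service account cannot alter IDM user entries, and a bind account whose write rights are limited to `ou=openstack` keeps the blast radius of a leaked keystone.conf to that subtree. Before settling on `user_attribute_ignore = ...,enabled`, it is worth checking what the Keystone release in use reports for a user whose `enabled` flag is never read, since an ignored attribute means every directory user is accepted as enabled by Keystone.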

