[rhos-list] Openstack LDAP/AD integration at CERN

Haller, John H (John) john.haller at alcatel-lucent.com
Wed Sep 12 15:58:56 UTC 2012


You are best off working directly with the upstream project, at http://www.openstack.org
They have a good wiki page on how to contribute here: http://wiki.openstack.org/HowToContribute

After dealing with contributor agreements and Launchpad accounts, this probably needs a Blueprint (feature) to be created/approved.

Regards,
John Haller

From: rhos-list-bounces at redhat.com [mailto:rhos-list-bounces at redhat.com] On Behalf Of Jose Castro Leon
Sent: Wednesday, September 12, 2012 10:03 AM
To: rhos-list at redhat.com
Cc: Peter Pouliot (ppouliot at microsoft.com); joe.heck at nebula.com
Subject: [rhos-list] Openstack LDAP/AD integration at CERN

Hi,
During the last few days, I had a look at the LDAP module to try to make it work with AD, in order to see if there is any missing part that we could contribute.
Here at CERN, identity management is heavily based on Active Directory, and we are interested in having that feature in Openstack.
With the help of some of my colleagues, I was able to configure the LDAP module in order to make it work with Active Directory.

I saw that there is much more configuration available in Folsom for the LDAP module, which helps a bit, but there is some more configuration hardcoded.
We have prepared some patches in order to expose the configuration in keystone.conf while maintaining compatibility with openLDAP.

We would like to know how to proceed in order to contribute to the community.

Active Directory

* Schema is Windows 2008 (Active Directory + Services for Unix)
* Small change on roleOccupant class (let it have a groupOfNames superior)

List of Patches

1. Move 'dumb_member' account to be a configuration parameter
2. Create configuration attributes for user mapping (name, mail)
3. Create configuration attributes for tenant mapping (name, description)
4. Create attribute ignore configuration to specify the attributes that are not mapped with LDAP (user, tenant, role)
5. Bugfix on get_users(self, tenant_id, role_id=None): if a user is a member of a tenant and also in a role, it appears twice when called
As an additional patch, we can put a filter in all user queries to reduce the amount of data that is returned when the list of users is retrieved.
We have more than 40000 accounts at CERN, and we need something so that the dashboard and keystone do not become unusable due to the number of users on the system.

Kind regards,

Jose Castro Leon
CERN IT-OIS-IN                      tel:    +41.22.76.74272
                                                mob: +41.76.48.79222
                                                fax:    +41.22.76.67955
Office: 31-R-021                  CH-1211      Geneve 23
email: jose.castro.leon at cern.ch<mailto:jose.castro.leon at cern.ch>
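
The behaviour the patches above describe (configurable name/mail attributes, an attribute ignore list, dumb_member as a config option, and get_users returning a user once even when it is both a tenant member and a role occupant), as an added illustration that is not Keystone's backend code and not the patches from this thread; the option names, the directory entries and the group filter are constructed for the example.

```python
"""Hypothetical sketch of a config-driven AD user mapping for Keystone.
Not Keystone's own code; all entries below are constructed sample data."""

# Assumed keystone.conf [ldap] options (names are hypothetical).
CONF = {
    "user_name_attribute": "sAMAccountName",   # AD login name instead of cn
    "user_mail_attribute": "mail",
    "user_attribute_ignore": ["tenantId", "unicodePwd"],
    "user_filter": "(memberOf=CN=cloud-users,OU=Groups,DC=example,DC=org)",
    "dumb_member": "CN=dumb,DC=example,DC=org",
}

# Constructed directory entries: dn -> {attribute: [values]}.
USERS = {
    "CN=alice,DC=example,DC=org": {"sAMAccountName": ["alice"],
                                   "mail": ["alice@example.org"],
                                   "tenantId": ["t1"]},
    "CN=bob,DC=example,DC=org": {"sAMAccountName": ["bob"],
                                 "mail": ["bob@example.org"]},
}
TENANT_MEMBERS = ["CN=alice,DC=example,DC=org", "CN=bob,DC=example,DC=org",
                  CONF["dumb_member"]]          # placeholder member in AD group
ROLE_OCCUPANTS = ["CN=alice,DC=example,DC=org"]  # alice also holds a role


def user_search_filter(conf=CONF):
    """Combine the object class with the configured filter so that only the
    accounts meant for the cloud are returned from a large directory."""
    return "(&(objectClass=person)%s)" % conf["user_filter"]


def ldap_to_user(dn, attrs, conf=CONF):
    """Map one entry to a Keystone-style user dict using the configured
    attribute names and dropping everything in user_attribute_ignore."""
    user = {"id": dn,
            "name": attrs[conf["user_name_attribute"]][0],
            "email": attrs.get(conf["user_mail_attribute"], [None])[0]}
    mapped = (conf["user_name_attribute"], conf["user_mail_attribute"])
    for attr, values in attrs.items():
        if attr not in mapped and attr not in conf["user_attribute_ignore"]:
            user[attr] = values[0]
    return user


def get_users(tenant_members, role_occupants, conf=CONF):
    """Return each user once even if listed both as tenant member and as
    role occupant (the duplicate from patch 5); skip the dumb_member dn."""
    seen, users = set(), []
    for dn in list(tenant_members) + list(role_occupants):
        if dn == conf["dumb_member"] or dn in seen:
            continue
        seen.add(dn)
        users.append(ldap_to_user(dn, USERS[dn], conf))
    return users
```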
