[rhos-list] Openstack LDAP/AD integration at CERN

Adam Young ayoung at redhat.com
Thu Sep 13 13:23:11 UTC 2012


On 09/13/2012 02:17 AM, Jose Castro Leon wrote:
>> That is unfortunate.  Would using Organization or Organizational-Unit make more sense? Does organizationalRole need to be put into an attribute instead?
> A simplified view of the schema is the following:
>
> Users
>     |
>      --> demo_user (user)
>
> Tenants
>     |
>      --> My Tenant (groupOfNames)
>               | @member(demo_user)
>               |
>               --> member (organizationalRole)
>                       @roleOccupant (demo_user)
>
> Roles
>     |
>      --> member (organizationalRole)
>
> In () class of the object
>      @ attribute of the object
>
> The role inside the tenant is to describe the users that have that role on a specified tenant. It uses the attribute roleOccupant.
> We tried to maintain compatibility with the existing LDAP module, so this is why we modified the AD schema a little bit in order to allow
> an object of class 'organizationalRole' to have a superior of class 'groupOfNames'. This is not allowed by default on AD.

I think you put too much weight on my choice of classes.  I would much 
prefer to get the setup to work without any Schema changes.  I do 
appreciate the effort that you went through to make this happen.

This design was a first effort, and it is something that we have to be 
mindful of in the future (backwards compatibility) but it should not be 
the part that is held fixed.  We should instead assume that multiple 
organizations are going to have many different schemas, and Keystone 
should flex to support them.
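The tree the quoted message describes, worked through as an added example that is not code from the list post, from CERN's deployment or from Keystone: a constructed LDIF with the Users/Tenants/Roles layout, a small resolver that reads tenant membership from the groupOfNames `member` attribute and role assignment from the organizationalRole `roleOccupant` attribute, and a consistency check for the case where those two attributes disagree. The DNs under dc=example,dc=org, the extra users (other_user, stale_user) and every function name are assumptions made for the example. The object class and attribute names are passed in as a dict so the same lookup can be pointed at a directory that lays the objects out differently.

```python
"""Resolve user -> tenant -> role assignments from an LDAP tree laid out the
way the quoted message describes (tenant = groupOfNames, role = organizationalRole
child of the tenant).  SAMPLE_LDIF is constructed sample data, not an export."""

import re
from collections import defaultdict

# Constructed sample tree.  demo_user is both a tenant member and a role
# occupant; other_user is a member with no role; stale_user is named as a
# role occupant but is not in the tenant's member list (a drift case).
SAMPLE_LDIF = """\
dn: cn=demo_user,ou=Users,dc=example,dc=org
objectClass: inetOrgPerson
cn: demo_user
sn: Demo

dn: cn=other_user,ou=Users,dc=example,dc=org
objectClass: inetOrgPerson
cn: other_user
sn: Other

dn: cn=My Tenant,ou=Tenants,dc=example,dc=org
objectClass: groupOfNames
cn: My Tenant
member: cn=demo_user,ou=Users,dc=example,dc=org
member: cn=other_user,ou=Users,dc=example,dc=org

dn: cn=member,cn=My Tenant,ou=Tenants,dc=example,dc=org
objectClass: organizationalRole
cn: member
roleOccupant: cn=demo_user,ou=Users,dc=example,dc=org
roleOccupant: cn=stale_user,ou=Users,dc=example,dc=org

dn: cn=member,ou=Roles,dc=example,dc=org
objectClass: organizationalRole
cn: member
"""

# Class/attribute names are parameters so a differently laid out directory
# can be served by the same lookups; these defaults follow the quoted schema.
DEFAULT_SCHEMA = {
    "tenant_class": "groupofnames",
    "tenant_member_attr": "member",
    "role_class": "organizationalrole",
    "role_occupant_attr": "roleoccupant",
}


def norm(dn):
    """LDAP DNs are case-insensitive; normalise case and spacing for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn):
    # Assumes no escaped commas inside an RDN (true for the sample data).
    return norm(dn.split(",", 1)[1])


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines
    only (no base64 '::' values, no continuation lines).  Returns
    {normalised dn: {lowercase attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[norm(dn)] = dict(attrs)
    return entries


def has_class(entry, cls):
    return cls in (c.lower() for c in entry.get("objectclass", []))


def dn_values(entry, attr):
    return {norm(v) for v in entry.get(attr, [])}


def tenants_for_user(entries, user_dn, schema=DEFAULT_SCHEMA):
    """Tenants are groupOfNames entries listing the user in 'member'."""
    u = norm(user_dn)
    return {dn for dn, e in entries.items()
            if has_class(e, schema["tenant_class"])
            and u in dn_values(e, schema["tenant_member_attr"])}


def roles_for_user_on_tenant(entries, user_dn, tenant_dn, schema=DEFAULT_SCHEMA):
    """Roles are organizationalRole children of the tenant entry; the
    assignment itself is the roleOccupant attribute, read independently of
    the tenant's member list."""
    u, t = norm(user_dn), norm(tenant_dn)
    return {e["cn"][0] for dn, e in entries.items()
            if parent_dn(dn) == t and has_class(e, schema["role_class"])
            and u in dn_values(e, schema["role_occupant_attr"])}


def role_assignments(entries, user_dn, schema=DEFAULT_SCHEMA):
    """{tenant dn: set of role names} for every tenant the user is a member of."""
    return {t: roles_for_user_on_tenant(entries, user_dn, t, schema)
            for t in tenants_for_user(entries, user_dn, schema)}


def occupants_without_membership(entries, schema=DEFAULT_SCHEMA):
    """Consistency check: (tenant dn, role, user dn) triples where a user is a
    roleOccupant of a tenant's role but missing from that tenant's member
    attribute.  Two attributes encode one relationship, so they can drift;
    report it rather than silently trusting either side.  Role definitions
    under ou=Roles have no tenant parent and are skipped."""
    findings = []
    for dn, e in entries.items():
        if not has_class(e, schema["role_class"]):
            continue
        tenant = entries.get(parent_dn(dn))
        if tenant is None or not has_class(tenant, schema["tenant_class"]):
            continue
        members = dn_values(tenant, schema["tenant_member_attr"])
        for occ in dn_values(e, schema["role_occupant_attr"]):
            if occ not in members:
                findings.append((parent_dn(dn), e["cn"][0], occ))
    return sorted(findings)


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for user in ("demo_user", "other_user", "stale_user"):
        dn = "cn=%s,ou=Users,dc=example,dc=org" % user
        print(user, role_assignments(tree, dn))
    print("drift:", occupants_without_membership(tree))
```

Running the block resolves demo_user to the member role on My Tenant, other_user to membership with no role, and reports stale_user as a role occupant that the tenant's member list does not include.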

