On 05/31/2013 09:51 AM, Michael Solberg wrote:
> On 05/30/2013 08:04 PM, Adam Young wrote:
>> On 05/30/2013 05:58 PM, Dave Neary wrote:
>>> Hi Adam,
>>>
>>> Can you have a look at this post on rdo-list and see if you can figure
>>> out what's going wrong, please?
>>>
>>> Thanks!
>>> Dave.
>>>
>>>
>>>
>>> -------- Original Message --------
>>> Subject: [Rdo-list] RDO with Red Hat IDM
>>> Date: Thu, 30 May 2013 17:13:59 -0400
>>> From: Michael Solberg <msolberg(a)redhat.com>
>>> To: rdo-list(a)redhat.com
>>>
>>> Hi list.
>>>
>>> I've spent a day or two now trying to use Red Hat IDM as a backing store
>>> for Keystone in RDO and I'm about to pull my hair out.
>>>
>>> I started with Adam Young's blog post here:
>>>
>>> http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/
>>>
>>> Then I watched his Summit video here:
>>>
>>> http://www.openstack.org/summit/portland-2013/session-videos/presentation...
>>>
>>> Then I tried to follow this document:
>>>
>>> http://docs.openstack.org/trunk/openstack-compute/admin/content/configuri...
>>>
>>> I definitely ran into the domain_id problem described here:
>>>
>>> https://lists.launchpad.net/openstack/msg23387.html
>>>
>>> I also ran into the issue around the RFC 4519 schema not allowing an
>>> "enabled" attribute. I think I've mitigated this by setting the
>>> "attribute_ignore" settings in keystone.conf.
>>>
>>> I've tried tackling the architecture from a few different directions and
>>> I've gotten to the point where I can create roles, create tenants, and
>>> list users in my IDM domain, but not assign roles to users. I think
>>> this is because I'm trying to separate out the tenants and roles from
>>> the users in the directory tree. I don't mind keystone creating objects
>>> in its own tree, but I don't want it updating user accounts from IDM.
>>
>> So, you have put projects into their own subtree? Can the LDAP user
>> from Keystone modify that tree?
>
> Yes - for right now, I'm just using the cn=Directory Manager account. I
> figured I'd work on the ACLs once I got the mappings correct. All of my
> issues so far have been around Keystone trying to create or read objects
> in the tree that don't conform to the standard directory types that we
> ship in IDM (groupOfNames, posixaccount, etc). That's why I was curious
> if someone had a working configuration that I could look at. It looks
> like we've documented using AD upstream, but not IDM.
I figured it out. Is there a good place for me to document this?
Thanks.
Michael.
_______________________________________________
Rdo-list mailing list
Rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list
--
Dave Neary - Community Action and Impact
Open Source and Standards, Red Hat -
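An added example, not configuration from this thread or from the RDO/Keystone projects: a keystone.conf [ldap] stanza of the shape Michael describes, reading users from the IdM tree without ever writing to them, ignoring the "enabled" attribute that the inetOrgPerson/posixAccount schema does not carry, and giving Keystone its own subtree for tenants and roles. The server name, base DN, service account and the ou=openstack subtree are assumptions; the option names are the Grizzly-era Keystone [ldap] settings, so compare against the keystone.conf.sample shipped with your Keystone version before copying.

```ini
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
# Assumed IdM server and bind account. Use a dedicated, least-privilege
# service account here rather than cn=Directory Manager once the mapping works.
url = ldaps://ipa.example.com
user = uid=keystone,cn=sysaccounts,cn=etc,dc=example,dc=com
password = CHANGEME
suffix = dc=example,dc=com
# ldaps:// already encrypts the session; set use_tls/tls_cacertfile instead
# only if you bind with ldap:// and StartTLS.
use_tls = False

# Users: read straight from the IdM tree (assumed DN). Keystone must never
# create, update or delete entries here.
user_tree_dn = cn=users,cn=accounts,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute = userPassword
user_allow_create = False
user_allow_update = False
user_allow_delete = False
# IdM has no "enabled" attribute on user entries: do not read or write one.
user_attribute_ignore = enabled,tenant_id,tenants
# With emulation off every account found in user_tree_dn is treated as enabled.
# Switching to user_enabled_emulation = True requires user_enabled_emulation_dn
# to point at a group object that the Keystone bind account may modify.
user_enabled_emulation = False

# Tenants and roles: a Keystone-owned subtree (assumed name) under the same
# suffix, so Keystone can create objects without touching IdM-managed entries.
tenant_tree_dn = ou=Projects,ou=openstack,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_name_attribute = ou
tenant_member_attribute = member
tenant_desc_attribute = description
tenant_attribute_ignore = enabled
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = ou=Roles,ou=openstack,dc=example,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True
```

With users read-only, the service account only needs read access to the user container and write access to the ou=openstack subtree, which keeps the blast radius of a leaked Keystone bind password to Keystone's own objects. Once the mapping works with cn=Directory Manager, switch to that account and retest role assignment: a failure that appears only then is an IdM ACI problem, not a mapping problem.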