[Rdo-list] Fwd: RDO with Red Hat IDM
msolberg at redhat.com
Thu Jun 13 19:27:38 UTC 2013
On 05/31/2013 09:51 AM, Michael Solberg wrote:
> On 05/30/2013 08:04 PM, Adam Young wrote:
>> On 05/30/2013 05:58 PM, Dave Neary wrote:
>>> Hi Adam,
>>> Can you have a look at this post on rdo-list and see if you can figure
>>> out what's going wrong, please?
>>> -------- Original Message --------
>>> Subject: [Rdo-list] RDO with Red Hat IDM
>>> Date: Thu, 30 May 2013 17:13:59 -0400
>>> From: Michael Solberg <msolberg at redhat.com>
>>> To: rdo-list at redhat.com
>>> Hi list.
>>> I've spent a day or two now trying to use Red Hat IDM as a backing store
>>> for Keystone in RDO and I'm about to pull my hair out.
>>> I started with Adam Young's blog post here:
>>> Then I watched his Summit video here:
>>> Then I tried to follow this document:
>>> I definitely ran into the domain_id problem described here:
>>> I also ran into the issue around the RFC 4519 schema not allowing a
>>> "enabled" attribute. I think I've mitigated this by setting the
>>> "attribute_ignore" settings in keystone.conf.
>>> I've tried tackling the architecture from a few different directions and
>>> I've gotten to the point where I can create roles, create tenants, and
>>> list users in my IDM domain, but not assign roles to users. I think
>>> this is because I'm trying to separate out the tenants and roles from
>>> the users in the directory tree. I don't mind keystone creating objects
>>> in it's own tree, but I don't want it updating user accounts from IDM.
>> So, you have put projects into their own subtree? Can the LDAP user
>> from Keystone modify that tree?
> Yes - for right now, I'm just using the cn=Directory Manager account. I
> figured I'd work on the ACLs once I got the mappings correct. All of my
> issues so far have been around Keystone trying to create or read objects
> in the tree that don't conform to the standard directory types that we
> ship in IDM (groupOfNames, posixaccount, etc). That's why I was curious
> if someone had a working configuration that I could look at. It looks
> like we've documented using AD upstream, but not IDM.
I figured it out. Is there a good place for me to document this?
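The thread never shows the configuration Michael settled on, so the fragment below is an added illustration of the keystone.conf [ldap] layout the thread is circling around, not his solution or anything shipped by RDO or IDM: users read-only from the IDM tree, projects and roles written into a separate subtree Keystone owns, the "enabled" attribute handled by ignoring it rather than writing it into RFC 4519-style user entries, and a dedicated bind account in place of cn=Directory Manager. The DNs, the service account name and the trees are constructed for the example; the option names are the Grizzly-era Keystone LDAP backend options.

```ini
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
# Constructed example values: substitute your own IDM server and base DN.
url = ldaps://idm.example.test
suffix = dc=example,dc=test

# Bind as a dedicated, least-privilege service account instead of
# cn=Directory Manager; grant it read on the user tree and write only on
# the Keystone-owned subtree below. (Account name is an assumption.)
user = uid=keystone-svc,cn=users,cn=accounts,dc=example,dc=test
password = CHANGEME
use_tls = False
tls_cacertfile = /etc/pki/tls/certs/ca-bundle.crt
tls_req_cert = demand

# Users come from the IDM tree and are never modified by Keystone.
user_tree_dn = cn=users,cn=accounts,dc=example,dc=test
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# RFC 4519-style user entries have no "enabled" attribute, so do not ask
# Keystone to read or write one. Emulation stores the enabled set as
# membership of a group in the Keystone-owned subtree instead; treating
# every IDM user as enabled without that group is the simpler alternative.
user_attribute_ignore = enabled,tenant_id,tenants
user_enabled_emulation = True
user_enabled_emulation_dn = cn=enabled_users,ou=keystone,dc=example,dc=test

# Projects (tenants) and roles live in a subtree Keystone may write to,
# separate from the IDM user tree, so role assignment never touches a
# user entry.
tenant_tree_dn = ou=projects,ou=keystone,dc=example,dc=test
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_name_attribute = ou
tenant_member_attribute = member
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = ou=roles,ou=keystone,dc=example,dc=test
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True
```

The security-relevant split is the pair of trees: the bind account needs only read access on cn=users and write access under ou=keystone, so an ACI on the directory side can enforce exactly what user_allow_update = False asks for on the Keystone side, and a compromised Keystone host cannot alter IDM accounts. Verify the result from the Keystone side by listing users (should succeed, read-only) and then adding a role to a user in a project, which should create entries under ou=roles and ou=projects only; a write attempt against cn=users would show up as an LDAP insufficient-access error in the Keystone log, which is the expected and desired failure.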