[Rdo-list] Fwd: RDO with Red Hat IDM

Michael Solberg msolberg at redhat.com
Thu Jun 13 19:27:38 UTC 2013 

On 05/31/2013 09:51 AM, Michael Solberg wrote:
> On 05/30/2013 08:04 PM, Adam Young wrote:
>> On 05/30/2013 05:58 PM, Dave Neary wrote:
>>> Hi Adam,
>>>
>>> Can you have a look at this post on rdo-list and see if you can figure
>>> out what's going wrong, please?
>>>
>>> Thanks!
>>> Dave.
>>>
>>>
>>>
>>> -------- Original Message --------
>>> Subject: [Rdo-list] RDO with Red Hat IDM
>>> Date: Thu, 30 May 2013 17:13:59 -0400
>>> From: Michael Solberg <msolberg at redhat.com>
>>> To: rdo-list at redhat.com
>>>
>>> Hi list.
>>>
>>> I've spent a day or two now trying to use Red Hat IDM as a backing store
>>> for Keystone in RDO and I'm about to pull my hair out.
>>>
>>> I started with Adam Young's blog post here:
>>> http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/
>>>
>>> Then I watched his Summit video here:
>>> http://www.openstack.org/summit/portland-2013/session-videos/presentation/securing-openstack-with-freeipa
>>>
>>>
>>>
>>> Then I tried to follow this document:
>>> http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html
>>>
>>>
>>>
>>> I definitely ran into the domain_id problem described here:
>>> https://lists.launchpad.net/openstack/msg23387.html
>>>
>>> I also ran into the issue around the RFC 4519 schema not allowing a
>>> "enabled" attribute.  I think I've mitigated this by setting the
>>> "attribute_ignore" settings in keystone.conf.
>>>
>>> I've tried tackling the architecture from a few different directions and
>>> I've gotten to the point where I can create roles, create tenants, and
>>> list users in my IDM domain, but not assign roles to users.  I think
>>> this is because I'm trying to separate out the tenants and roles from
>>> the users in the directory tree.  I don't mind keystone creating objects
>>> in it's own tree, but I don't want it updating user accounts from IDM.
>>
>> So,  you have put projects into their own subtree?  Can the LDAP user
>> from Keystone modify that tree?
>
> Yes - for right now, I'm just using the cn=Directory Manager account.  I
> figured I'd work on the ACLs once I got the mappings correct.  All of my
> issues so far have been around Keystone trying to create or read objects
> in the tree that don't conform to the standard directory types that we
> ship in IDM (groupOfNames, posixaccount, etc).  That's why I was curious
> if someone had a working configuration that I could look at.  It looks
> like we've documented using AD upstream, but not IDM.

I figured it out.  Is there a good place for me to document this?

Thanks.

Michael.

More information about the dev mailing list