[Rdo-list] RDO with Red Hat IDM

Michael Solberg msolberg at redhat.com
Thu May 30 21:13:59 UTC 2013


Hi list.

I've spent a day or two now trying to use Red Hat IDM as a backing store 
for Keystone in RDO and I'm about to pull my hair out.

I started with Adam Young's blog post here:
http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/

Then I watched his Summit video here:
http://www.openstack.org/summit/portland-2013/session-videos/presentation/securing-openstack-with-freeipa

Then I tried to follow this document:
http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html

I definitely ran into the domain_id problem described here:
https://lists.launchpad.net/openstack/msg23387.html

I also ran into the issue around the RFC 4519 schema not allowing a 
"enabled" attribute.  I think I've mitigated this by setting the 
"attribute_ignore" settings in keystone.conf.

I've tried tackling the architecture from a few different directions and 
I've gotten to the point where I can create roles, create tenants, and 
list users in my IDM domain, but not assign roles to users.  I think 
this is because I'm trying to separate out the tenants and roles from 
the users in the directory tree.  I don't mind keystone creating objects 
in its own tree, but I don't want it updating user accounts from IDM.

Has anyone gotten this configuration working?  I'm willing to wade 
through details, but I'm curious if someone else has this working and I 
could just replicate their setup.

Michael.

-- 
Michael Solberg
Principal Architect, Red Hat, Inc.
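An added keystone.conf fragment illustrating the split the post describes: a read-only user tree taken from IDM, a separate Keystone-owned subtree for tenants and roles, and the "enabled" attribute ignored because RFC 4519 object classes do not carry it. This is example configuration, not from the original post; the Grizzly-era [ldap] option names, the bind account and all DNs are assumptions.

```ini
# Added example, not from the original post. Option names are those of the
# Grizzly-era Keystone LDAP backend; dc=example,dc=com and the OU names are
# placeholders to be replaced with the real IDM suffix.
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://ipa.example.com
# Bind as a dedicated service account with only the rights it needs,
# never as the IDM admin.
user = uid=keystone,cn=users,cn=accounts,dc=example,dc=com
password = REPLACE_ME
suffix = dc=example,dc=com

# Users are read from the IDM tree; Keystone is not allowed to write to them.
user_tree_dn = cn=users,cn=accounts,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_allow_create = False
user_allow_update = False
user_allow_delete = False
# RFC 4519 classes have no "enabled" attribute, so tell Keystone not to look
# for it (and not to maintain tenant membership fields on user entries).
user_attribute_ignore = enabled,email,tenants,tenantId

# Tenants and roles live in a subtree that Keystone owns and may modify.
tenant_tree_dn = ou=Projects,ou=keystone,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_name_attribute = ou
tenant_member_attribute = member
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = ou=Roles,ou=keystone,dc=example,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True
```

The directory ACLs on the IDM side should match this split: grant the keystone bind account write access only under ou=keystone and read access to cn=users, so a compromised Keystone host cannot alter IDM user accounts even if the *_allow_* flags are later changed.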