[Rdo-list] RDO with Red Hat IDM

Michael Solberg msolberg at redhat.com
Thu May 30 21:13:59 UTC 2013

Hi list.

I've spent a day or two now trying to use Red Hat IDM as a backing store 
for Keystone in RDO and I'm about to pull my hair out.

I started with Adam Young's blog post here:

Then I watched his Summit video here:

Then I tried to follow this document:

I definitely ran into the domain_id problem described here:

I also ran into the issue around the RFC 4519 schema not allowing a 
"enabled" attribute.  I think I've mitigated this by setting the 
"attribute_ignore" settings in keystone.conf.

I've tried tackling the architecture from a few different directions and 
I've gotten to the point where I can create roles, create tenants, and 
list users in my IDM domain, but not assign roles to users.  I think 
this is because I'm trying to separate out the tenants and roles from 
the users in the directory tree.  I don't mind keystone creating objects 
in it's own tree, but I don't want it updating user accounts from IDM.

Has anyone gotten this configuration working?  I'm willing to wade 
through details, but I'm curious if someone else has this working and I 
could just replicate their setup.


Michael Solberg
Principal Architect, Red Hat, Inc.

More information about the dev mailing list