[Rdo-list] RDO with Red Hat IDM
Michael Solberg
msolberg at redhat.com
Thu May 30 21:13:59 UTC 2013
Hi list.
I've spent a day or two now trying to use Red Hat IDM as a backing store
for Keystone in RDO and I'm about to pull my hair out.
I started with Adam Young's blog post here:
http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/
Then I watched his Summit video here:
http://www.openstack.org/summit/portland-2013/session-videos/presentation/securing-openstack-with-freeipa
Then I tried to follow this document:
http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html
I definitely ran into the domain_id problem described here:
https://lists.launchpad.net/openstack/msg23387.html
I also ran into the issue around the RFC 4519 schema not allowing a
"enabled" attribute. I think I've mitigated this by setting the
"attribute_ignore" settings in keystone.conf.
I've tried tackling the architecture from a few different directions and
I've gotten to the point where I can create roles, create tenants, and
list users in my IDM domain, but not assign roles to users. I think
this is because I'm trying to separate out the tenants and roles from
the users in the directory tree. I don't mind keystone creating objects
in it's own tree, but I don't want it updating user accounts from IDM.
Has anyone gotten this configuration working? I'm willing to wade
through details, but I'm curious if someone else has this working and I
could just replicate their setup.
Michael.
--
Michael Solberg
Principal Architect, Red Hat, Inc.
More information about the dev
mailing list