[Rdo-list] Fwd: RDO with Red Hat IDM

Adam Young ayoung at redhat.com
Fri May 31 00:04:12 UTC 2013

On 05/30/2013 05:58 PM, Dave Neary wrote:
> Hi Adam,
> Can you have a look at this post on rdo-list and see if you can figure
> out what's going wrong, please?
> Thanks!
> Dave.
> -------- Original Message --------
> Subject: [Rdo-list] RDO with Red Hat IDM
> Date: Thu, 30 May 2013 17:13:59 -0400
> From: Michael Solberg <msolberg at redhat.com>
> To: rdo-list at redhat.com
> Hi list.
> I've spent a day or two now trying to use Red Hat IDM as a backing store
> for Keystone in RDO and I'm about to pull my hair out.
> I started with Adam Young's blog post here:
> http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/
> Then I watched his Summit video here:
> http://www.openstack.org/summit/portland-2013/session-videos/presentation/securing-openstack-with-freeipa
> Then I tried to follow this document:
> http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html
> I definitely ran into the domain_id problem described here:
> https://lists.launchpad.net/openstack/msg23387.html
> I also ran into the issue around the RFC 4519 schema not allowing a
> "enabled" attribute.  I think I've mitigated this by setting the
> "attribute_ignore" settings in keystone.conf.
> I've tried tackling the architecture from a few different directions and
> I've gotten to the point where I can create roles, create tenants, and
> list users in my IDM domain, but not assign roles to users.  I think
> this is because I'm trying to separate out the tenants and roles from
> the users in the directory tree.  I don't mind keystone creating objects
> in it's own tree, but I don't want it updating user accounts from IDM.

So,  you have put projects into their own subtree?  Can the LDAP user 
from Keystone modify that tree?

I would think you would want to make user that has ACLs set up 
permitting them to make modifications to that tree, but not to add 
users.  Configure Keystone to use that user to talk to LDAP.

Assuming you call that user KeystoneManager, you would then set the 
[LDAP] config value for user = KeystoneManager in Keystone Config.

The ACL stuff in IPA is kind of cool.  I did some write ups here:


That should give you an indication of how you want to proceed.

> Has anyone gotten this configuration working?  I'm willing to wade
> through details, but I'm curious if someone else has this working and I
> could just replicate their setup.
> Michael.

More information about the dev mailing list