[Rdo-list] Fwd: RDO with Red Hat IDM

Michael Solberg msolberg at redhat.com
Fri May 31 13:51:53 UTC 2013

On 05/30/2013 08:04 PM, Adam Young wrote:
> On 05/30/2013 05:58 PM, Dave Neary wrote:
>> Hi Adam,
>> Can you have a look at this post on rdo-list and see if you can figure
>> out what's going wrong, please?
>> Thanks!
>> Dave.
>> -------- Original Message --------
>> Subject: [Rdo-list] RDO with Red Hat IDM
>> Date: Thu, 30 May 2013 17:13:59 -0400
>> From: Michael Solberg <msolberg at redhat.com>
>> To: rdo-list at redhat.com
>> Hi list.
>> I've spent a day or two now trying to use Red Hat IDM as a backing store
>> for Keystone in RDO and I'm about to pull my hair out.
>> I started with Adam Young's blog post here:
>> http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/
>> Then I watched his Summit video here:
>> http://www.openstack.org/summit/portland-2013/session-videos/presentation/securing-openstack-with-freeipa
>> Then I tried to follow this document:
>> http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html
>> I definitely ran into the domain_id problem described here:
>> https://lists.launchpad.net/openstack/msg23387.html
>> I also ran into the issue around the RFC 4519 schema not allowing a
>> "enabled" attribute.  I think I've mitigated this by setting the
>> "attribute_ignore" settings in keystone.conf.
>> I've tried tackling the architecture from a few different directions and
>> I've gotten to the point where I can create roles, create tenants, and
>> list users in my IDM domain, but not assign roles to users.  I think
>> this is because I'm trying to separate out the tenants and roles from
>> the users in the directory tree.  I don't mind keystone creating objects
>> in its own tree, but I don't want it updating user accounts from IDM.
> So,  you have put projects into their own subtree?  Can the LDAP user
> from Keystone modify that tree?

Yes - for right now, I'm just using the cn=Directory Manager account.  I 
figured I'd work on the ACLs once I got the mappings correct.  All of my 
issues so far have been around Keystone trying to create or read objects 
in the tree that don't conform to the standard directory types that we 
ship in IDM (groupOfNames, posixaccount, etc).  That's why I was curious 
if someone had a working configuration that I could look at.  It looks 
like we've documented using AD upstream, but not IDM.

I think what I want is something like this:

user_tree_dn = cn=users,cn=accounts,dc=atl,dc=salab,dc=redhat,dc=com
user_objectclass = person
user_domain_id_attribute = businessCategory
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = email
user_pass_attribute = userPassword
user_attribute_ignore = enabled
user_allow_create = False
user_allow_update = False
user_allow_delete = False
(This is the IDM-managed list of users)

tenant_tree_dn = ou=tenants,cn=openstack,dc=atl,dc=salab,dc=redhat,dc=com
tenant_attribute_ignore = enabled
(This is the Keystone-managed list of tenants)

role_tree_dn = ou=roles,cn=openstack,dc=atl,dc=salab,dc=redhat,dc=com
role_attribute_ignore = enabled
(This is the Keystone-managed list of roles)

> I would think you would want to make a user that has ACLs set up
> permitting them to make modifications to that tree, but not to add
> users.  Configure Keystone to use that user to talk to LDAP.

Yep.  Once I figure out what a working configuration looks like, I was 
going to go down that road.
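As an added illustration of the two points in this exchange (keep the IDM user tree read-only for Keystone, and bind with a dedicated account rather than cn=Directory Manager), here is a small checker for the [ldap] section of keystone.conf plus a generator for the 389-ds/IPA ACI that such an account would need; this is example code, not part of the thread or of Keystone itself, and the hostname ipa.example.com and the uid=keystone bind DN are hypothetical.

```python
import configparser

# Constructed keystone.conf fragment, mirroring the settings in the message above
# with two deliberate weaknesses (Directory Manager bind, user_allow_update = True).
SAMPLE_CONF = """
[ldap]
url = ldap://ipa.example.com
user = cn=Directory Manager
password = secret
user_tree_dn = cn=users,cn=accounts,dc=atl,dc=salab,dc=redhat,dc=com
user_objectclass = person
user_attribute_ignore = enabled
user_allow_create = False
user_allow_update = True
user_allow_delete = False
tenant_tree_dn = ou=tenants,cn=openstack,dc=atl,dc=salab,dc=redhat,dc=com
role_tree_dn = ou=roles,cn=openstack,dc=atl,dc=salab,dc=redhat,dc=com
"""

def lint_ldap_section(conf_text):
    """Return a list of findings for the [ldap] section; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    ldap = cp["ldap"]
    findings = []
    if ldap.get("user", "").lower().startswith("cn=directory manager"):
        findings.append("bind DN is Directory Manager; use a dedicated service account with ACLs")
    # Keystone's defaults for user_allow_* are True, so a missing key counts as writable.
    for op in ("create", "update", "delete"):
        if ldap.getboolean(f"user_allow_{op}", fallback=True):
            findings.append(f"user_allow_{op} is not False; Keystone could write IDM user entries")
    for obj in ("user", "tenant", "role"):
        ignored = [a.strip() for a in ldap.get(f"{obj}_attribute_ignore", "").split(",")]
        if "enabled" not in ignored:
            findings.append(f"{obj}_attribute_ignore lacks 'enabled' (RFC 4519 schema has no such attribute)")
    user_tree = ldap.get("user_tree_dn", "").lower()
    for obj in ("tenant", "role"):
        tree = ldap.get(f"{obj}_tree_dn", "").lower()
        if tree == user_tree or tree.endswith("," + user_tree):
            findings.append(f"{obj}_tree_dn sits inside user_tree_dn; keep Keystone-managed objects in their own subtree")
    return findings

def keystone_aci(bind_dn, acl_name="Keystone manages its own subtree"):
    """389-ds/IPA ACI granting bind_dn full write on the entry it is placed on and below
    (add it as the 'aci' attribute of cn=openstack,...); the IDM user tree stays read-only."""
    return ('(targetattr = "*")(version 3.0; acl "%s"; '
            'allow (read, search, compare, write, add, delete) '
            'userdn = "ldap:///%s";)' % (acl_name, bind_dn))
```

Run lint_ldap_section over the real [ldap] section before enabling the backend; each finding names the key to change.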
