On Tue, Oct 15, 2013 at 12:05 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <[email protected]> wrote:
> Hello,
>
> I have a generic question about the logic now available for LDAP users in
> association with bug 1209440. How do you associate a read-only LDAP user with
> a domain?

I suppose it depends on your definition of "association"? Users have two significant relationships with domains:

A) they can be owned by (namespaced to) a domain
B) they can be assigned roles on domains, granting authorization

> LDAP users are not entered into the keystone user table so the only way I can
> see to associate a user with a domain is to give them a role for the domain
> so an entry is built for them in the user_domain_metadata table. Am I correct
> or is there something I am missing?

This is [B], above. This pattern is identical to that used for projects.

>
> Regards,
>
> Mark
>
> =====================
>
> https://bugs.launchpad.net/keystone/+bug/1209440
>
> =====================
>
> At keystone/identity/backends/ldap.py:230 we allow mapping domain_id of a
> user based on the attribute specified in conf.ldap.user_domain_id_attribute
> which defaults to 'businessCategory'.
> My understanding is that this is no longer required and should no longer be
> allowed and indeed in practice it completely overrides any domain information
> that is provided in the authentication body.
>
> =====================
>
> commit 668ee718127a9983d4838b868efd44ddf661b533
> Author: Morgan Fainberg <[email protected]>
> Date: Thu Sep 19 19:53:02 2013 -0700
>
> Remove ldap identity domain attribute options
>
> LDAP Identity backend is not domain aware, and therefore does not
> need mappings for the domain attributes for user and group.
>
> closes-bug: 1209440
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--

-Dolph
