Yes, that's the preferred approach in Havana: Users and Groups via LDAP, and everything else via SQL.
On Wednesday, November 13, 2013, Avi L wrote: > Hi, > > I understand that the LDAP provider in keystone can be used for > authenticating a user (i.e validate username and password) , and it also > authorize it against roles and tenant. However this requires AD schema > modification. Is it possible to use AD only for authentication and then use > keystone's native database for roles and tenant lookup? The advantage is > that then we don't need to touch the enterprise AD installation. > > Thanks > Al > -- -Dolph
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev