You can assign roles to users in keystoneclient ($ keystone help user-role-add) -- the assignment would be persisted in SQL. openstackclient supports assignments to groups as well if you switch to --identity-api-version=3
On Wed, Nov 13, 2013 at 3:08 PM, Avi L <[email protected]> wrote:

> Oh ok so in this case how does the Active Directory user get an id, and
> how do you map the user to a role? Is there any example you can point me
> to?
>
>
> On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews
> <[email protected]> wrote:
>
>> Yes, that's the preferred approach in Havana: Users and Groups via LDAP,
>> and everything else via SQL.
>>
>>
>> On Wednesday, November 13, 2013, Avi L wrote:
>>
>>> Hi,
>>>
>>> I understand that the LDAP provider in keystone can be used for
>>> authenticating a user (i.e. validate username and password), and it also
>>> authorizes it against roles and tenant. However this requires AD schema
>>> modification. Is it possible to use AD only for authentication and then use
>>> keystone's native database for roles and tenant lookup? The advantage is
>>> that then we don't need to touch the enterprise AD installation.
>>>
>>> Thanks
>>> Al
>>>
>>
>>
>> --
>>
>> -Dolph
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> [email protected]
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>

--
-Dolph
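A keystone.conf sketch of the split described in this thread (users and groups from Active Directory over LDAP, everything else in SQL), added here as an example and not taken from the thread or from the Keystone project. The host name, DNs, bind account and the AD attribute mappings are constructed assumptions to adapt to the directory in use.

```ini
# Constructed example for a Havana keystone.conf; host names, DNs and the
# bind account are placeholders.

[identity]
# Users and groups are read from the directory.
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Tenants, roles and role assignments stay in Keystone's own SQL database,
# so no schema change is needed on the AD side.
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldaps://ad.example.com
# Low-privilege bind account that only needs read access to the user and
# group subtrees.
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
password = <bind-password>
suffix = DC=example,DC=com
query_scope = sub

user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
# The value of this attribute is the user id Keystone reports; role
# assignments stored in SQL (keystone user-role-add) reference it.
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
# Keystone never writes users to the directory.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
# Keystone never writes groups to the directory.
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```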
