Thanks for your help. So in this case the uid parameter to user-role-add
will be any of the AD attribute that I specify in the keystone.conf file ,
i.e sAMAccountname? Also I assume that in this case there will be no
entries of the user in the local sql users table , nor would any id
assigned to individual users by keystone?  Also in this case will user-list
show all the users in the Active Directory under the user tree?

BTW is there a rpm available for havana keystone release for centOS/RHEL?


On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <dolph.math...@gmail.com>wrote:

> You can assign roles to users in keystoneclient ($ keystone help
> user-role-add) -- the assignment would be persisted in SQL. openstackclient
> supports assignments to groups as well if you switch to
> --identity-api-version=3
>
> On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviost...@gmail.com> wrote:
>
>> Oh ok so in this case how does the Active Directory user gets a id , and
>> how do you map the user to a role? Is there any example you can point me
>> to?
>>
>>
>>  On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <dolph.math...@gmail.com
>> > wrote:
>>
>>>  Yes, that's the preferred approach in Havana: Users and Groups via
>>> LDAP, and everything else via SQL.
>>>
>>>
>>> On Wednesday, November 13, 2013, Avi L wrote:
>>>
>>>> Hi,
>>>>
>>>> I understand that the LDAP provider in keystone can be used for
>>>> authenticating a user (i.e validate username and password) , and it also
>>>> authorize it against roles and tenant. However this requires AD schema
>>>> modification. Is it possible to use AD only for authentication and then use
>>>> keystone's native database for roles and tenant lookup? The advantage is
>>>> that then we don't need to touch the enterprise AD installation.
>>>>
>>>> Thanks
>>>> Al
>>>>
>>>
>>>
>>> --
>>>
>>> -Dolph
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev@lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
>
> -Dolph
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to