Thanks for your help. So in this case the uid parameter to user-role-add will be any of the AD attributes that I specify in the keystone.conf file, i.e. sAMAccountName? Also I assume that in this case there will be no entries of the user in the local SQL users table, nor would any id be assigned to individual users by keystone? Also in this case will user-list show all the users in the Active Directory under the user tree?

BTW is there an rpm available for the Havana keystone release for CentOS/RHEL?

On Thu, Nov 14, 2013 at 7:07 AM, Dolph Mathews <dolph.math...@gmail.com> wrote:

> You can assign roles to users in keystoneclient ($ keystone help
> user-role-add) -- the assignment would be persisted in SQL. openstackclient
> supports assignments to groups as well if you switch to
> --identity-api-version=3
>
> On Wed, Nov 13, 2013 at 3:08 PM, Avi L <aviost...@gmail.com> wrote:
>
>> Oh ok so in this case how does the Active Directory user get an id, and
>> how do you map the user to a role? Is there any example you can point me
>> to?
>>
>> On Wed, Nov 13, 2013 at 11:24 AM, Dolph Mathews <dolph.math...@gmail.com> wrote:
>>
>>> Yes, that's the preferred approach in Havana: Users and Groups via
>>> LDAP, and everything else via SQL.
>>>
>>> On Wednesday, November 13, 2013, Avi L wrote:
>>>
>>>> Hi,
>>>>
>>>> I understand that the LDAP provider in keystone can be used for
>>>> authenticating a user (i.e. validate username and password), and it also
>>>> authorizes it against roles and tenant. However this requires AD schema
>>>> modification. Is it possible to use AD only for authentication and then use
>>>> keystone's native database for roles and tenant lookup? The advantage is
>>>> that then we don't need to touch the enterprise AD installation.
>>>>
>>>> Thanks
>>>> Al
>>>
>>> --
>>> -Dolph
>
> --
> -Dolph

_______________________________________________
OpenStack-dev mailing list
OpenStackfirstname.lastname@example.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
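
The split discussed in this thread (users and groups read from Active Directory over LDAP, roles and tenants kept in SQL), as an added keystone.conf sketch that is not part of the original messages or of the keystone project's documentation. The host name, DNs, bind account and password placeholder are constructed; the driver paths and option names follow the Havana-era configuration layout and are assumptions to check against the installed release.

```ini
# keystone.conf (Havana-era layout). All values are constructed placeholders.

[identity]
# Users and groups come from Active Directory over LDAP.
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Roles, tenants and role assignments stay in keystone's own SQL database,
# so no AD schema changes are needed.
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# LDAPS keeps bind credentials and user passwords off the wire in clear text.
url = ldaps://ad.example.com
# Dedicated low-privilege bind account with read access to the trees below.
user = CN=keystone-bind,OU=Service Accounts,DC=example,DC=com
password = <BIND_PASSWORD>
suffix = DC=example,DC=com
use_dumb_member = False

# Where keystone looks for users, and which AD attributes it maps.
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
# Attribute used as the user id (sAMAccountName, as raised in the thread).
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail

# Treat the enterprise directory as read-only.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```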