Hi,

Thanks for the reply. I am still not successful in integrating Keystone with Active Directory. Can you please provide some clarifications related to the following questions?

1. Currently, my Active Directory schema does not have projects/tenants and roles OUs. Is it necessary that I create projects/tenants and roles OUs in the Active Directory schema for Keystone to authenticate to Active Directory?
2. We added values to user_tree_dn. Do the tenant_tree_dn, role_tree_dn and group_tree_dn fields need to be filled in for authenticating?
3. How will the mapping of a user to a project/tenant and role be done if I try to use Active Directory to authenticate only the users and use the already existing projects and roles tables in the MySQL database?

Kindly provide me some insight into these questions.

Thanks,
Tizy

On Tue, May 20, 2014 at 8:27 AM, Adam Young <[email protected]> wrote:

> On 05/16/2014 05:08 AM, Tizy Ninan wrote:
>
> Hi,
>
> We have an OpenStack Havana deployment on CentOS 6.4 and nova-network
> network service installed using Mirantis Fuel v4.0.
> We are trying to integrate the OpenStack setup with the Microsoft Active
> Directory (LDAP server). I only have read access to the LDAP server.
> What will be the minimum changes needed to be made under the [ldap] tag in
> the keystone.conf file? Can you please specify what variables need to be set and
> what should be the values for each variable?
>
> [ldap]
> # url = ldap://localhost
> # user = dc=Manager,dc=example,dc=com
> # password = None
> # suffix = cn=example,cn=com
> # use_dumb_member = False
> # allow_subtree_delete = False
> # dumb_member = cn=dumb,dc=example,dc=com
>
> # Maximum results per page; a value of zero ('0') disables paging (default)
> # page_size = 0
>
> # The LDAP dereferencing option for queries. This can be either 'never',
> # 'searching', 'always', 'finding' or 'default'. The 'default' option falls
> # back to using default dereferencing configured by your ldap.conf.
> # alias_dereferencing = default
>
> # The LDAP scope for queries, this can be either 'one'
> # (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
> # query_scope = one
>
> # user_tree_dn = ou=Users,dc=example,dc=com
> # user_filter =
> # user_objectclass = inetOrgPerson
> # user_id_attribute = cn
> # user_name_attribute = sn
> # user_mail_attribute = email
> # user_pass_attribute = userPassword
> # user_enabled_attribute = enabled
> # user_enabled_mask = 0
> # user_enabled_default = True
> # user_attribute_ignore = default_project_id,tenants
> # user_default_project_id_attribute =
> # user_allow_create = True
> # user_allow_update = True
> # user_allow_delete = True
> # user_enabled_emulation = False
> # user_enabled_emulation_dn =
>
> # tenant_tree_dn = ou=Projects,dc=example,dc=com
> # tenant_filter =
> # tenant_objectclass = groupOfNames
> # tenant_domain_id_attribute = businessCategory
> # tenant_id_attribute = cn
> # tenant_member_attribute = member
> # tenant_name_attribute = ou
> # tenant_desc_attribute = desc
> # tenant_enabled_attribute = enabled
> # tenant_attribute_ignore =
> # tenant_allow_create = True
> # tenant_allow_update = True
> # tenant_allow_delete = True
> # tenant_enabled_emulation = False
> # tenant_enabled_emulation_dn =
>
> # role_tree_dn = ou=Roles,dc=example,dc=com
> # role_filter =
> # role_objectclass = organizationalRole
> # role_id_attribute = cn
> # role_name_attribute = ou
> # role_member_attribute = roleOccupant
> # role_attribute_ignore =
> # role_allow_create = True
> # role_allow_update = True
> # role_allow_delete = True
>
> # group_tree_dn =
> # group_filter =
> # group_objectclass = groupOfNames
> # group_id_attribute = cn
> # group_name_attribute = ou
> # group_member_attribute = member
> # group_desc_attribute = desc
> # group_attribute_ignore =
> # group_allow_create = True
> # group_allow_update = True
> # group_allow_delete = True
>
> Kindly help us to resolve the issue.
>
> Thanks,
> Tizy
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> http://www.youtube.com/watch?v=w3Yjlmb_68g
