Hello,

I am relatively new to OpenStack and Keystone, so please forgive me any
crazy misunderstandings here.

One of the problems with the existing LDAP Identity driver that I see
is that for group management it needs write access to the LDAP server,
or requires an LDAP admin to set up groups separately.

Neither of these is palatable to some larger users with corporate
LDAP directories, so I'm interested in discussing a solution that
would get acceptance from core devs.

My initial thoughts are to create a new driver that would store groups
and their user memberships in the local keystone database, while
continuing to rely on LDAP for user authentication. The advantages of
this would be that the standard UI tools could continue to work for
group manipulation. This is somewhat parallel with ephemeral
federated user group mappings, but that's all done in the JSON blob,
which is a bit horrible. (I'd like to see that working with a decent
UI some time; perhaps it is solved in the same way.)

However, one of the other reasons I'm sending this is to gather more
ideas to solve this. I'd like to hear from anyone in a similar
position, and anyone with input on how to help.

Cheers,
Julian.
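The hybrid design proposed in the message above, as an added example that is not code from the post or from Keystone's own identity drivers: the directory is used only for bind and user lookup (simulated in memory here, since no LDAP server is available offline), while groups and memberships live in a local SQLite table. The class names, the `deprovision` helper standing in for an LDAP admin removing a user upstream, and the sample accounts are all constructed for this illustration. The point it demonstrates beyond the text is the consistency problem such a split creates: membership rows can outlive the directory entry, so effective group lookup re-checks the directory, and a prune routine clears stale rows.

```python
"""Hybrid identity sketch: authenticate against a read-only directory,
store groups locally. Added example, not Keystone code."""
import hashlib
import hmac
import sqlite3


class ReadOnlyDirectory:
    """Stand-in for an LDAP server exposing only bind and user lookup.

    Entries are constructed sample data. A real deployment would replace
    this with a client doing simple bind / search; nothing here requires
    write credentials on the directory.
    """

    def __init__(self, entries):
        # Passwords kept as salted SHA-256 so even the demo holds no plaintext.
        self._salt = b"demo-salt"
        self._entries = {u: self._digest(p) for u, p in entries.items()}

    def _digest(self, password):
        return hashlib.sha256(self._salt + password.encode()).digest()

    def user_exists(self, username):
        return username in self._entries

    def bind(self, username, password):
        """Simulated simple bind: True only for a known user with the right password."""
        stored = self._entries.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(self._digest(password), stored)

    def deprovision(self, username):
        """Models the LDAP admin deleting an account upstream (hypothetical helper)."""
        self._entries.pop(username, None)


class HybridIdentity:
    """Authentication via the directory, groups via a local SQLite database."""

    def __init__(self, directory, db_path=":memory:"):
        self.directory = directory
        self.db = sqlite3.connect(db_path)
        self.db.executescript("""
            PRAGMA foreign_keys = ON;
            CREATE TABLE IF NOT EXISTS groups (name TEXT PRIMARY KEY);
            CREATE TABLE IF NOT EXISTS memberships (
                group_name TEXT NOT NULL REFERENCES groups(name),
                username   TEXT NOT NULL,
                PRIMARY KEY (group_name, username)
            );
        """)

    def authenticate(self, username, password):
        return self.directory.bind(username, password)

    def create_group(self, name):
        self.db.execute("INSERT OR IGNORE INTO groups(name) VALUES (?)", (name,))
        self.db.commit()

    def add_user_to_group(self, group, username):
        # Refuse memberships for users the directory does not know; otherwise
        # the local table drifts away from the directory from day one.
        if not self.directory.user_exists(username):
            raise LookupError(f"unknown user: {username}")
        self.db.execute(
            "INSERT OR IGNORE INTO memberships(group_name, username) VALUES (?, ?)",
            (group, username),
        )
        self.db.commit()

    def remove_user_from_group(self, group, username):
        self.db.execute(
            "DELETE FROM memberships WHERE group_name = ? AND username = ?",
            (group, username),
        )
        self.db.commit()

    def groups_for_user(self, username):
        """Effective groups: rows only count while the user still exists upstream."""
        if not self.directory.user_exists(username):
            return []
        rows = self.db.execute(
            "SELECT group_name FROM memberships WHERE username = ? ORDER BY group_name",
            (username,),
        ).fetchall()
        return [r[0] for r in rows]

    def prune_stale_memberships(self):
        """Drop rows for users no longer in the directory; returns how many were removed."""
        names = [r[0] for r in self.db.execute("SELECT DISTINCT username FROM memberships")]
        stale = [n for n in names if not self.directory.user_exists(n)]
        for n in stale:
            self.db.execute("DELETE FROM memberships WHERE username = ?", (n,))
        self.db.commit()
        return len(stale)


def demo():
    """Constructed sample data: two directory users, one local group."""
    directory = ReadOnlyDirectory({"alice": "correct horse", "bob": "battery staple"})
    ident = HybridIdentity(directory)
    ident.create_group("cloud-admins")
    ident.add_user_to_group("cloud-admins", "alice")
    return ident, directory
```

The `groups_for_user` re-check is the part worth keeping in a real driver: once groups live outside the directory, removing a user from LDAP must still revoke everything, and the local table cannot know that on its own.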

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
