[Rdo-list] Fwd: RDO with Red Hat IDM

Dave Neary dneary at redhat.com
Thu Jun 13 20:20:54 UTC 2013


Hi,

Yes! Please create a page in the wiki and link to it from
http://openstack.redhat.com/Troubleshooting please.

Thanks!
Dave.

On 06/13/2013 03:27 PM, Michael Solberg wrote:
> On 05/31/2013 09:51 AM, Michael Solberg wrote:
>> On 05/30/2013 08:04 PM, Adam Young wrote:
>>> On 05/30/2013 05:58 PM, Dave Neary wrote:
>>>> Hi Adam,
>>>>
>>>> Can you have a look at this post on rdo-list and see if you can figure
>>>> out what's going wrong, please?
>>>>
>>>> Thanks!
>>>> Dave.
>>>>
>>>>
>>>>
>>>> -------- Original Message --------
>>>> Subject: [Rdo-list] RDO with Red Hat IDM
>>>> Date: Thu, 30 May 2013 17:13:59 -0400
>>>> From: Michael Solberg <msolberg at redhat.com>
>>>> To: rdo-list at redhat.com
>>>>
>>>> Hi list.
>>>>
>>>> I've spent a day or two now trying to use Red Hat IDM as a backing store
>>>> for Keystone in RDO and I'm about to pull my hair out.
>>>>
>>>> I started with Adam Young's blog post here:
>>>> http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/
>>>>
>>>> Then I watched his Summit video here:
>>>> http://www.openstack.org/summit/portland-2013/session-videos/presentation/securing-openstack-with-freeipa
>>>>
>>>> Then I tried to follow this document:
>>>> http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html
>>>>
>>>> I definitely ran into the domain_id problem described here:
>>>> https://lists.launchpad.net/openstack/msg23387.html
>>>>
>>>> I also ran into the issue around the RFC 4519 schema not allowing a
>>>> "enabled" attribute.  I think I've mitigated this by setting the
>>>> "attribute_ignore" settings in keystone.conf.
>>>>
>>>> I've tried tackling the architecture from a few different directions and
>>>> I've gotten to the point where I can create roles, create tenants, and
>>>> list users in my IDM domain, but not assign roles to users.  I think
>>>> this is because I'm trying to separate out the tenants and roles from
>>>> the users in the directory tree.  I don't mind keystone creating objects
>>>> in its own tree, but I don't want it updating user accounts from IDM.
>>>
>>> So,  you have put projects into their own subtree?  Can the LDAP user
>>> from Keystone modify that tree?
>>
>> Yes - for right now, I'm just using the cn=Directory Manager account.  I
>> figured I'd work on the ACLs once I got the mappings correct.  All of my
>> issues so far have been around Keystone trying to create or read objects
>> in the tree that don't conform to the standard directory types that we
>> ship in IDM (groupOfNames, posixaccount, etc).  That's why I was curious
>> if someone had a working configuration that I could look at.  It looks
>> like we've documented using AD upstream, but not IDM.
> 
> I figured it out.  Is there a good place for me to document this?
> 
> Thanks.
> 
> Michael.
> 
> _______________________________________________
> Rdo-list mailing list
> Rdo-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rdo-list

-- 
Dave Neary - Community Action and Impact
Open Source and Standards, Red Hat - http://community.redhat.com
Ph: +33 9 50 71 55 62 / Cell: +33 6 77 01 92 13
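For readers landing on this archive page, the following keystone.conf [ldap] fragment sketches the layout the thread describes: users read from IDM's own tree and never written to, tenants and roles kept in a separate subtree that Keystone owns, and the "enabled" attribute ignored because the RFC 4519 / posixAccount schema has no such attribute. It is an added illustration, not configuration posted in this thread or shipped by RDO. The DNs, the dedicated bind account, the object classes and the attribute mappings are assumptions for a Grizzly-era Keystone; check the option names against the keystone.conf your version installs.

```ini
# Added illustration, not configuration from this thread or from RDO.
# Grizzly-era Keystone LDAP backend laid out the way the thread describes.
# All DNs, the bind account and the object classes below are assumptions.

[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://idm.example.com
# Assumption: a dedicated, least-privilege service account instead of
# cn=Directory Manager. It needs read access to the user tree and write
# access only to the Keystone-owned subtree (grant that with an IDM ACI).
user = uid=keystone,cn=sysaccounts,cn=etc,dc=example,dc=com
password = REPLACE_ME
suffix = dc=example,dc=com

# Users: a read-only view of the IDM accounts tree (assumed DN/object class).
user_tree_dn = cn=users,cn=accounts,dc=example,dc=com
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute = userPassword
# posixAccount entries carry no "enabled" attribute: ignore it and treat
# every user Keystone can see as enabled.
user_attribute_ignore = enabled,tenant_id,tenants
user_enabled_default = True
# Keystone must never create, modify or delete IDM user accounts.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Tenants and roles: a subtree Keystone owns (assumed DN).
tenant_tree_dn = ou=projects,ou=keystone,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_member_attribute = member
# groupOfNames requires at least one member, so let Keystone create empty
# tenants with a placeholder member entry (assumed DN).
use_dumb_member = True
dumb_member = cn=dumb,ou=keystone,dc=example,dc=com
tenant_attribute_ignore = enabled
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = ou=roles,ou=keystone,dc=example,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True
```

With this split the user tree stays untouched because tenant membership and role assignments are written only to entries under ou=keystone (the tenant's member attribute and roleOccupant values on organizationalRole entries), which is also the only place the service account needs write permission. If role assignment still fails, the first thing to check is whether the bind account's ACI actually covers that subtree, since the thread notes that cn=Directory Manager hides exactly that class of error.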