From 5b3e05bbabd5366461630327e4498fe582ff8ab7 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Wed, 7 Mar 2012 16:04:32 -0500 Subject: added LDAP section to architecture and architecture https://bugs.launchpad.net/keystone/+bug/949521 Bug 949521 Change-Id: I2e37c0d946e3d97a2c4bc4bf4a50bd94466f70c2 --- doc/source/architecture.rst | 6 ++++++ doc/source/configuration.rst | 42 +++++++++++++++++++++++++++++++++++++++--- 2 files changed, 45 insertions(+), 3 deletions(-) (limited to 'doc/source') diff --git a/doc/source/architecture.rst b/doc/source/architecture.rst index b6498a08..97a68f4c 100644 --- a/doc/source/architecture.rst +++ b/doc/source/architecture.rst @@ -167,6 +167,12 @@ interpolation):: catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0 catalog.RegionOne.identity.name = 'Identity Service' + +LDAP Backend +----------------- +The LDAP backend stored Users and Tenents in separate Subtrees. Roles are recorded +as entries under the Tenants. + ---------- Data Model ---------- diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 6e7c6875..95b2e0ad 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -6,7 +6,7 @@ not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT @@ -516,7 +516,7 @@ exmaple:: keyword arguments -* user +* user * role * tenant_id @@ -532,7 +532,7 @@ example:: keyword arguments -* user +* user * role * tenant_id 
@@ -595,3 +595,39 @@ example:: $ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b + +Configuring the LDAP Identity Provider +=========================================================== + +As an alternative to the SQL Databse backing store, Keystone can Use a +Directory server to provide the Identity service. An example Schema +for openstack would look like this:: + + dn: cn=openstack,cn=org + dc: openstack + objectClass: dcObject + objectClass: organizationalUnit + ou: openstack + + dn: ou=Groups,cn=openstack,cn=org + objectClass: top + objectClass: organizationalUnit + ou: groups + + dn: ou=Users,cn=openstack,cn=org + objectClass: top + objectClass: organizationalUnit + ou: users + + dn: ou=Roles,cn=openstack,cn=org + objectClass: top + objectClass: organizationalUnit + ou: users + +The corresponding entries in the Keystone configuration file are:: + + [ldap] + url = ldap://localhost + suffix = dc=openstack,dc=org + user = dc=Manager,dc=openstack,dc=org + password = badpassword
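Review bot: The new "LDAP Backend" paragraph in the architecture.rst hunk (@@ -167,6 +167,12 @@) contradicts the schema this same commit adds to configuration.rst: it says roles are "recorded as entries under the Tenants", while the example tree has a separate `ou=Roles` subtree and no Tenants subtree at all. One of the two descriptions should be corrected so the architecture text matches the documented layout. While here, fix "stored" to "stores" and "Tenents" to "Tenants", and shorten the `-----------------` underline to the heading width; the neighbouring "Data Model" heading in the context lines keeps its underline the same length as the title.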
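Review bot: The @@ -6,7 +6,7 @@ hunk in configuration.rst changes only whitespace on the license URL line (`http://www.apache.org/licenses/LICENSE-2.0`). It has nothing to do with the LDAP documentation the commit message describes and makes the diff harder to review; drop it or move it to a separate whitespace-cleanup change.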
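Review bot: The @@ -516,7 +516,7 @@ hunk only strips trailing whitespace from `* user`, which again is unrelated to the LDAP section; if the block is being touched anyway, the `exmaple::` typo in the hunk's own context line should be corrected at the same time, otherwise the whitespace change belongs in a separate cleanup commit.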
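Review bot: The @@ -532,7 +532,7 @@ hunk is the same trailing-whitespace-only change to `* user` as the hunk above it; keep the two together in a cleanup commit rather than in this documentation change so the LDAP content stays reviewable on its own.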
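Review bot: The example schema and the `[ldap]` section in the @@ -595,3 +595,39 @@ hunk do not agree with each other. The four `dn:` lines use `cn=openstack,cn=org` as the base, but the top entry carries a `dc: openstack` attribute and the `dcObject` class and has no `cn` attribute at all, so its RDN should be `dc=openstack`; meanwhile the config sets `suffix = dc=openstack,dc=org`, so Keystone as documented would search a base that the documented tree does not contain. Use `dc=openstack,dc=org` consistently in all four DNs. Further: the `ou=Roles` entry ends with `ou: users` (should be `ou: roles`, and it must match the RDN), the bind DN `user = dc=Manager,dc=openstack,dc=org` uses `dc` as the naming attribute for what is conventionally a `cn=Manager` entry, and the prose has typos ("Databse", "can Use", "Schema"). Finally, `password = badpassword` together with `url = ldap://localhost` documents a cleartext bind credential stored in keystone.conf and sent over an unencrypted connection; the example should use an obvious placeholder for the password, and the text should state that the file holding this value needs restrictive permissions and that an `ldaps://` (TLS) URL should be used for anything other than a local test setup. A one-line description of what `suffix`, `user` and `password` mean would also help readers who have not seen the `[ldap]` section before.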