What is group_tree_dn used for in keystone?

asked 2014-07-10 02:59:13 -0500 by DeepVish

updated 2014-07-10 16:55:34 -0500 by smaffulli

When is the following stanza used in keystone.conf?

group_tree_dn =
group_filter =
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = ou
group_member_attribute = member
group_desc_attribute = desc
group_attribute_ignore =
group_allow_create = True
group_allow_update = True
group_allow_delete = True

What does it control? Where is it used?


2 answers


answered 2014-07-14 22:30:35 -0500 by mpetason

For Active Directory you need to set up the correct search string for nested groups:

http://msdn.microsoft.com/en-us/libra...

member:1.2.840.113556.1.4.1941:=

For a non-AD backend you would look for something similar. Nested groups would be checked with the search string.


answered 2014-07-10 12:40:41 -0500 by viral.mutant

updated 2014-07-11 00:18:25 -0500

Hi, I think it is used to assign a role to a group (bunch) of users under a tenant.

My keystone.conf snippet looks like:

group_tree_dn = ou=Groups,ou=OpenStack,dc=ldap,dc=com
group_name_attribute = cn

I have defined 1 group (groupOfNames) under this ou which has 2 members:

dn: cn=authgroup,ou=Groups,ou=openstack,dc=ldap,dc=com
cn: authgroup
objectClass: groupOfNames
objectClass: top
member: uid=auth1,ou=Users,ou=openstack,dc=ldap,dc=com
member: uid=auth2,ou=Users,ou=openstack,dc=ldap,dc=com

And under a tenant, this group is a roleOccupant of 'member' role:

dn: cn=member,cn=Authentication,ou=Customers,ou=openstack,dc=ldap,dc=com
objectClass: organizationalRole
cn: member
roleOccupant: uid=authadmin,ou=users,ou=openstack,dc=ldap,dc=com
roleOccupant: cn=authgroup,ou=Groups,ou=openstack,dc=ldap,dc=com

These users now appear under keystone user-list:

keystone user-list
+-----------+-----------+---------+-------+
|     id    |    name   | enabled | email |
+-----------+-----------+---------+-------+
| authadmin | authadmin |         |       |
|   auth1   |   auth1   |         |       |
|   auth2   |   auth2   |         |       |
|   swift   |   swift   |         |       |
+-----------+-----------+---------+-------+

And querying the roles of user auth1 shows the following:

keystone user-role-list --user=auth1 --tenant=authentication
+--------+--------+---------+----------------+
|   id   |  name  | user_id |   tenant_id    |
+--------+--------+---------+----------------+
| member | member |  auth1  | Authentication |
+--------+--------+---------+----------------+

So basically it's moving the user level management to group level.

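To make the group-to-role mapping in this answer concrete, and to show what the nested-group expansion from the Active Directory answer above amounts to, here is an added example script. It is not keystone code and not part of either answer: it parses the two LDIF entries posted here (plus a constructed nested group cn=nestedgroup and a constructed user auth3, which exist only in this example), uses the group_* setting names from the question, and resolves which users hold the 'member' role either directly as a roleOccupant or through the group. Nested expansion is done locally here purely for illustration, in the way the AD chain matching rule would do it server-side; whether keystone itself follows nested groups is the open question in the comments below and is not settled by this example.

```python
"""Resolve which LDAP users hold a tenant role via direct or group assignment.

Added example built on the LDIF entries from the answer above; the nested
group and user auth3 are constructed for illustration and are not on the page.
"""
from typing import Dict, List, Set

# Setting names as in keystone.conf; values from the question and answer.
GROUP_TREE_DN = "ou=Groups,ou=OpenStack,dc=ldap,dc=com"
GROUP_OBJECTCLASS = "groupOfNames"
GROUP_MEMBER_ATTRIBUTE = "member"

# Constructed LDIF: the answer's two entries plus a hypothetical nested group
# that is a member of authgroup (and refers back to it, to exercise cycle handling).
LDIF = """\
dn: cn=authgroup,ou=Groups,ou=openstack,dc=ldap,dc=com
cn: authgroup
objectClass: groupOfNames
objectClass: top
member: uid=auth1,ou=Users,ou=openstack,dc=ldap,dc=com
member: uid=auth2,ou=Users,ou=openstack,dc=ldap,dc=com
member: cn=nestedgroup,ou=Groups,ou=openstack,dc=ldap,dc=com

dn: cn=nestedgroup,ou=Groups,ou=openstack,dc=ldap,dc=com
cn: nestedgroup
objectClass: groupOfNames
member: uid=auth3,ou=Users,ou=openstack,dc=ldap,dc=com
member: cn=authgroup,ou=Groups,ou=openstack,dc=ldap,dc=com

dn: cn=member,cn=Authentication,ou=Customers,ou=openstack,dc=ldap,dc=com
objectClass: organizationalRole
cn: member
roleOccupant: uid=authadmin,ou=users,ou=openstack,dc=ldap,dc=com
roleOccupant: cn=authgroup,ou=Groups,ou=openstack,dc=ldap,dc=com
"""

ROLE_DN = "cn=member,cn=Authentication,ou=Customers,ou=openstack,dc=ldap,dc=com"


def norm_dn(dn: str) -> str:
    """DNs are case-insensitive in LDAP (the posted entries mix ou=openstack and
    ou=OpenStack, ou=users and ou=Users); normalise before comparing them."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: blank line separates entries, 'attr: value' per line."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {}
            entries[norm_dn(value)] = current
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def is_group(entry: Dict[str, List[str]]) -> bool:
    return GROUP_OBJECTCLASS.lower() in (v.lower() for v in entry.get("objectclass", []))


def in_group_tree(dn: str) -> bool:
    return norm_dn(dn).endswith("," + norm_dn(GROUP_TREE_DN))


def expand_group(entries, group_dn: str, nested: bool, seen: Set[str]) -> Set[str]:
    """User DNs in a group; follows member groups only when nested=True.
    `seen` stops infinite recursion on membership cycles."""
    key = norm_dn(group_dn)
    if key in seen:
        return set()
    seen.add(key)
    users: Set[str] = set()
    for member in entries.get(key, {}).get(GROUP_MEMBER_ATTRIBUTE.lower(), []):
        mk = norm_dn(member)
        if mk in entries and is_group(entries[mk]) and in_group_tree(mk):
            if nested:
                users |= expand_group(entries, mk, nested, seen)
        else:
            users.add(mk)
    return users


def role_occupants(entries, role_dn: str, nested: bool = False) -> Set[str]:
    """User DNs holding the role: direct roleOccupant users plus group members."""
    users: Set[str] = set()
    for occupant in entries.get(norm_dn(role_dn), {}).get("roleoccupant", []):
        ok = norm_dn(occupant)
        if ok in entries and is_group(entries[ok]):
            users |= expand_group(entries, ok, nested, set())
        else:
            users.add(ok)
    return users


def role_user_ids(entries, role_dn: str, nested: bool = False) -> Set[str]:
    """Reduce the occupant DNs to their uid RDN, as `keystone user-list` shows them."""
    ids = set()
    for dn in role_occupants(entries, role_dn, nested):
        attr, _, value = dn.split(",")[0].partition("=")
        if attr == "uid":
            ids.add(value)
    return ids


if __name__ == "__main__":
    directory = parse_ldif(LDIF)
    print("direct + one level:", sorted(role_user_ids(directory, ROLE_DN)))
    print("with nested groups:", sorted(role_user_ids(directory, ROLE_DN, nested=True)))
```

Without nested expansion the result is authadmin, auth1 and auth2, matching the user-role-list output in the answer; with it, auth3 is picked up through cn=nestedgroup. The DN normalisation matters in practice: an entry compared by raw string would miss the group because the role's roleOccupant and the group's own dn differ in case.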

Comments

Thanks for the reply. We tried the above setup; basic groups are working now but nested groups are not working. Does keystone support nested groups?

DeepVish (2014-07-11 01:21:43 -0500)

Can you please elaborate on the entries which you have added under groups and tenants, particularly the objectClass etc.? Though I haven't tested nested groups, I believe it should/may work.

viral.mutant (2014-07-15 00:02:37 -0500)
