Original bug report was: implement an LDAP backend for identity that:

* allows for mapping by a tenant to a group/search set in LDAP
* authenticates to LDAP
* manages tenants and tenant-user linkages in SQL external to LDAP

Better stated as: Split the identity backend into an identity portion and an assignments portion.

This work is tracked by blueprint https://blueprints.launchpad.net/keystone/+spec/split-identity
How to test:

Configure both the SQL and LDAP values for Keystone. Set up Keystone to use the SQL assignment backend and the LDAP identity backend:

    [identity]
    driver = keystone.identity.backends.ldap.Identity

    [assignment]
    driver = keystone.identity.backends.sqlAssignment

Run the tempest test suite.

As a precondition, make sure that there are no users or groups set up in the SQL database, and no roles, role assignments, or projects in the LDAP database. After running tempest, that precondition should hold true as well.

Any users or groups created by tempest should only exist in the LDAP backend. Any role assignments etc. should only exist in the SQL backend.
Make sure that you have read-only access to LDAP in the test above.
Verified: assignments and identity function separately.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1859.html