Red Hat Bugzilla – Bug 983345
[RFE] Splitting assignments from the Identity Backend.
Last modified: 2016-04-26 23:54:38 EDT
Original bug report was:
implement an LDAP backend for identity that:
* allows for mapping by a tenant to a group/search set in LDAP
* authenticates to LDAP
* manages tenants and tenant-user linkages in SQL external to LDAP
Better stated as:
Split the identity backend into an identity portion and an assignments portion.
This work is tracked by blueprint
How to test:
Configure both the SQL and LDAP values for Keystone.
Set up Keystone to use the sql asignment backend, and the LDAP identity backend
driver = keystone.identity.backends.ldap.Identity
driver = keystone.identity.backends.sqlAssignment
Run the tempest test suite.
As a precondtion, make sure that there are no users or groups set up in the Sql Database, and no roles, role assignments, or projects in the LDAP database.
after running tempest, that precondition should hold true as well.
Any users or groups created by tempest should only exist in the LDAP backend
Any role assignments etc should only exist in the sql backend.
Make sure that you have read only access to LDAP in the test above.
verified, assignments and identity function separately
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.