Organizational data is held in publicly accessible directories accessed via the Lightweight Directory Access Protocol (LDAP). In general, the end applications have the ability to query via LDAP, but not to update it. Up until Grizzly, the OpenStack Identity management service, Keystone, has required write access to the backing store if you wanted to be able to manage authorization from within OpenStack. This mismatch has been addressed in Havana.
Getting to the point where we could separate the LDAP data from the rest of the data that Keystone managed required a few new abstractions. The most important one happened in the Grizzly release: the ability to group users. Once we had groups, we had a natural place to split between what Keystone should manage directly and what Keystone should only consume.
In Havana, several of the entities previously managed via the Identity backend have been split off into a new backend called Assignments. The Assignments driver now manages:
- Projects (also previously referred to as Tenants)
- Role Assignments
The Identity driver still manages:
- Group Assignments
The default drivers for both Identity and Assignments are SQL. If you were using SQL in the past to manage Identity, you will see no difference.
Now, we didn’t want to go and break all of the existing LDAP deployments out there, so there is a little bit of configuration magic involved. If the Identity driver is specified to be LDAP and no Assignments driver is specified, Keystone assumes that the system was previously all in LDAP, and will use the LDAP driver for Assignments.
If you want to have Identity served out of LDAP but Assignments served out of SQL, you must have the following keystone.conf options set:

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
The existing LDAP configuration documentation is still valid when Identity is in LDAP and Assignments are in SQL. The LDAP config values for entities in the Assignments backend, such as projects and roles, will be ignored.
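The fallback rule above is easy to get wrong silently, so here is an added check (example code, not part of the post or of Keystone itself) that resolves which backend a keystone.conf will actually use for Identity and Assignments and flags whether the LDAP store still needs write access; it assumes a driver's backend can be read from the module name in its class path, and the sample configurations are constructed.

```python
import configparser


def _backend_kind(driver_path):
    """Classify a Keystone driver class path by the backend module it names."""
    parts = driver_path.split(".")
    if "ldap" in parts:
        return "ldap"
    if "sql" in parts:
        return "sql"
    return "other"


def effective_backends(conf_text):
    """Resolve the backends Havana Keystone will use from keystone.conf text.

    Rule from the post: Identity and Assignments both default to SQL, except
    that an LDAP Identity driver with no explicit Assignments driver makes
    Keystone fall back to LDAP for Assignments (a pre-Havana all-LDAP layout).
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    identity_driver = cp.get("identity", "driver", fallback=None)
    assignment_driver = cp.get("assignment", "driver", fallback=None)

    identity = _backend_kind(identity_driver) if identity_driver else "sql"
    if assignment_driver:
        assignment, source = _backend_kind(assignment_driver), "explicit"
    elif identity == "ldap":
        assignment, source = "ldap", "implicit fallback"
    else:
        assignment, source = "sql", "default"

    return {
        "identity": identity,
        "assignment": assignment,
        "assignment_source": source,
        # Keystone only needs to write to LDAP when it manages assignments there.
        "ldap_write_needed": assignment == "ldap",
    }


# Constructed sample configurations (not taken from a real deployment).
SPLIT_CONF = """[identity]
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment
"""
LEGACY_CONF = """[identity]
driver = keystone.identity.backends.ldap.Identity
"""

if __name__ == "__main__":
    for name, text in (("split", SPLIT_CONF), ("legacy", LEGACY_CONF)):
        print(name, effective_backends(text))
```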
In Havana, Keystone only supports a single LDAP server. There is an effort underway to support multiple, but that will have to wait until Icehouse.