You can leave the roles/projects outside of LDAP by just using the LDAP identity plugin, leaving the rest in SQL. It sounds like they will be deprecating putting roles/projects in LDAP in the future anyway.

That leaves identity mapping. There is a table of LDAP users to unique IDs in the database. I haven't tried, but you might be able to import all your LDAP users into the table, then before any usage, switch the id to the old IDs. No idea if it's safe to do that though. You will have to test it thoroughly.

Thanks,
Kevin

________________________________________
From: Caius Howcroft [caius.howcr...@gmail.com]
Sent: Monday, March 02, 2015 7:36 AM
To: openstack-operators@lists.openstack.org
Subject: [Openstack-operators] Migrating keystone from MySQL to LDAP

Hi,

We are in the process of migrating off MySQL backend for keystone and into LDAP. Just wondering if anyone had any experience with this? I'm going to have to keep all the IDs the same (or else go in and change project ids etc in things like cinder db). Looks like keystone API doesn't allow me to force a uuid at creation time for projects, roles and users. I can go in and create the projects etc in a python script directly, but that's a bit messy. Just wondered if anyone had done this and had a neater solution?

Caius

--
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators