Mathieu,

We use LDAP (AD) with a fallback to MySQL. This allows us to store service accounts (like nova) and "team accounts" for use in Jenkins/scripts etc. in MySQL. We only do Identity via LDAP and we have a forked copy of this driver (https://github.com/SUSE-Cloud/keystone-hybrid-backend) to do this. We don't have any permissions to write into LDAP or move people into groups, so we keep a copy of users locally for purposes of user-list operations. The only interaction between OpenStack and LDAP for us is when that driver tries a bind.
On Tue, Mar 31, 2015 at 6:06 PM, Mathieu Gagné <mga...@iweb.com> wrote:
> Hi,
>
> Let's say I wish to use an existing enterprise LDAP service to manage my
> OpenStack users so I only have one place to manage users.
>
> How would you manage authentication and credentials from a security
> point of view? Do you tell your users to use their enterprise
> credentials or do you use another method/credentials?
>
> The reason is that (usually) enterprise credentials also give access to
> a whole lot of systems other than OpenStack itself. And it goes without
> saying that I'm not fond of the idea of storing my password in plain
> text to be used by some scripts I created.
>
> What's your opinion/suggestion? Do you guys have a second credential
> system solely used for OpenStack?
>
> --
> Mathieu
_______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
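A minimal model of the try-LDAP-bind-then-fall-back-to-MySQL flow described in the reply, as an added example that is not the forked keystone-hybrid-backend driver's code. The LDAP bind is a constructed in-memory fake, the MySQL side is a dict of salted PBKDF2 hashes, and the locally kept user copy is a plain set; the one rule the example enforces is that a name known to LDAP never falls through to the local store, so a local password can never shadow an enterprise account.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Set, Tuple

# bind(name, password) -> True/False for LDAP users, None if LDAP has no such user
LdapBind = Callable[[str, str], Optional[bool]]


class HybridIdentity:
    """LDAP first, local (MySQL-style) store second. Hypothetical class, not Keystone's."""

    def __init__(self, ldap_bind: LdapBind, ldap_user_copy: Set[str]):
        self.ldap_bind = ldap_bind
        self.ldap_user_copy = set(ldap_user_copy)   # read-only mirror for user-list
        self.local: Dict[str, Tuple[bytes, bytes]] = {}   # name -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_local_account(self, name: str, password: str) -> None:
        if name in self.ldap_user_copy:
            raise ValueError("refusing local account that shadows an LDAP user")
        salt = os.urandom(16)
        self.local[name] = (salt, self._hash(password, salt))

    def authenticate(self, name: str, password: str) -> bool:
        ldap_result = self.ldap_bind(name, password)
        if ldap_result is not None:
            return ldap_result          # LDAP answered: never consult the local store
        rec = self.local.get(name)
        if rec is None:
            return False                # unknown everywhere: fail closed
        salt, expected = rec
        return hmac.compare_digest(self._hash(password, salt), expected)

    def list_users(self):
        return sorted(self.ldap_user_copy | set(self.local))


# Constructed fake directory standing in for the AD bind (not a real LDAP client).
_FAKE_DIRECTORY = {"alice": "corp-secret"}

def fake_ldap_bind(name: str, password: str) -> Optional[bool]:
    if name not in _FAKE_DIRECTORY:
        return None
    return hmac.compare_digest(_FAKE_DIRECTORY[name], password)

def build_demo() -> HybridIdentity:
    backend = HybridIdentity(fake_ldap_bind, ldap_user_copy=set(_FAKE_DIRECTORY))
    backend.add_local_account("nova", "svc-pass")   # service account lives in MySQL only
    return backend
```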