Hello,

We have a small private OpenStack deployment with 300 VMs across 2 regions.
We currently use the Keystone v2.0 API and all accounts are currently stored in SQL.

We would like to move Keystone to authenticate users from LDAP (identity), whilst still having the service accounts stored in SQL (migrating to Keystone v3 in the process).

In our testing environment we have configured domain-specific drivers to support the above configuration, with the 'default' domain being SQL and a separate domain 'ldap' for credentials from LDAP.

Usernames are the same for accounts in both 'default' and 'ldap'.
Assignments would still reside in SQL.

This setup works for the creation of new resources; however, any resources defined in the old domain ('default') are obviously not available in the 'ldap' domain.

Has anyone migrated resources between domains? There doesn't appear to be any OpenStack tooling to support this (?).

Or is the solution to simply configure the ldap domain named as 'default' and the SQL domain named as something like 'services'?

--
Kind regards,

Ben Morrice

______________________________________________________________________
Ben Morrice | e: ben.morr...@epfl.ch | t: +41-21-693-9670
EPFL ENT CBS BBP
Biotech Campus
Chemin des Mines 9
1202 Geneva
Switzerland

