added LDAP section to architecture and architecture

https://bugs.launchpad.net/keystone/+bug/949521 Bug 949521 Change-Id: I2e37c0d946e3d97a2c4bc4bf4a50bd94466f70c2
openstack · Mar 13, 2012 · 5b3e05b · 5b3e05b
1 parent e65a22c
commit 5b3e05b
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 3 deletions.
diff --git a/doc/source/architecture.rst b/doc/source/architecture.rst
@@ -167,6 +167,12 @@ interpolation)::
   catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0
   catalog.RegionOne.identity.name = 'Identity Service'
 
+
+LDAP Backend
+-----------------
+The LDAP backend stored Users and Tenents in separate Subtrees.  Roles are recorded
+as entries under the Tenants.
+
 ----------
 Data Model
 ----------

diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
@@ -6,7 +6,7 @@
       not use this file except in compliance with the License. You may obtain
       a copy of the License at
 
-          http://www.apache.org/licenses/LICENSE-2.0
+	  http://www.apache.org/licenses/LICENSE-2.0
 
       Unless required by applicable law or agreed to in writing, software
       distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
@@ -516,7 +516,7 @@ exmaple::
 
 keyword arguments
 
-* user <user-id> 
+* user <user-id>
 * role <role-id>
 * tenant_id <tenant-id>
 
@@ -532,7 +532,7 @@ example::
 
 keyword arguments
 
-* user <user-id> 
+* user <user-id>
 * role <role-id>
 * tenant_id <tenant-id>
 
@@ -595,3 +595,39 @@ example::
 
     $ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b
 
+
+Configuring the LDAP Identity Provider
+===========================================================
+
+As an alternative to the SQL Databse backing store, Keystone can Use a
+Directory server to provide the Identity service.  An example Schema
+for openstack would look like this::
+
+  dn: cn=openstack,cn=org
+  dc: openstack
+  objectClass: dcObject
+  objectClass: organizationalUnit
+  ou: openstack
+
+  dn: ou=Groups,cn=openstack,cn=org
+  objectClass: top
+  objectClass: organizationalUnit
+  ou: groups
+
+  dn: ou=Users,cn=openstack,cn=org
+  objectClass: top
+  objectClass: organizationalUnit
+  ou: users
+
+  dn: ou=Roles,cn=openstack,cn=org
+  objectClass: top
+  objectClass: organizationalUnit
+  ou: users
+
+The corresponding entries in the Keystone configuration file are::
+
+  [ldap]
+  url = ldap://localhost
+  suffix = dc=openstack,dc=org
+  user = dc=Manager,dc=openstack,dc=org
+  password = badpassword