Generally the Active Directory deployments are very large and properly organised under multiple Organizational Units(OU). OUs can be based on Department, Functioning groups etc.
Following diagram depict the sample AD environment with multiple OU.
One can configure the AD with Keystone using ldap identity provider so that users from AD are visible on Keystone.
In current keystone ldap provider there is no mechanism of providing two or more OUs. For Example today if one want to use only user from OU=Comp and OU=Admin for keystone he has to provide user OU as dc=myuniv,dc=com ie root of AD. Because of this all users from all OUs will be visible to keystone. Currently providing multiple OUs in keystone configuration in not in plan.
However one can limit the number of users visible to keystone using following two mechanisms from Active Directory.
- Update attribute of all users those users should be visible to keystone and update the
For example I chose ‘description’ attribute of user on Active Directory and updated the this attribute of all user those should be visible to keystone with description=OBJECT_USERRun following on spectrum scale cluster to update the filter
mmobj config change –ccrfile keystone.conf –section ldap –property user_filter –value ‘(description=OBJECT_USER)’
- Another approach apply ACL on bind user such that only required OU’s will be visible to keystone.In this deny full acl need to be added for bind user on all OU except the OU’s from which users will be visible to keystone.
For example in my setup I dont want user from OU=org1. testuser1 is binduser hence i added deny acl for testuser1 on OU=org1.
Now keystone will list all users expect users from OU=org1.
“These are my personal views and do not necessarily reflect that of my employer”