Hi, we did this last week at Linaro. I have documented the process in a blog post that is a walkthrough of a post by Steve Martinelli[1] from the keystone team:

http://thetestingcorner.com/2017/01/30/ldap-authentication-for-openstack/

At the bottom of it there is a gerrit review with a patch to our ansible playbooks that adds support for LDAP authentication. We kept the default domain for service accounts and any other that needs to be managed outside LDAP, and then we have the LDAP domain for the actual end users.

Happy to review any patches or help with whichever one you are producing.

Hope that helps,
Gema

[1] https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/

On 02/02/17 16:07, Dave Walker wrote:
> Try /etc/kolla/config/keystone/domains/keystone.$DOMAIN.conf
>
> Thanks
>
> On 2 February 2017 at 00:20, Christian Tardif <[email protected]> wrote:
>
>     Will sure give it a try! And from a kolla perspective, it means
>     that this file should go in
>     /etc/kolla/config/domains/keystone.$DOMAIN.conf in order to be
>     pushed to the relevant containers?
>
>     ------------------------------------------------------------------------
>
>     Christian Tardif
>     [email protected]
>
>     Please think of the environment before printing this message.
>
>     ------ Original message ------
>     From: "Dave Walker" <[email protected]>
>     To: "OpenStack Development Mailing List (not for usage questions)" <[email protected]>
>     Sent: 2017-02-01 11:39:15
>     Subject: Re: [openstack-dev] [kolla] Domains support
>
>> Hi Christian,
>>
>> I added the domain support, but I didn't document it as well as I
>> should have. Apologies!
>>
>> This is the config I am using to talk to a windows AD server.
>> Hope this helps.
>>
>> create a domain specific file:
>> etc/keystone/domains/keystone.$DOMAIN.conf:
>>
>> [ldap]
>> use_pool = true
>> pool_size = 10
>> pool_retry_max = 3
>> pool_retry_delay = 0.1
>> pool_connection_timeout = -1
>> pool_connection_lifetime = 600
>> use_auth_pool = false
>> auth_pool_size = 100
>> auth_pool_connection_lifetime = 60
>> url = ldap://server1:389,ldap://server2:389
>> user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
>> password = password
>> suffix = dc=example,dc=com
>> user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
>> user_objectclass = person
>> user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
>> user_id_attribute = sAMAccountName
>> user_name_attribute = sAMAccountName
>> user_description_attribute = displayName
>> user_mail_attribute = mail
>> user_pass_attribute =
>> user_enabled_attribute = userAccountControl
>> user_enabled_mask = 2
>> user_enabled_default = 512
>> user_attribute_ignore = password,tenant_id,tenants
>> group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
>> group_name_attribute = name
>> group_id_attribute = cn
>> group_objectclass = group
>> group_member_attribute = member
>>
>> [identity]
>> driver = keystone.identity.backends.ldap.Identity
>>
>> [assignment]
>> driver = keystone.assignment.backends.sql.Assignment
>>
>> --
>> Kind Regards,
>> Dave Walker
>>
>> On 1 February 2017 at 05:03, Christian Tardif <[email protected]> wrote:
>>
>>     Hi,
>>
>>     I'm looking for domains support in Kolla. I've searched, but
>>     didn't find anything relevant. Could someone point me to how to
>>     achieve this?
>>
>>     What I'm really looking for, in fact, is a decent way of
>>     setting auth through LDAP backend while keeping service users
>>     (neutron, for example) in the SQL backend. I know that this
>>     can be achieved with domains support (leaving default domain
>>     on SQL, and another domain for LDAP users). Or maybe there's
>>     another way of doing this?
>>
>>     Thanks,
>>
>>     ------------------------------------------------------------------------
>>
>>     Christian Tardif
>>     [email protected]
>>
>>     __________________________________________________________________________
>>     OpenStack Development Mailing List (not for usage questions)
>>     Unsubscribe: [email protected]?subject:unsubscribe
>>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
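Added here as a worked example, not code from the thread or from kolla or keystone: a small Python checker that parses a domain-specific [ldap] section shaped like the one Dave posted, lists the settings a reviewer would question before pushing such a file into the keystone containers (plain ldap:// without use_tls, a bind password kept in the file), and shows how user_enabled_mask = 2 is applied to AD's userAccountControl. The sample config, the finding codes and the audit function are constructed for this example; use_tls and tls_cacertfile are real keystone [ldap] options.

```python
import configparser

# Constructed sample modelled on the [ldap] section quoted in the thread; not a real deployment.
SAMPLE_DOMAIN_CONF = """\
[ldap]
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password = password
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
"""

def user_enabled(user_account_control, enabled_mask):
    """Keystone's mask rule: the user is enabled unless every bit in
    user_enabled_mask is set in the attribute value. For AD, bit 2 of
    userAccountControl is ACCOUNTDISABLE and 512 is NORMAL_ACCOUNT."""
    return (int(user_account_control) & enabled_mask) != enabled_mask

def load_ldap_section(conf_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser["ldap"]

def audit_ldap_section(ldap):
    """Return (code, message) findings for settings worth a second look."""
    findings = []
    urls = [u.strip() for u in ldap.get("url", "").split(",")]
    use_tls = ldap.getboolean("use_tls", fallback=False)
    if any(u.startswith("ldap://") for u in urls) and not use_tls:
        findings.append(("cleartext-ldap",
            "bind DN/password and user passwords cross the wire unencrypted; "
            "use ldaps:// or set use_tls = true with tls_cacertfile"))
    if ldap.get("password"):
        findings.append(("bind-password-in-file",
            "service bind password is stored in the domain config; restrict "
            "the file to the keystone user and keep it out of version control"))
    if (ldap.get("user_enabled_attribute") == "userAccountControl"
            and ldap.getint("user_enabled_mask", fallback=0) != 2):
        findings.append(("enabled-mask",
            "userAccountControl needs user_enabled_mask = 2 (ACCOUNTDISABLE)"))
    return findings

if __name__ == "__main__":
    section = load_ldap_section(SAMPLE_DOMAIN_CONF)
    for code, msg in audit_ldap_section(section):
        print(f"{code}: {msg}")
    mask = section.getint("user_enabled_mask")
    for uac in (512, 514):  # 512 = normal account, 514 = normal + disabled
        print(uac, "enabled" if user_enabled(uac, mask) else "disabled")
```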
