Hi Christian, I added the domain support, but I didn't document it as well as I should have. Apologies!
This is the config I am using to talk to a Windows AD server. Hope this helps.

Create a domain-specific file:

etc/keystone/domains/keystone.$DOMAIN.conf:

[ldap]
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600
use_auth_pool = false
auth_pool_size = 100
auth_pool_connection_lifetime = 60
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password = password
suffix = dc=example,dc=com
user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
user_objectclass = person
user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_description_attribute = displayName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
group_name_attribute = name
group_id_attribute = cn
group_objectclass = group
group_member_attribute = member

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

--
Kind Regards,
Dave Walker

On 1 February 2017 at 05:03, Christian Tardif <christian.tar...@servinfo.ca> wrote:
> Hi,
>
> I'm looking for domains support in Kolla. I've searched, but didn't find
> anything relevant. Could someone point me how to achieve this?
>
> What I'm really looking for, in fact, is a decent way of setting auth
> through LDAP backend while keeping service users (neutron, for example) in
> the SQL backend. I know that this can be achieved with domains support
> (leaving default domain on SQL, and another domain for LDAP users). Or maybe
> there's another way of doing this?
>
> Thanks,
> ------------------------------
>
> *Christian Tardif*
> christian.tar...@servinfo.ca
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
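
A check one could run over the posted [ldap] section before deploying it, as an added example that is not part of the original message or of Kolla/Keystone: it flags ldap:// URLs where the simple-bind password would travel without TLS, and shows how user_enabled_mask = 2 reads Active Directory's userAccountControl (bit 2 is ACCOUNTDISABLE, 512 is a normal account). The function names and sample values are assumptions made for the example; use_tls, tls_cacertfile, tls_cacertdir and tls_req_cert are Keystone [ldap] options that the posted config does not set.

```python
import configparser

# Constructed sample: a trimmed copy of the [ldap] section from the message.
SAMPLE = """\
[ldap]
url = ldap://server1:389,ldap://server2:389
password = password
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
"""

def load_ldap(text):
    # interpolation=None: a '%' in a password or filter must stay literal
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp["ldap"]

def transport_findings(ldap):
    """List ways the bind password could reach the directory unprotected."""
    urls = [u.strip() for u in ldap.get("url", fallback="").split(",") if u.strip()]
    start_tls = ldap.getboolean("use_tls", fallback=False)
    findings = [f"{u}: simple bind is unencrypted (no ldaps://, use_tls is off)"
                for u in urls if u.lower().startswith("ldap://") and not start_tls]
    uses_tls = start_tls or any(u.lower().startswith("ldaps://") for u in urls)
    if uses_tls and not (ldap.get("tls_cacertfile") or ldap.get("tls_cacertdir")):
        findings.append("TLS is on but no tls_cacertfile/tls_cacertdir is set")
    if uses_tls and ldap.get("tls_req_cert", fallback="demand") in ("never", "allow"):
        findings.append("tls_req_cert does not require a valid server certificate")
    return findings

def account_enabled(ldap, user_account_control=None):
    """Apply user_enabled_mask: the account is disabled when the masked bit is set."""
    mask = ldap.getint("user_enabled_mask", fallback=0)
    if mask == 0:
        raise ValueError("user_enabled_mask is not set; attribute is not a bitmask")
    if user_account_control is None:  # attribute missing on the entry
        user_account_control = ldap.getint("user_enabled_default")
    return (int(user_account_control) & mask) != mask

if __name__ == "__main__":
    ldap = load_ldap(SAMPLE)
    for finding in transport_findings(ldap):
        print("WARN", finding)
    for uac in (512, 514, 66048, 66050):
        print(uac, "enabled" if account_enabled(ldap, uac) else "disabled")
```
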