Re: [openstack-dev] [kolla] Domains support

2017-02-09 Thread Christian Tardif

OK great !!!

Now, I have a working LDAP setup!  Thanks for your help.

Now, about the modifications done to Horizon's config file (in fact, in 
local_settings), I had to perform these changes through the 
local_settings.j2 template file. Is this the place where modifications 
go, or is there any place in kolla's override config directory where 
I could set that?



Christian Tardif




-- Original message --
From: "Gema Gomez" <g...@ggomez.me>
To: openstack-dev@lists.openstack.org
Sent: 2017-02-02 14:10:51
Subject: Re: [openstack-dev] [kolla] Domains support


Hi,

we've done this last week at Linaro. I have documented the process in a
blog post that is a walkthrough of a post by Steve Martinelli[1] from
the keystone team:

http://thetestingcorner.com/2017/01/30/ldap-authentication-for-openstack/

At the bottom of it there is a gerrit review with a patch to our ansible
playbooks that adds support for LDAP authentication. We kept the default
domain for service accounts and any other that needs to be managed
outside LDAP and then we have the LDAP domain for the actual end users.

Happy to review any patches or help with whichever one you are producing.


Hope that helps,
Gema

[1]
https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/

On 02/02/17 16:07, Dave Walker wrote:

 Try /etc/kolla/config/keystone/domains/keystone.$DOMAIN.conf

 Thanks

 On 2 February 2017 at 00:20, Christian Tardif
 <christian.tar...@servinfo.ca> wrote:


 Will sure give it a try ! And from a kolla perspective, it means
 that this file should go in
 /etc/kolla/config/domains/keystone.$DOMAIN.conf in order to be
 pushed to the relevant containers ?
 



 Christian Tardif
 christian.tar...@servinfo.ca

 Please think of the environment before printing this message.




 -- Original message --
 From: "Dave Walker" <em...@daviey.com>
 To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
 Sent: 2017-02-01 11:39:15
 Subject: Re: [openstack-dev] [kolla] Domains support


 Hi Christian,

 I added the domain support, but I didn't document it as well as I
 should have. Apologies!

 This is the config I am using to talk to a windows AD server.
 Hope this helps.

 create a domain specific file:
 etc/keystone/domains/keystone.$DOMAIN.conf:

 [ldap]
 use_pool = true
 pool_size = 10
 pool_retry_max = 3
 pool_retry_delay = 0.1
 pool_connection_timeout = -1
 pool_connection_lifetime = 600
 use_auth_pool = false
 auth_pool_size = 100
 auth_pool_connection_lifetime = 60
 url = ldap://server1:389,ldap://server2:389
 user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
 password = password
 suffix = dc=example,dc=com
 user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
 user_objectclass = person
 user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
 user_id_attribute = sAMAccountName
 user_name_attribute = sAMAccountName
 user_description_attribute = displayName
 user_mail_attribute = mail
 user_pass_attribute =
 user_enabled_attribute = userAccountControl
 user_enabled_mask = 2
 user_enabled_default = 512
 user_attribute_ignore = password,tenant_id,tenants
 group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
 group_name_attribute = name
 group_id_attribute = cn
 group_objectclass = group
 group_member_attribute = member

 [identity]
 driver = keystone.identity.backends.ldap.Identity

 [assignment]
 driver = keystone.assignment.backends.sql.Assignment

 --
 Kind Regards,
 Dave Walker

 On 1 February 2017 at 05:03, Christian Tardif
 <christian.tar...@servinfo.ca> wrote:

 Hi,

 I'm looking for domains support in Kolla. I've searched, but
 didn't find anything relevant. Could someone point me how to
 achieve this?

 What I'm really looking for, in fact, is a decent way of
 setting auth through LDAP backend while keeping service users
 (neutron, for example) in the SQL backend. I know that this
 can be achieved with domains support (leaving default do

Re: [openstack-dev] [kolla] Domains support

2017-02-02 Thread Gema Gomez
Hi,

we've done this last week at Linaro. I have documented the process in a
blog post that is a walkthrough of a post by Steve Martinelli[1] from
the keystone team:

http://thetestingcorner.com/2017/01/30/ldap-authentication-for-openstack/

At the bottom of it there is a gerrit review with a patch to our ansible
playbooks that adds support for LDAP authentication. We kept the default
domain for service accounts and any other that needs to be managed
outside LDAP and then we have the LDAP domain for the actual end users.

Happy to review any patches or help with whichever one you are producing.

Hope that helps,
Gema

[1]
https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/

On 02/02/17 16:07, Dave Walker wrote:
> Try /etc/kolla/config/keystone/domains/keystone.$DOMAIN.conf
> 
> Thanks
> 
> On 2 February 2017 at 00:20, Christian Tardif
> <christian.tar...@servinfo.ca> wrote:
> 
> Will sure give it a try ! And from a kolla perspective, it means
> that this file should go in
> /etc/kolla/config/domains/keystone.$DOMAIN.conf in order to be
> pushed to the relevant containers ?
> 
> 
> Christian Tardif
> christian.tar...@servinfo.ca
> 
> Please think of the environment before printing this message.
> 
> 
> 
> 
> -- Original message --
> From: "Dave Walker" <em...@daviey.com>
> To: "OpenStack Development Mailing List (not for usage questions)"
> <openstack-dev@lists.openstack.org>
> Sent: 2017-02-01 11:39:15
> Subject: Re: [openstack-dev] [kolla] Domains support
> 
>> Hi Christian,
>>
>> I added the domain support, but I didn't document it as well as I
>> should have. Apologies!
>>
>> This is the config I am using to talk to a windows AD server. 
>> Hope this helps.
>>
>> create a domain specific file:
>> etc/keystone/domains/keystone.$DOMAIN.conf:
>>
>> [ldap]
>> use_pool = true
>> pool_size = 10
>> pool_retry_max = 3
>> pool_retry_delay = 0.1
>> pool_connection_timeout = -1
>> pool_connection_lifetime = 600
>> use_auth_pool = false
>> auth_pool_size = 100
>> auth_pool_connection_lifetime = 60
>> url = ldap://server1:389,ldap://server2:389
>> user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
>> password = password
>> suffix = dc=example,dc=com
>> user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
>> user_objectclass = person
>> user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
>> user_id_attribute = sAMAccountName
>> user_name_attribute = sAMAccountName
>> user_description_attribute = displayName
>> user_mail_attribute = mail
>> user_pass_attribute =
>> user_enabled_attribute = userAccountControl
>> user_enabled_mask = 2
>> user_enabled_default = 512
>> user_attribute_ignore = password,tenant_id,tenants
>> group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
>> group_name_attribute = name
>> group_id_attribute = cn
>> group_objectclass = group
>> group_member_attribute = member
>>
>> [identity]
>> driver = keystone.identity.backends.ldap.Identity
>>
>> [assignment]
>> driver = keystone.assignment.backends.sql.Assignment
>>
>> --
>> Kind Regards,
>> Dave Walker
>>
>> On 1 February 2017 at 05:03, Christian Tardif
>> <christian.tar...@servinfo.ca> wrote:
>>
>> Hi,
>>
>> I'm looking for domains support in Kolla. I've searched, but
>> didn't find anything relevant. Could someone point me how to
>> achieve this?
>>
>> What I'm really looking for, in fact, is a decent way of
>> setting auth through LDAP backend while keeping service users
>> (neutron, for example) in the SQL backend. I know that this
>> can be achieved with domains support (leaving default d

Re: [openstack-dev] [kolla] Domains support

2017-02-02 Thread Dave Walker
Try /etc/kolla/config/keystone/domains/keystone.$DOMAIN.conf

Thanks

On 2 February 2017 at 00:20, Christian Tardif <christian.tar...@servinfo.ca>
wrote:

> Will sure give it a try ! And from a kolla perspective, it means that this
> file should go in /etc/kolla/config/domains/keystone.$DOMAIN.conf in
> order to be pushed to the relevant containers ?
> --
>
>
> Christian Tardif
> christian.tar...@servinfo.ca
>
> Please think of the environment before printing this message.
>
>
>
> -- Original message --
> From: "Dave Walker" <em...@daviey.com>
> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
> Sent: 2017-02-01 11:39:15
> Subject: Re: [openstack-dev] [kolla] Domains support
>
> Hi Christian,
>
> I added the domain support, but I didn't document it as well as I should
> have. Apologies!
>
> This is the config I am using to talk to a windows AD server.  Hope this
> helps.
>
> create a domain specific file:
> etc/keystone/domains/keystone.$DOMAIN.conf:
>
> [ldap]
> use_pool = true
> pool_size = 10
> pool_retry_max = 3
> pool_retry_delay = 0.1
> pool_connection_timeout = -1
> pool_connection_lifetime = 600
> use_auth_pool = false
> auth_pool_size = 100
> auth_pool_connection_lifetime = 60
> url = ldap://server1:389,ldap://server2:389
> user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
> password = password
> suffix = dc=example,dc=com
> user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
> user_objectclass = person
> user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
> user_id_attribute = sAMAccountName
> user_name_attribute = sAMAccountName
> user_description_attribute = displayName
> user_mail_attribute = mail
> user_pass_attribute =
> user_enabled_attribute = userAccountControl
> user_enabled_mask = 2
> user_enabled_default = 512
> user_attribute_ignore = password,tenant_id,tenants
> group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
> group_name_attribute = name
> group_id_attribute = cn
> group_objectclass = group
> group_member_attribute = member
>
> [identity]
> driver = keystone.identity.backends.ldap.Identity
>
> [assignment]
> driver = keystone.assignment.backends.sql.Assignment
>
> --
> Kind Regards,
> Dave Walker
>
> On 1 February 2017 at 05:03, Christian Tardif <christian.tar...@servinfo.ca> wrote:
>
>> Hi,
>>
>> I'm looking for domains support in Kolla. I've searched, but didn't find
>> anything relevant. Could someone point me how to achieve this?
>>
>> What I'm really looking for, in fact, is a decent way of setting auth
>> through LDAP backend while keeping service users (neutron, for example) in
>> the SQL backend. I know that this can be achieved with domains support
>> (leaving default domain on SQL, and another domain for LDAP users). Or maybe
>> there's another way of doing this?
>>
>> Thanks,
>> --
>> Christian Tardif
>> christian.tar...@servinfo.ca
>>
>> 
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
>


Re: [openstack-dev] [kolla] Domains support

2017-02-01 Thread Christian Tardif
Will sure give it a try ! And from a kolla perspective, it means that 
this file should go in /etc/kolla/config/domains/keystone.$DOMAIN.conf 
in order to be pushed to the relevant containers ?


Christian Tardif
christian.tar...@servinfo.ca

Please think of the environment before printing this message.




-- Original message --
From: "Dave Walker" <em...@daviey.com>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Sent: 2017-02-01 11:39:15
Subject: Re: [openstack-dev] [kolla] Domains support


Hi Christian,

I added the domain support, but I didn't document it as well as I 
should have. Apologies!


This is the config I am using to talk to a windows AD server.  Hope 
this helps.


create a domain specific file:
etc/keystone/domains/keystone.$DOMAIN.conf:

[ldap]
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600
use_auth_pool = false
auth_pool_size = 100
auth_pool_connection_lifetime = 60
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password = password
suffix = dc=example,dc=com
user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
user_objectclass = person
user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_description_attribute = displayName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
group_name_attribute = name
group_id_attribute = cn
group_objectclass = group
group_member_attribute = member

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

--
Kind Regards,
Dave Walker

On 1 February 2017 at 05:03, Christian Tardif 
<christian.tar...@servinfo.ca> wrote:

Hi,

I'm looking for domains support in Kolla. I've searched, but didn't 
find anything relevant. Could someone point me how to achieve this?


What I'm really looking for, in fact, is a decent way of setting auth 
through LDAP backend while keeping service users (neutron, for 
example) in the SQL backend. I know that this can be achieved with 
domains support (leaving default domain on SQL, and another domain for 
LDAP users). Or maybe there's another way of doing this?


Thanks,

Christian Tardif
christian.tar...@servinfo.ca





Re: [openstack-dev] [kolla] Domains support

2017-02-01 Thread Dave Walker
Hi Christian,

I added the domain support, but I didn't document it as well as I should
have. Apologies!

This is the config I am using to talk to a windows AD server.  Hope this
helps.

create a domain specific file:
etc/keystone/domains/keystone.$DOMAIN.conf:

[ldap]
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600
use_auth_pool = false
auth_pool_size = 100
auth_pool_connection_lifetime = 60
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password = password
suffix = dc=example,dc=com
user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
user_objectclass = person
user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_description_attribute = displayName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
group_name_attribute = name
group_id_attribute = cn
group_objectclass = group
group_member_attribute = member

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

--
Kind Regards,
Dave Walker

On 1 February 2017 at 05:03, Christian Tardif wrote:

> Hi,
>
> I'm looking for domains support in Kolla. I've searched, but didn't find
> anything relevant. Could someone point me how to achieve this?
>
> What I'm really looking for, in fact, is a decent way of setting auth
> through LDAP backend while keeping service users (neutron, for example) in
> the SQL backend. I know that this can be achieved with domains support
> (leaving default domain on SQL, and another domain for LDAP users). Or maybe
> there's another way of doing this?
>
> Thanks,
> --
> Christian Tardif
> christian.tar...@servinfo.ca
>
>
>
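As an added example (not code from this thread, nor from Kolla or Keystone), the following Python parses a domain file shaped like the one Dave posted, lists the points a security reviewer would raise about it (ldap:// URLs without use_tls, the bind password sitting in the file), and shows how the user_enabled_mask = 2 / user_enabled_default = 512 pair maps Active Directory's userAccountControl values onto Keystone's enabled flag. The sample config and the AD entries are constructed for the example; the review checks are this example's own, and the enabled rule is a re-implementation of the documented mask semantics for illustration, not Keystone's code.

```python
"""Review a Keystone domain-specific LDAP config and evaluate AD enabled flags."""
import configparser

# Constructed sample input: the [ldap]/[identity]/[assignment] sections posted
# in the thread, with the line-wrapped values rejoined. Not read from disk.
SAMPLE_DOMAIN_CONF = """
[ldap]
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password = password
suffix = dc=example,dc=com
user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
user_objectclass = person
user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
"""

# Bit 0x2 of Active Directory's userAccountControl is ACCOUNTDISABLE; that is
# why the posted config sets user_enabled_mask = 2.
ACCOUNTDISABLE = 0x2


def load_domain_conf(text):
    """Parse keystone.<domain>.conf text; interpolation off so '%' in DNs is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def review_domain_conf(cp):
    """Return reviewer findings for a domain config (this example's own checks)."""
    findings = []
    ldap = cp["ldap"]
    use_tls = ldap.getboolean("use_tls", fallback=False)
    for url in (u.strip() for u in ldap.get("url", "").split(",") if u.strip()):
        if url.startswith("ldap://") and not use_tls:
            findings.append(f"cleartext: {url} without use_tls; the bind password and "
                            "user attributes cross the network unencrypted")
    if ldap.get("password"):
        findings.append("bind password is stored in the domain file; keep the file "
                        "readable only by the keystone service user")
    ident = cp.get("identity", "driver", fallback="")
    if not (ident == "ldap" or ident.endswith(".ldap.Identity")):
        findings.append(f"identity driver {ident!r} is not the LDAP driver")
    assign = cp.get("assignment", "driver", fallback="sql")
    if not (assign == "sql" or assign.endswith(".sql.Assignment")):
        findings.append(f"assignment driver {assign!r}: role assignments should stay in SQL")
    ignored = {a.strip() for a in ldap.get("user_attribute_ignore", "").split(",")}
    if "password" not in ignored:
        findings.append("user_attribute_ignore should include password")
    if (ldap.get("user_enabled_attribute") == "userAccountControl"
            and ldap.getint("user_enabled_mask", fallback=0) != ACCOUNTDISABLE):
        findings.append("userAccountControl is the enabled attribute but "
                        "user_enabled_mask is not 2 (ACCOUNTDISABLE)")
    return findings


def ldap_user_enabled(entry, ldap_section):
    """Apply the user_enabled_* rule to one LDAP entry (dict of attribute -> string).

    Re-implements the documented Keystone semantics for illustration: with a
    non-zero mask the user is enabled unless all masked bits are set; with no
    mask the attribute is read as a boolean. user_enabled_default is used when
    the attribute is absent from the entry.
    """
    attr = ldap_section.get("user_enabled_attribute", "enabled")
    mask = int(ldap_section.get("user_enabled_mask", "0"))
    raw = entry.get(attr, ldap_section.get("user_enabled_default", "True"))
    if mask:
        return (int(raw) & mask) != mask
    return str(raw).strip().lower() in ("true", "1", "yes")


if __name__ == "__main__":
    conf = load_domain_conf(SAMPLE_DOMAIN_CONF)
    for finding in review_domain_conf(conf):
        print("FINDING:", finding)
    # Constructed AD entries: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE,
    # 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD, and one entry missing the attribute.
    for name, uac in [("alice", "512"), ("bob", "514"), ("carol", "66048"), ("dave", None)]:
        entry = {"sAMAccountName": name}
        if uac is not None:
            entry["userAccountControl"] = uac
        print(name, "enabled" if ldap_user_enabled(entry, conf["ldap"]) else "disabled")
```

Running it prints three findings for the posted config (two cleartext URLs and the stored bind password) and reports alice, carol and dave as enabled and bob as disabled; adding use_tls = true to the [ldap] section removes the two URL findings, while the stored password is a file-permission matter rather than something the config itself can fix.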


[openstack-dev] [kolla] Domains support

2017-01-31 Thread Christian Tardif

Hi,

I'm looking for domains support in Kolla. I've searched, but didn't find 
anything relevant. Could someone point me how to achieve this?


What I'm really looking for, in fact, is a decent way of setting auth 
through LDAP backend while keeping service users (neutron, for example) 
in the SQL backend. I know that this can be achieved with domains 
support (leaving default domain on SQL, and another domain for LDAP 
users). Or maybe there's another way of doing this?


Thanks,

Christian Tardif
christian.tar...@servinfo.ca