Re: [openstack-dev] [kolla] Domains support
OK great!!! Now I have a working LDAP setup! Thanks for your help.

Now, about the modifications done to Horizon's config file (in fact, in local_settings): I had to perform these changes through the local_settings.j2 template file. Is this the place where modifications go, or is there any place in kolla's override config directory where I could set that?

Christian Tardif

-- Original message --
From: "Gema Gomez" <g...@ggomez.me>
To: openstack-dev@lists.openstack.org
Sent: 2017-02-02 14:10:51
Subject: Re: [openstack-dev] [kolla] Domains support
Re: [openstack-dev] [kolla] Domains support
Hi,

we've done this last week at Linaro. I have documented the process in a blog post that is a walkthrough of a post by Steve Martinelli[1] from the keystone team: http://thetestingcorner.com/2017/01/30/ldap-authentication-for-openstack/

At the bottom of it there is a gerrit review with a patch to our ansible playbooks that adds support for LDAP authentication. We kept the default domain for service accounts and any other that needs to be managed outside LDAP, and then we have the LDAP domain for the actual end users.

Happy to review any patches or help with whichever one you are producing.

Hope that helps,
Gema

[1] https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/

On 02/02/17 16:07, Dave Walker wrote:
Re: [openstack-dev] [kolla] Domains support
Try /etc/kolla/config/keystone/domains/keystone.$DOMAIN.conf

Thanks

On 2 February 2017 at 00:20, Christian Tardif <christian.tar...@servinfo.ca> wrote:

OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Domains support
Will sure give it a try! And from a kolla perspective, it means that this file should go in /etc/kolla/config/domains/keystone.$DOMAIN.conf in order to be pushed to the relevant containers?

Christian Tardif
christian.tar...@servinfo.ca

Please consider the environment before printing this message.

-- Original message --
From: "Dave Walker" <em...@daviey.com>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Sent: 2017-02-01 11:39:15
Subject: Re: [openstack-dev] [kolla] Domains support
Re: [openstack-dev] [kolla] Domains support
Hi Christian,

I added the domain support, but I didn't document it as well as I should have. Apologies!

This is the config I am using to talk to a Windows AD server. Hope this helps.

Create a domain-specific file, etc/keystone/domains/keystone.$DOMAIN.conf:

[ldap]
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600
use_auth_pool = false
auth_pool_size = 100
auth_pool_connection_lifetime = 60
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password = password
suffix = dc=example,dc=com
user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
user_objectclass = person
user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_description_attribute = displayName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
group_name_attribute = name
group_id_attribute = cn
group_objectclass = group
group_member_attribute = member

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

--
Kind Regards,
Dave Walker

On 1 February 2017 at 05:03, Christian Tardif wrote:
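Added example, not from the thread nor from kolla or keystone: a standard-library Python check that parses a domain-specific file of the shape Dave posted and reports what a reviewer would flag before dropping it into the /etc/kolla/config/keystone/domains/keystone.$DOMAIN.conf location from his later reply: the filename encodes the domain, [identity] is LDAP while [assignment] stays SQL (so service users keep living in the SQL default domain), no plaintext ldap:// URL unless use_tls is on, no placeholder bind password, and user_enabled_mask/user_enabled_default consistent with AD's userAccountControl bits (2 = ACCOUNTDISABLE, 512 = NORMAL_ACCOUNT). The sample configs, the domain name corp and the finding texts are constructed.

```python
import configparser
import re
from pathlib import PurePosixPath

# kolla picks the file up from /etc/kolla/config/keystone/domains/keystone.<domain>.conf
DOMAIN_FILE_RE = re.compile(r"^keystone\.[^/]+\.conf$")
AD_ACCOUNTDISABLE = 0x2  # userAccountControl bit that marks a disabled AD account

def check_domain_config(text, path="keystone.example.conf"):
    """Return the list of findings for one domain-specific config (empty list = clean)."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    ldap = cfg["ldap"] if cfg.has_section("ldap") else {}
    findings = []
    if not DOMAIN_FILE_RE.match(PurePosixPath(path).name):
        findings.append("filename must be keystone.<domain>.conf")
    if "ldap" not in cfg.get("identity", "driver", fallback="").lower():
        findings.append("[identity] driver is not the LDAP backend")
    if "sql" not in cfg.get("assignment", "driver", fallback="").lower():
        findings.append("[assignment] driver should stay SQL so role assignments are not written to LDAP")
    # Transport: every URL in the comma-separated list must be ldaps:// unless StartTLS is enabled.
    use_tls = ldap.get("use_tls", "false").strip().lower() == "true"
    for url in ldap.get("url", "").split(","):
        if url.strip().startswith("ldap://") and not use_tls:
            findings.append(f"{url.strip()} sends the bind password in clear; use ldaps:// or use_tls = true")
    if ldap.get("password", "").strip() in ("", "password", "changeme"):
        findings.append("bind password is empty or a placeholder")
    # AD enabled state: mask must be the ACCOUNTDISABLE bit and the default must not have it set.
    if ldap.get("user_enabled_attribute", "") == "userAccountControl":
        mask = int(ldap.get("user_enabled_mask", "0"))
        default = int(ldap.get("user_enabled_default", "0"))
        if mask != AD_ACCOUNTDISABLE or default & AD_ACCOUNTDISABLE:
            findings.append("user_enabled_mask/user_enabled_default do not match userAccountControl bits")
    return findings

# Constructed sample in the shape of the config posted in the thread (values shortened).
POSTED_STYLE = """
[ldap]
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password = password
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
[identity]
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment
"""
# Same file with the transport and secret findings fixed (constructed values).
HARDENED = POSTED_STYLE.replace(
    "ldap://server1:389,ldap://server2:389", "ldaps://server1:636,ldaps://server2:636"
).replace("password = password", "password = REPLACE_WITH_BIND_SECRET")
```

Run check_domain_config(text, path) on each file under /etc/kolla/config/keystone/domains/ before kolla-ansible deploys it; an empty list means every check passed.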
[openstack-dev] [kolla] Domains support
Hi,

I'm looking for domains support in Kolla. I've searched, but didn't find anything relevant. Could someone point me how to achieve this?

What I'm really looking for, in fact, is a decent way of setting auth through an LDAP backend while keeping service users (neutron, for example) in the SQL backend. I know that this can be achieved with domains support (leaving the default domain on SQL, and another domain for LDAP users). Or maybe there's another way of doing this?

Thanks,

Christian Tardif
christian.tar...@servinfo.ca