[Openstack-operators] Migration to LDAP / default domain questions

Antonio Messina antonio.s.messina at gmail.com
Fri Jul 29 08:14:12 UTC 2016


Hi Ben,

We recently migrated from single-domain to multi-domain. However, in
our case the situation was a bit different. The cloud was already in
production with the default domain pointing to LDAP, and we didn't really
want to update every resource, so we kept the default domain on LDAP
and added a second domain backed by SQL.

We also moved all the services to SQL accounts. Although nova,
glance, cinder, swift and neutron work pretty well with multidomain
(once you have figured out the proper options in the config file),
ceilometer is still not working with keystone v3, so for that service
we still use an LDAP account.

Tenants are still in the "default" domain, as they are stored in SQL anyway.

Back to your question: if you only need to add the corresponding users
in the ldap domain to the same projects they have in the default domain,
you can do something like:

for user in $(openstack user list --domain default -c Name -f value)
do
  # every project (by ID) on which the default-domain user holds a role
  for project in $(openstack role assignment list --user $user \
                   --user-domain default --project-domain default \
                   -c Project -f value)
  do
    # assuming all users will be added as "Member", otherwise you have
    # to add a loop here
    openstack role add --user $user --user-domain ldap \
      --project $project --project-domain default Member
  done
done

but if you also moved the projects from SQL to LDAP, or you want to
update the DB and retain historical information, well, that's another
story, and I would think twice :)

.a.


2016-07-06 16:23 GMT+02:00 Ben Morrice <ben.morrice at epfl.ch>:
> Hello,
>
> We have a small private OpenStack deployment with 300 VMs across 2 regions.
> We currently use the Keystone v2.0 API and all accounts are currently stored
> in SQL.
>
> We would like to move keystone to authenticate users from LDAP (identity),
> whilst still having the service accounts stored in SQL (migrating to
> Keystone v3 in the process).
>
> In our testing environment we have configured domain-specific drivers to
> support the above configuration, with the 'default' domain being SQL and a
> separate domain 'ldap' for credentials from LDAP.
>
> Usernames are the same for accounts in both 'default' and 'ldap'.
> Assignments would still reside in SQL.
>
> This setup works for the creation of new resources, however any resources
> defined in the old domain ('default') are obviously not available in the
> 'ldap' domain.
>
> Has anyone migrated resources between domains? There doesn't appear to be
> any OpenStack tooling to support this (?).
>
> Or is the solution to simply configure the ldap domain named as 'default'
> and the SQL domain named as something like 'services' ?
>
> --
> Kind regards,
>
> Ben Morrice
>
> ______________________________________________________________________
> Ben Morrice | e: ben.morrice at epfl.ch | t: +41-21-693-9670
> EPFL ENT CBS BBP
> Biotech Campus
> Chemin des Mines 9
> 1202 Geneva
> Switzerland
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators



-- 
antonio.s.messina at gmail.com
antonio.messina at uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland