Hello,

On Wed, May 20, 2020, at 05:51, CHANU ROMAIN wrote:
Hello,
You can use multi domain authentication.
One using LDAP and another one using database
https://docs.openstack.org/keystone/latest/admin/configuration.html
Romain is right, use domain-specific configuration to configure a different identity backend for non-service users. The specific section of that page that addresses this is here: https://docs.openstack.org/keystone/latest/admin/configuration.html#domain-s...

Colleen
Best regards,
Romain
*From:* Amjad Kotobi <kotobi@dkrz.de>
*Sent:* Wednesday, May 20, 2020 2:41 PM
*To:* openstack-discuss@lists.openstack.org
*Subject:* [keystone][ldap]

Hi all,
I’m integrating keystone with LDAP, and have “service accounts”, e.g. Nova, keystone etc., which are in the database. As soon as I connect it to LDAP, all authentication fails. How can I have both “service accounts” and “LDAP users” connected to Keystone?
Here is my keystone.conf
###################
[ldap]
url = ldap://XXXXX
user = uid=XXX,cn=sysaccounts,cn=etc,dc=XXX,dc=de
password = dkrzprox
user_tree_dn = cn=users,cn=accounts,dc=XXX,dc=de
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = uid
user_allow_create = false
user_allow_update = false
user_allow_delete = false
group_tree_dn = cn=groups,cn=accounts,dc=XXX,dc=de
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description
group_allow_create = false
group_allow_update = false
group_allow_delete = false
use_pool = true
use_auth_pool = true
debug_level = 4095
query_scope = sub
[identity]
driver = ldap
#####################
OS: Centos7
OpenStack-Release: Train
Any idea or example of options would be great!
Thank you