[openstack-dev] [kolla] Domains support

Dave Walker email at daviey.com
Wed Feb 1 16:39:15 UTC 2017


Hi Christian,

I added the domain support, but I didn't document it as well as I should
have. Apologies!

This is the config I am using to talk to a Windows AD server.  Hope this
helps.

Create a domain-specific file:
etc/keystone/domains/keystone.$DOMAIN.conf:

[ldap]
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600
use_auth_pool = false
auth_pool_size = 100
auth_pool_connection_lifetime = 60
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password                 = password
suffix                   = dc=example,dc=com
user_tree_dn             = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
user_objectclass         = person
user_filter              = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
user_id_attribute        = sAMAccountName
user_name_attribute      = sAMAccountName
user_description_attribute = displayName
user_mail_attribute      = mail
user_pass_attribute      =
user_enabled_attribute   = userAccountControl
user_enabled_mask        = 2
user_enabled_default     = 512
user_attribute_ignore    = password,tenant_id,tenants
group_tree_dn            = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
group_name_attribute     = name
group_id_attribute       = cn
group_objectclass        = group
group_member_attribute   = member

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

--
Kind Regards,
Dave Walker

On 1 February 2017 at 05:03, Christian Tardif <christian.tardif at servinfo.ca>
wrote:

> Hi,
>
> I'm looking for domains support in Kolla. I've searched, but didn't find
> anything relevant. Could someone point me how to achieve this?
>
> What I'm really looking for, in fact, is a decent way of setting auth
> through LDAP backend while keeping service users (neutron, for example) in
> the SQL backend. I know that this can be achieved with domains support
> (leaving default domain on SQL, and another domain for LDAP users). Or maybe
> there's another way of doing this?
>
> Thanks,
>
> Christian Tardif
>
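An added example, not from either message in the thread, that reads a domain config like the one above and shows what its [ldap] settings mean for the directory queries Keystone ends up making: the search filter that combines user_objectclass with user_filter (so only members of the named group are visible to Keystone at all), the user_enabled_mask/user_enabled_default test against AD's userAccountControl (bit 0x2 is ACCOUNTDISABLE, so accounts disabled in AD are reported as disabled to Keystone), and user_attribute_ignore stripping the password attribute. The filter shape and the enabled test are written here to mirror Keystone's LDAP backend and are an assumption of this example; the sample config and the AD entries are constructed.

```python
"""Added example (not from the thread): interpret the [ldap] section of a
Keystone domain config the way the LDAP identity backend does.

Assumptions: the filter shape (&(objectClass=X)<user_filter>) and the
enabled test (value & mask) != mask mirror Keystone's LDAP backend; the
sample config and the AD entries below are constructed for this example.
"""
import configparser

# Constructed sample: the [ldap] settings from the message, without the pool options.
SAMPLE_CONF = """\
[ldap]
url = ldap://server1:389,ldap://server2:389
suffix = dc=example,dc=com
user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
user_objectclass = person
user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
"""

ACCOUNTDISABLE = 0x0002  # userAccountControl bit AD sets on disabled accounts


def load_ldap_section(text):
    """Parse the INI text and return the [ldap] options as a plain dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser["ldap"])


def user_search_filter(ldap):
    """Filter used for user lookups: objectclass AND the admin's user_filter."""
    objectclass = ldap["user_objectclass"]
    extra = ldap.get("user_filter", "").strip()
    if extra:
        return "(&(objectClass=%s)%s)" % (objectclass, extra)
    return "(objectClass=%s)" % objectclass


def user_is_enabled(ldap, entry):
    """Apply user_enabled_mask / user_enabled_default to one directory entry.

    With a non-zero mask (the AD style used above) the account is enabled
    when the masked bit is NOT set; with mask 0 the attribute is a boolean.
    """
    attr = ldap["user_enabled_attribute"]
    mask = int(ldap.get("user_enabled_mask", "0"))
    default = ldap.get("user_enabled_default", "True")
    raw = entry.get(attr, default)  # missing attribute falls back to the default
    if mask:
        return (int(raw) & mask) != mask
    return str(raw).lower() in ("true", "1")


def visible_attributes(ldap, entry):
    """Drop attributes listed in user_attribute_ignore (e.g. never surface 'password')."""
    ignored = {a.strip() for a in ldap.get("user_attribute_ignore", "").split(",") if a.strip()}
    return {k: v for k, v in entry.items() if k not in ignored}


if __name__ == "__main__":
    conf = load_ldap_section(SAMPLE_CONF)
    print(user_search_filter(conf))
    # Constructed AD entries: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE,
    # 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD, 66050 = the same but disabled.
    for uac in ("512", "514", "66048", "66050"):
        entry = {"sAMAccountName": "jdoe", "userAccountControl": uac, "password": "x"}
        print(uac, user_is_enabled(conf, entry), sorted(visible_attributes(conf, entry)))
```

The point of running this against a candidate config is to see that the enabled test is a bitmask, not an equality: with user_enabled_mask = 2, any userAccountControl value with the 0x2 bit set (514, 66050, ...) is treated as disabled, and a value of 512 or 66048 as enabled, regardless of the other flags AD sets on the account.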