[openstack-dev] [kolla] Domains support

Christian Tardif christian.tardif at servinfo.ca
Thu Feb 2 00:20:08 UTC 2017


Will sure give it a try! And from a kolla perspective, it means that 
this file should go in /etc/kolla/config/domains/keystone.$DOMAIN.conf 
in order to be pushed to the relevant containers?
--------------------------------------------------------------------------------
Christian Tardif
christian.tardif at servinfo.ca

Please consider the environment before printing this message.




------ Original Message ------
From: "Dave Walker" <email at daviey.com>
To: "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev at lists.openstack.org>
Sent: 2017-02-01 11:39:15
Subject: Re: [openstack-dev] [kolla] Domains support

>Hi Christian,
>
>I added the domain support, but I didn't document it as well as I 
>should have. Apologies!
>
>This is the config I am using to talk to a Windows AD server. Hope 
>this helps.
>
>create a domain specific file:
>etc/keystone/domains/keystone.$DOMAIN.conf:
>
>[ldap]
>use_pool = true
>pool_size = 10
>pool_retry_max = 3
>pool_retry_delay = 0.1
>pool_connection_timeout = -1
>pool_connection_lifetime = 600
>use_auth_pool = false
>auth_pool_size = 100
>auth_pool_connection_lifetime = 60
>url = ldap://server1:389,ldap://server2:389
>user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
>password                 = password
>suffix                   = dc=example,dc=com
>user_tree_dn             = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
>user_objectclass         = person
>user_filter              = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
>user_id_attribute        = sAMAccountName
>user_name_attribute      = sAMAccountName
>user_description_attribute = displayName
>user_mail_attribute      = mail
>user_pass_attribute      =
>user_enabled_attribute   = userAccountControl
>user_enabled_mask        = 2
>user_enabled_default     = 512
>user_attribute_ignore    = password,tenant_id,tenants
>group_tree_dn            = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
>group_name_attribute     = name
>group_id_attribute       = cn
>group_objectclass        = group
>group_member_attribute   = member
>
>[identity]
>driver = keystone.identity.backends.ldap.Identity
>
>[assignment]
>driver = keystone.assignment.backends.sql.Assignment
>
>--
>Kind Regards,
>Dave Walker
>
>On 1 February 2017 at 05:03, Christian Tardif 
><christian.tardif at servinfo.ca> wrote:
>>Hi,
>>
>>I'm looking for domains support in Kolla. I've searched, but didn't 
>>find anything relevant. Could someone point me how to achieve this?
>>
>>What I'm really looking for, in fact, is a decent way of setting auth 
>>through LDAP backend while keeping service users (neutron, for 
>>example) in the SQL backend. I know that this can be achieved with 
>>domains support (leaving default domain on SQL, and another domain for 
>>LDAP users). Or maybe there's another way of doing this?
>>
>>Thanks,
>>--------------------------------------------------------------------------------
>>Christian Tardif
>>christian.tardif at servinfo.ca
>>
>>
>
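
The following is an added example, not code from this thread or from Kolla or Keystone: a Python check over a domain-specific file like the one Dave posted, reporting an `ldap://` bind with no `use_tls` (the service account password would cross the network unencrypted), group/other access on the file that stores that password, and how `user_enabled_mask = 2` reads Active Directory's `userAccountControl`. The function names and the trimmed sample are constructed here, and the enabled-bit rule is assumed to match Keystone's LDAP backend.

```python
import configparser
import os
import stat

# Constructed sample, trimmed from the config quoted in the thread.
SAMPLE = """\
[ldap]
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password = password
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
"""

def load(text):
    # interpolation=None: LDAP filters and DNs may contain a literal '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def transport_findings(cp):
    """List LDAP URLs where the bind password would cross the wire in cleartext."""
    ldap = cp["ldap"]
    start_tls = ldap.getboolean("use_tls", fallback=False)  # StartTLS over ldap://
    urls = [u.strip() for u in ldap.get("url", "").split(",") if u.strip()]
    return [f"{u}: cleartext bind; use ldaps:// or set use_tls = true"
            for u in urls if u.lower().startswith("ldap://") and not start_tls]

def file_mode_finding(path):
    """The file stores the bind password, so any group/other access is a finding."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return f"{path}: mode {mode:04o} grants group/other access" if mode & 0o077 else None

def is_enabled(cp, user_account_control):
    """Assumed to mirror Keystone's LDAP backend: enabled unless the masked bit is set."""
    mask = cp["ldap"].getint("user_enabled_mask", fallback=0)
    if mask == 0:
        raise ValueError("user_enabled_mask is not set; attribute is not a bitfield")
    return (int(user_account_control) & mask) != mask

if __name__ == "__main__":
    cfg = load(SAMPLE)
    for finding in transport_findings(cfg):
        print("FINDING", finding)
    # 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE (bit 2)
    for uac in (512, 514):
        print(f"userAccountControl={uac} -> enabled={is_enabled(cfg, uac)}")
```
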