[openstack-dev] [kolla] Domains support
Gema Gomez
gema at ggomez.me
Thu Feb 2 19:10:51 UTC 2017
Hi,
we did this last week at Linaro. I have documented the process in a
blog post that is a walkthrough of a post by Steve Martinelli[1] from
the keystone team:
http://thetestingcorner.com/2017/01/30/ldap-authentication-for-openstack/
At the bottom of it there is a gerrit review with a patch to our ansible
playbooks that adds support for LDAP authentication. We kept the default
domain for service accounts and any other that needs to be managed
outside LDAP, and then we have the LDAP domain for the actual end users.
Happy to review any patches or help with whichever one you are producing.
Hope that helps,
Gema
[1] https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/
On 02/02/17 16:07, Dave Walker wrote:
> Try /etc/kolla/config/keystone/domains/keystone.$DOMAIN.conf
>
> Thanks
>
> On 2 February 2017 at 00:20, Christian Tardif
> <christian.tardif at servinfo.ca> wrote:
>
> Will sure give it a try! And from a kolla perspective, it means
> that this file should go in
> /etc/kolla/config/domains/keystone.$DOMAIN.conf in order to be
> pushed to the relevant containers?
> ------------------------------------------------------------------------
>
> Christian Tardif
> christian.tardif at servinfo.ca
>
> Please think of the environment before printing this message.
>
>
>
>
> ------ Original Message ------
> From: "Dave Walker" <email at daviey.com>
> To: "OpenStack Development Mailing List (not for usage questions)"
> <openstack-dev at lists.openstack.org>
> Sent: 2017-02-01 11:39:15
> Subject: Re: [openstack-dev] [kolla] Domains support
>
>> Hi Christian,
>>
>> I added the domain support, but I didn't document it as well as I
>> should have. Apologies!
>>
>> This is the config I am using to talk to a windows AD server.
>> Hope this helps.
>>
>> create a domain specific file:
>> etc/keystone/domains/keystone.$DOMAIN.conf:
>>
>> [ldap]
>> use_pool = true
>> pool_size = 10
>> pool_retry_max = 3
>> pool_retry_delay = 0.1
>> pool_connection_timeout = -1
>> pool_connection_lifetime = 600
>> use_auth_pool = false
>> auth_pool_size = 100
>> auth_pool_connection_lifetime = 60
>> url = ldap://server1:389,ldap://server2:389
>> user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
>> password = password
>> suffix = dc=example,dc=com
>> user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
>> user_objectclass = person
>> user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
>> user_id_attribute = sAMAccountName
>> user_name_attribute = sAMAccountName
>> user_description_attribute = displayName
>> user_mail_attribute = mail
>> user_pass_attribute =
>> user_enabled_attribute = userAccountControl
>> user_enabled_mask = 2
>> user_enabled_default = 512
>> user_attribute_ignore = password,tenant_id,tenants
>> group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
>> group_name_attribute = name
>> group_id_attribute = cn
>> group_objectclass = group
>> group_member_attribute = member
>>
>> [identity]
>> driver = keystone.identity.backends.ldap.Identity
>>
>> [assignment]
>> driver = keystone.assignment.backends.sql.Assignment
>>
>> --
>> Kind Regards,
>> Dave Walker
>>
>> On 1 February 2017 at 05:03, Christian Tardif
>> <christian.tardif at servinfo.ca> wrote:
>>
>> Hi,
>>
>> I'm looking for domains support in Kolla. I've searched, but
>> didn't find anything relevant. Could someone point me to how to
>> achieve this?
>>
>> What I'm really looking for, in fact, is a decent way of
>> setting auth through an LDAP backend while keeping service users
>> (neutron, for example) in the SQL backend. I know that this
>> can be achieved with domains support (leaving the default domain
>> on SQL, and another domain for LDAP users). Or maybe there's
>> another way of doing this?
>>
>> Thanks,
>> ------------------------------------------------------------------------
>>
>> Christian Tardif
>> christian.tardif at servinfo.ca
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
>>
>>
>
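An added example, my own code rather than anything from Kolla or Keystone: a small reviewer that parses a domain-specific file like the one Dave posted and flags the settings a security review would question before the file is pushed to /etc/kolla/config/keystone/domains/ (plaintext ldap:// URLs without use_tls, a placeholder bind password, a populated user_pass_attribute, and the identity/assignment driver split the thread relies on), plus the userAccountControl mask rule that user_enabled_mask = 2 applies. The sample config is constructed from the thread's values, and treating a missing userAccountControl as user_enabled_default is this helper's own choice, not a claim about Keystone.

```python
import configparser

# Constructed sample: the thread's domain file with its wrapped lines
# re-joined and trimmed to the settings the checks below look at.
SAMPLE_CONF = """[ldap]
url = ldap://server1:389,ldap://server2:389
password = password
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_pass_attribute =
user_attribute_ignore = password,tenant_id,tenants

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
"""

def review_domain_conf(text):
    """Return review findings for a keystone domain-specific LDAP config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    ldap = cp["ldap"] if cp.has_section("ldap") else {}
    findings = []
    urls = [u.strip() for u in ldap.get("url", "").split(",") if u.strip()]
    # The bind password and every lookup travel unencrypted unless the URLs
    # are ldaps:// or StartTLS (use_tls) is switched on.
    if (any(u.startswith("ldap://") for u in urls)
            and ldap.get("use_tls", "false").lower() != "true"):
        findings.append("plaintext LDAP: use ldaps:// URLs or set use_tls = true")
    if ldap.get("password", "").strip() in ("", "password"):
        findings.append("bind password is empty or a placeholder")
    # Keystone must never read or rewrite the directory's password attribute.
    if ldap.get("user_pass_attribute", "").strip():
        findings.append("user_pass_attribute should be left empty against AD")
    ignored = ldap.get("user_attribute_ignore", "").replace(" ", "").split(",")
    if "password" not in ignored:
        findings.append("user_attribute_ignore should include password")
    if not cp.get("identity", "driver", fallback="").endswith(("ldap", "Identity")):
        findings.append("[identity] driver is not the LDAP backend")
    if not cp.get("assignment", "driver", fallback="").endswith(("sql", "Assignment")):
        findings.append("[assignment] driver should stay on SQL")
    return findings

def ad_account_enabled(uac_value, mask=2, default=512):
    """user_enabled_mask rule: enabled when the ACCOUNTDISABLE bit (0x2) is clear."""
    val = int(uac_value) if uac_value is not None else default
    return (val & mask) != mask
```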