[openstack-dev] [kolla] Domains support
Christian Tardif
christian.tardif at servinfo.ca
Fri Feb 10 03:56:41 UTC 2017
OK great!!!
Now, I have a working LDAP setup! Thanks for your help.
Now, about the modifications done to Horizon's config file (in fact, in
local_settings), I had to perform these changes through the
local_settings.j2 template file. Is this the place where modifications
go, or is there any place in kolla's override config directory where
I could set that?
--------------------------------------------------------------------------------
Christian Tardif
------ Original Message ------
From: "Gema Gomez" <gema at ggomez.me>
To: openstack-dev at lists.openstack.org
Sent: 2017-02-02 14:10:51
Subject: Re: [openstack-dev] [kolla] Domains support
>Hi,
>
>we've done this last week at Linaro. I have documented the process in a
>blog post that is a walkthrough of a post by Steve Martinelli[1] from
>the keystone team:
>
>http://thetestingcorner.com/2017/01/30/ldap-authentication-for-openstack/
>
>At the bottom of it there is a gerrit review with a patch to our ansible
>playbooks that adds support for LDAP authentication. We kept the default
>domain for services accounts and any other that needs to be managed
>outside LDAP and then we have the LDAP domain for the actual end users.
>
>Happy to review any patches or help with whichever one you are producing.
>
>Hope that helps,
>Gema
>
>[1] https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/
>
>On 02/02/17 16:07, Dave Walker wrote:
>> Try /etc/kolla/config/keystone/domains/keystone.$DOMAIN.conf
>>
>> Thanks
>>
>> On 2 February 2017 at 00:20, Christian Tardif
>> <christian.tardif at servinfo.ca> wrote:
>>
>> Will sure give it a try! And from a kolla perspective, it means
>> that this file should go in
>> /etc/kolla/config/domains/keystone.$DOMAIN.conf in order to be
>> pushed to the relevant containers?
>>
>>------------------------------------------------------------------------
>>
>> Christian Tardif
>> christian.tardif at servinfo.ca
>>
>> Please consider the environment before printing this message.
>>
>> ------ Original Message ------
>> From: "Dave Walker" <email at daviey.com>
>> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
>> Sent: 2017-02-01 11:39:15
>> Subject: Re: [openstack-dev] [kolla] Domains support
>>
>>> Hi Christian,
>>>
>>> I added the domain support, but I didn't document it as well as I
>>> should have. Apologies!
>>>
>>> This is the config I am using to talk to a windows AD server.
>>> Hope this helps.
>>>
>>> create a domain specific file:
>>> etc/keystone/domains/keystone.$DOMAIN.conf:
>>>
>>> [ldap]
>>> use_pool = true
>>> pool_size = 10
>>> pool_retry_max = 3
>>> pool_retry_delay = 0.1
>>> pool_connection_timeout = -1
>>> pool_connection_lifetime = 600
>>> use_auth_pool = false
>>> auth_pool_size = 100
>>> auth_pool_connection_lifetime = 60
>>> url = ldap://server1:389,ldap://server2:389
>>> user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
>>> password = password
>>> suffix = dc=example,dc=com
>>> user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
>>> user_objectclass = person
>>> user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
>>> user_id_attribute = sAMAccountName
>>> user_name_attribute = sAMAccountName
>>> user_description_attribute = displayName
>>> user_mail_attribute = mail
>>> user_pass_attribute =
>>> user_enabled_attribute = userAccountControl
>>> user_enabled_mask = 2
>>> user_enabled_default = 512
>>> user_attribute_ignore = password,tenant_id,tenants
>>> group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
>>> group_name_attribute = name
>>> group_id_attribute = cn
>>> group_objectclass = group
>>> group_member_attribute = member
>>>
>>> [identity]
>>> driver = keystone.identity.backends.ldap.Identity
>>>
>>> [assignment]
>>> driver = keystone.assignment.backends.sql.Assignment
>>>
>>> --
>>> Kind Regards,
>>> Dave Walker
>>>
>>> On 1 February 2017 at 05:03, Christian Tardif
>>> <christian.tardif at servinfo.ca> wrote:
>>>
>>> Hi,
>>>
>>> I'm looking for domains support in Kolla. I've searched, but
>>> didn't find anything relevant. Could someone point me how to
>>> achieve this?
>>>
>>> What I'm really looking for, in fact, is a decent way of
>>> setting auth through LDAP backend while keeping service users
>>> (neutron, for example) in the SQL backend. I know that this
>>> can be achieved with domains support (leaving default domain
>>> on SQL, and another domain for LDAP users). Or maybe there's
>>> another way of doing this?
>>>
>>> Thanks,
>>>
>>>------------------------------------------------------------------------
>>>
>>> Christian Tardif
>>> christian.tardif at servinfo.ca
>>>
>>>
>>>
>>>__________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
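
Added example, not part of the thread and not kolla or keystone code: a small audit of a `keystone.$DOMAIN.conf` `[ldap]` section like the one quoted above, checking whether the bind and user logins cross the network unencrypted and how `user_enabled_mask` reads Active Directory's `userAccountControl`. The sample values are constructed; `use_tls` and `tls_req_cert` are keystone `[ldap]` options that do not appear in the thread, and the enabled test is the usual bitmask reading of the mask option, stated here as an assumption.

```python
import configparser

# Constructed sample: option names as in the config quoted in the thread,
# placeholder values; not a real deployment.
SAMPLE = """\
[ldap]
url = ldap://server1:389,ldap://server2:389
user = CN=svc-keystone,CN=Users,DC=example,DC=com
password = password
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
"""

def load_ldap(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp["ldap"]

def transport_findings(ldap):
    """Flag settings that expose the bind password and user logins."""
    findings = []
    urls = [u.strip() for u in ldap.get("url", "").split(",") if u.strip()]
    use_tls = ldap.getboolean("use_tls", fallback=False)  # StartTLS on ldap://
    for url in urls:
        if url.lower().startswith("ldap://") and not use_tls:
            findings.append(f"{url}: cleartext LDAP, no StartTLS")
    if ldap.get("tls_req_cert", "demand").lower() != "demand":
        findings.append("tls_req_cert is not 'demand': server cert unchecked")
    return findings

def is_enabled(uac, mask):
    """Enabled unless every bit of the (non-zero) mask is set in the value."""
    return (int(uac) & mask) != mask

def enabled_report(ldap, uac_values):
    mask = ldap.getint("user_enabled_mask", fallback=0)
    return {uac: is_enabled(uac, mask) for uac in uac_values}

if __name__ == "__main__":
    section = load_ldap(SAMPLE)
    for line in transport_findings(section):
        print("FINDING:", line)
    # 512 = NORMAL_ACCOUNT, 514 = 512 + ACCOUNTDISABLE (0x2);
    # 66048 and 66050 add DONT_EXPIRE_PASSWORD (0x10000).
    print(enabled_report(section, [512, 514, 66048, 66050]))
```

With mask 2, a disabled AD account (514 or 66050) is reported as disabled; a mask that does not match the ACCOUNTDISABLE bit would leave disabled accounts able to log in through keystone.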