[keystone][ldap]
Colleen Murphy
colleen at gazlene.net
Wed May 20 16:42:40 UTC 2020
Hello,
On Wed, May 20, 2020, at 05:51, CHANU ROMAIN wrote:
> Hello,
>
> You can use multi-domain authentication.
>
> One using LDAP and another one using database
>
> https://docs.openstack.org/keystone/latest/admin/configuration.html
Romain is right, use domain-specific configuration to configure a different identity backend for non-service users. The specific section of that page that addresses this is here:
https://docs.openstack.org/keystone/latest/admin/configuration.html#domain-specific-configuration
Colleen
>
>
>
> Best regards,
>
> Romain
>
> *From:* Amjad Kotobi <kotobi at dkrz.de>
> *Sent:* Wednesday, May 20, 2020 2:41 PM
> *To:* openstack-discuss at lists.openstack.org
> *Subject:* [keystone][ldap]
> Hi all,
>
> I’m integrating keystone with LDAP, and have “service accounts”, e.g.
> Nova, keystone, etc., which are in the database.
> As soon as I connect it to LDAP, all authentication fails. How
> can I have both “service account” and “LDAP users” connected to
> Keystone?
>
> Here is my keystone.conf
>
>
> ###################
> [ldap]
>
> url = ldap://XXXXX
> user = uid=XXX,cn=sysaccounts,cn=etc,dc=XXX,dc=de
> password = dkrzprox
> user_tree_dn = cn=users,cn=accounts,dc=XXX,dc=de
> user_objectclass = posixAccount
> user_id_attribute = uid
> user_name_attribute = uid
> user_allow_create = false
> user_allow_update = false
> user_allow_delete = false
> group_tree_dn = cn=groups,cn=accounts,dc=XXX,dc=de
> group_objectclass = groupOfNames
> group_id_attribute = cn
> group_name_attribute = cn
> group_member_attribute = member
> group_desc_attribute = description
> group_allow_create = false
> group_allow_update = false
> group_allow_delete = false
> use_pool = true
> use_auth_pool = true
> debug_level = 4095
> query_scope = sub
>
> [identity]
>
> driver = ldap
>
> #####################
>
> OS: Centos7
> OpenStack-Release: Train
>
> Any idea or example of options would be great!
>
>
> Thank you
>
>
>
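
An added example (not part of the original thread, and not the poster's or the keystone project's own configuration) of the domain-specific setup the replies point to: service accounts stay in the SQL-backed default domain and LDAP users get their own domain. The domain name "ldapusers", the directory /etc/keystone/domains and the CA file path are assumptions; the [ldap] values are the ones from the question, with the bind password replaced by a placeholder.

```ini
# ---- /etc/keystone/keystone.conf ----
# Keep the default identity driver on SQL so the service accounts
# (nova, keystone, ...) stored in the database keep authenticating.
# Remove the global [ldap] section and "driver = ldap" from this file.
[identity]
driver = sql
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains

# ---- /etc/keystone/domains/keystone.ldapusers.conf ----
# The file name must be keystone.<domain name>.conf. "ldapusers" is a
# hypothetical domain that has to exist in keystone first, e.g.:
#   openstack domain create ldapusers
# The file holds the LDAP bind password: make it readable only by the
# keystone service user.
[identity]
driver = ldap

[ldap]
url = ldap://XXXXX
user = uid=XXX,cn=sysaccounts,cn=etc,dc=XXX,dc=de
password = <bind-password>
user_tree_dn = cn=users,cn=accounts,dc=XXX,dc=de
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = uid
group_tree_dn = cn=groups,cn=accounts,dc=XXX,dc=de
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description
query_scope = sub
use_pool = true
use_auth_pool = true
# With a plain ldap:// URL the bind password and user passwords cross
# the network unencrypted. Either use an ldaps:// URL or enable StartTLS:
# use_tls = true
# tls_cacertfile = /etc/pki/tls/certs/ldap-ca.pem   (assumed path)
# tls_req_cert = demand
```

Restart keystone after creating the domain and the file. LDAP users then authenticate against the "ldapusers" domain, while the service accounts keep using the default domain.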