Can LDAP and SQL authentication be used together

asked 2016-12-20 13:43:19 -0500

xdaxdb gravatar image

I'd like to have users be able to authenticate using their LDAP credentials, but have admin authentication remain in SQL only. I do not want to use LDAP groups for authorization.

Is this a common configuration? So far I get the impression it is not.

edit retag flag offensive close merge delete

2 answers

Sort by » oldest newest most voted

answered 2016-12-21 03:23:48 -0500

albertomolina gravatar image

updated 2016-12-29 04:37:09 -0500

Yes, it's a common configuration and it can be solved easily with keystone v3 that allows you to define domains and you can use a different authentication method to each domain.

This blog post can help you:

edit flag offensive delete link more


I'm not seeing an example of creating a sql driver domain anywhere.

xdaxdb gravatar imagexdaxdb ( 2016-12-24 02:01:36 -0500 )edit

Actually I get it now, you don't need to make a sql domain you just leave the existing non-domain config as is and your LDAP config within the domain config file. The openstack docs were detailed on this also I just wasn't catching this particular detail.

xdaxdb gravatar imagexdaxdb ( 2016-12-24 02:19:08 -0500 )edit

answered 2016-12-20 17:57:06 -0500

Would this help: "[a solution] where service accounts live in Keystone’s SQL backend and if users fail to authenticate there they fallback to LDAP"

edit flag offensive delete link more


Does the linked solution pre-date keystone v3? It seems clever, but a configuration that requires a third-party script feels a bit hacky to me. Difficult to document. I'll keep it in mind though.

xdaxdb gravatar imagexdaxdb ( 2016-12-24 02:13:19 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2016-12-20 13:43:19 -0500

Seen: 459 times

Last updated: Dec 29 '16