
Keystone authentication with database and LDAP [closed]

asked 2017-10-25 04:36:18 -0500


Hi there,

is it possible to enable LDAP and database authentication in Keystone? I manually installed openstack and used username/password for each service account. In my environment we have employees who can authenticate via LDAP and we have trainees who get only a local user account. Can I transfer this to the openstack installation, so that employees can use their LDAP account and trainees get a local account in the SQL database? It would be nice if someone could give me the configuration if it is possible.

Thank you for your answers


Closed for the following reason: the question is answered, right answer was accepted by tk8
close date 2017-11-13 08:29:28.388213

1 answer


answered 2017-10-25 05:39:14 -0500

If you put trainees in a different domain than regular employees, yes. You can set up a different identity backend (SQL or LDAP) for each domain. See this guide:

Even if users are in different domains, they can participate in the same project. For example, you could define all your projects in the regular-employee domain, and give trainees roles in those projects.



If I understand it correctly, I have to use a default configuration file for the default domain with SQL? Then I create other domains with specific configuration files. That means one employee domain and one trainee domain. Is that right?

tk8 (2017-10-25 07:07:08 -0500)

Not absolutely required, but a clean solution. You could put the trainees (for example) in the default domain, but once you start using domains, it's good practice to only keep the service users and the cloud admin in the default domain.

Bernd Bausch (2017-10-25 22:48:11 -0500)

Here is an old (Juno version) blog entry about the same subject:

Start reading at "Add a domain for the LDAP backed"

Bernd Bausch (2017-10-25 22:49:48 -0500)

Thanks for your help. I've got two questions. First: I created the domains folder in /etc/keystone and set rights to the keystone user and group. Is that right? Second: I created two domains and want to give trainees permission to a VM. I created a role but I don't understand how to set the rights.

tk8 (2017-11-08 12:47:28 -0500)
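The set-up the answer describes (one identity backend per domain, projects in the employee domain, trainees given roles on those projects) and the two follow-up points from the last comment (permissions on the domain config folder, and how a trainee actually gets rights on a project) written out as one script. This is an added example for this page, not code from the thread or from the Keystone project. Domain names (employees, trainees), the LDAP host and DNs, the bind password, the project name training-lab, the trainee login alice, the role name member and the keystone service account name are all placeholders assumed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the Keystone project: an LDAP-backed
# "employees" domain, an SQL-backed "trainees" domain, and a role assignment
# that lets a trainee work in a project owned by the employees domain.
# Hostnames, DNs, the bind password, user/project/role names and the
# "keystone" service account are placeholders chosen for this example.
set -euo pipefail

# Directory Keystone scans for keystone.<domain name>.conf files. Override it
# to stage the files somewhere else (for example, when testing this script).
KEYSTONE_DOMAIN_DIR="${KEYSTONE_DOMAIN_DIR:-/etc/keystone/domains}"

# Stanza to merge into /etc/keystone/keystone.conf. The default domain keeps
# the SQL driver for the service users and the cloud admin.
keystone_conf_identity_stanza() {
    cat <<EOF
[identity]
driver = sql
domain_specific_drivers_enabled = true
domain_config_dir = ${KEYSTONE_DOMAIN_DIR}
EOF
}

# Octal mode of a file (GNU stat first, BSD stat as a fallback).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# A domain file can hold the LDAP bind password in clear text, so only the
# Keystone service user may read it. chown only as root and if the user exists.
secure_file() {
    chmod 0640 "$1"
    if [ "$(id -u)" = 0 ] && id keystone >/dev/null 2>&1; then
        chown keystone:keystone "$1"
    fi
}

# Employees authenticate against the corporate directory over LDAPS with a
# pinned CA. The backend is read-only: Keystone must never write to the directory.
write_employees_domain_conf() {
    local f="${KEYSTONE_DOMAIN_DIR}/keystone.employees.conf"
    cat > "$f" <<'EOF'
[identity]
driver = ldap

[ldap]
url = ldaps://ldap.example.com
tls_cacertfile = /etc/ssl/certs/corp-ca.pem
tls_req_cert = demand
user = cn=keystone-bind,ou=service,dc=example,dc=com
password = CHANGE-ME
suffix = dc=example,dc=com
query_scope = sub
user_tree_dn = ou=people,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_allow_create = false
user_allow_update = false
user_allow_delete = false
EOF
    secure_file "$f"
}

# Trainees get local accounts in Keystone's own SQL database.
write_trainees_domain_conf() {
    local f="${KEYSTONE_DOMAIN_DIR}/keystone.trainees.conf"
    printf '[identity]\ndriver = sql\n' > "$f"
    secure_file "$f"
}

write_domain_configs() {
    mkdir -p "$KEYSTONE_DOMAIN_DIR" && chmod 0750 "$KEYSTONE_DOMAIN_DIR"
    write_employees_domain_conf
    write_trainees_domain_conf
}

# Read back the [identity] driver of a domain file: domain_driver employees -> ldap
domain_driver() {
    awk -F'=' '/^\[/ {s=$1} s=="[identity]" && $1 ~ /^driver[ \t]*$/ {gsub(/[ \t]/,"",$2); print $2}' \
        "${KEYSTONE_DOMAIN_DIR}/keystone.$1.conf"
}

# Run an openstack CLI call, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'openstack %s\n' "$*"; else openstack "$@"; fi
}

# Projects live in the employees domain; a trainee from the trainees domain gets
# a role on one of them. "member" is assumed to exist (keystone-manage bootstrap
# creates it on recent releases; otherwise run: openstack role create member).
grant_trainee_access() {
    local user="$1" project="${2:-training-lab}" role="${3:-member}"
    run domain create --or-show employees
    run domain create --or-show trainees
    run project create --or-show --domain employees "$project"
    run user create --or-show --domain trainees --password-prompt "$user"
    run role add --user "$user" --user-domain trainees \
        --project "$project" --project-domain employees "$role"
}

# Usage: sudo ./keystone-domains.sh apply; merge the printed stanza into
# keystone.conf, restart Keystone, then call grant_trainee_access <trainee-login>.
if [ "${1:-}" = apply ]; then
    write_domain_configs
    keystone_conf_identity_stanza
fi
```

Two things worth checking after running it: Keystone loads file-based domain configuration at start-up, so restart the service after adding or changing a domain file; and because the employees file contains the bind password, confirm that the file really ended up at 0640 and owned by the service user, since a world-readable copy hands the directory bind credentials to anyone on the controller.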
