What is the purpose of LDAP groups to Keystone?

asked 2014-01-29 22:16:35 -0500

mfischer

For keystone I understand the purpose of users, tenants, and roles, but when I use LDAP as a backend, what is the purpose of the LDAP groups? Are they supposed to replace tenants or roles or instead can I use the groups to assign roles to? For example, assign the Admin role to everyone in a certain group? (If so, I'd like to know how to do this with the CLI tool since the option is either missing or non-obvious).


2 answers


answered 2014-06-07 09:21:22 -0500

mpetason

Groups can be used like groups in other applications. You can assign groups to projects instead of users. That way you aren't assigning a new user to a group every time you have to create one, instead you are assigning a group to a project then adding the user to the group in your user directory.

Groups can be managed through Horizon if you turn on the v3 API in keystone and point to the v3 API in Horizon. This will give you access to groups/users/roles/domains/projects. You could also use the keystone CLI if it's set up for v3 and your endpoint is v3.



We tried setup with groups, it is working but nested groups are not working. Does keystone support nested groups?

DeepVish (2014-07-11 01:45:02 -0500)

If you are using AD there is a search string you can use. It supports searches that will get nested groups:


mpetason (2014-07-11 16:24:50 -0500)

answered 2014-01-30 00:14:52 -0500

tim-bell

We use LDAP groups at CERN to assign sets of people to roles. Since there are many IT applications and filesystems which need controlling and securing, a single place to manage people's responsibilities is a necessity.

Thus, someone who is part of our hardware maintenance team is part of a group. This group is given a role in OpenStack which allows them to open the console of virtual machines, suspend/resume, etc. The members of this group are also given some sudo rights on the hypervisors which is set by Puppet from the same LDAP source.

Thus, we manage membership of a group in LDAP and use Keystone to define the role associated with that group of users.



Using groups to assign roles makes a lot of sense but how do you do the assignment? Do you pass the groupid in place of user id in the CLI?

mfischer (2014-01-30 08:00:07 -0500)
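Added example, not code from this thread, from Keystone or from CERN: it models the pattern both answers describe (membership is managed in LDAP, Keystone holds a single role assignment on the group, users get the role by being members) and answers mfischer's CLI question in the same place. With the v3-capable python-openstackclient the group is named with `--group` instead of `--user` (`openstack role add --group GROUP --project PROJECT ROLE`), and the Identity v3 request behind that command is a bodiless PUT on `/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}`; the function below builds that request. The directory snapshot, DNs, ids and token are constructed placeholders, and the `member` attribute name is assumed (Keystone takes it from `group_member_attribute` in keystone.conf). The nested group in the snapshot is there to show the behaviour DeepVish reports: the driver reads the member attribute of the one group entry it finds and does not expand groups that are themselves listed as members.

```python
# Added example for this thread (not code from Ask OpenStack, Keystone or CERN).
# Models: LDAP holds membership, Keystone holds a role assignment on the group,
# users hold the role through membership. Also builds the Identity v3 request
# issued by `openstack role add --group GROUP --project PROJECT ROLE`.
# Everything in LDAP_GROUPS, every id and the token are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed LDAP snapshot: group DN -> attributes. The attribute name is
# assumed to be "member" (Keystone's [ldap] group_member_attribute setting).
LDAP_GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cn=hw-maint,ou=groups,dc=example,dc=com": {
        "member": [
            "uid=alice,ou=people,dc=example,dc=com",
            # a group nested inside a group
            "cn=hw-maint-contractors,ou=groups,dc=example,dc=com",
        ],
    },
    "cn=hw-maint-contractors,ou=groups,dc=example,dc=com": {
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
}


def direct_members(group_dn: str, member_attr: str = "member") -> List[str]:
    """Members as Keystone's LDAP driver sees them: the values of the member
    attribute on that single group entry. A nested group listed as a member
    is not expanded, which matches the behaviour reported in the thread."""
    values = LDAP_GROUPS.get(group_dn, {}).get(member_attr, [])
    return [dn for dn in values if dn not in LDAP_GROUPS]


def nested_members(group_dn: str, member_attr: str = "member",
                   seen: Optional[Set[str]] = None) -> Set[str]:
    """Membership expanded through nested groups (what admins usually expect).
    Included only to make the gap visible; the seen-set guards against cycles."""
    seen = seen if seen is not None else set()
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users: Set[str] = set()
    for dn in LDAP_GROUPS.get(group_dn, {}).get(member_attr, []):
        if dn in LDAP_GROUPS:
            users |= nested_members(dn, member_attr, seen)
        else:
            users.add(dn)
    return users


@dataclass(frozen=True)
class Assignment:
    """One Keystone v3 role assignment: a role on a project held by either a
    user or a group (exactly one of the two is set)."""
    role: str
    project: str
    user: Optional[str] = None
    group: Optional[str] = None


def effective_roles(user_dn: str, assignments: List[Assignment],
                    member_attr: str = "member") -> Dict[str, Set[str]]:
    """Roles the user holds per project: direct assignments plus assignments
    on groups the directory lists the user in (direct membership only)."""
    roles: Dict[str, Set[str]] = {}
    for a in assignments:
        via_user = a.user == user_dn
        via_group = a.group is not None and user_dn in direct_members(a.group, member_attr)
        if via_user or via_group:
            roles.setdefault(a.project, set()).add(a.role)
    return roles


def assign_role_to_group_request(project_id: str, group_id: str, role_id: str,
                                 token: str = "<keystone-token-placeholder>") -> dict:
    """Identity v3 call behind `openstack role add --group ... --project ...`:
    a bodiless PUT on the group's role path (ids, not names, go in the path).
    A HEAD on the same path checks whether the assignment exists."""
    path = f"/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}"
    return {"method": "PUT", "path": path, "headers": {"X-Auth-Token": token}}


if __name__ == "__main__":
    hw_maint = "cn=hw-maint,ou=groups,dc=example,dc=com"
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    # One assignment on the group; no per-user assignments are needed.
    assignments = [Assignment(role="hw_operator", project="compute-prod", group=hw_maint)]
    print("alice:", effective_roles(alice, assignments))   # direct member: holds the role
    print("bob:", effective_roles(bob, assignments))       # nested only: holds nothing
    print("membership admins expect:", sorted(nested_members(hw_maint)))
    print(assign_role_to_group_request("p-id", "g-id", "r-id"))
```

The practical consequence for an operator is the one the thread circles around: a role granted to the group reaches every direct member the moment they are added in the directory, with no Keystone change, but a user who is only in a nested group holds nothing until the directory is flattened for Keystone's benefit or the group query is adjusted on the LDAP side.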


Last updated: Jun 07 '14