
Is it possible to configure Keystone and AD for password authorization only?

asked 2013-09-15 19:46:36 -0500

badkarma

Hi All,

We are in the middle of a proof of concept, and our current (outdated) cloud system has the ability to just authenticate a user via AD; all user and security information is stored in the cloud software's database.

Does Keystone have this ability? We are not part of the IT group that manages AD, and would prefer not adding Tenant information to production AD, but keep it in Keystone and just use AD for authorization purposes only.

If this is not possible, could we use something like OpenLDAP with the user/tenant info in it and sync its passwords with AD?

I'm not an LDAP/AD guru so be gentle :)

Thanks for any help


2 answers


answered 2013-09-16 00:29:42 -0500

tim-bell

answered 2014-07-10 00:59:05 -0500

DeepVish

Yes, it is possible to just use Active Directory for user authentication, and the MySQL/Postgres database on the Keystone server to store the Tenant, Role and UserTenantRole mapping.

You need to enable the driver in [assignment] in keystone.conf:

    [assignment]
    driver = keystone.assignment.backends.sql.Assignment

I tried this with OpenLDAP and Keystone (Icehouse). I am able to use an LDAP user to create the container/object in Swift, which is configured with Keystone.

After adding it in [assignment], don't forget to add the role, tenant and UserTenantRole mapping.



I assume I need to create all existing service accounts (glance, cinder, neutron, etc.) in AD before enabling this along with "correct" passwords?

LewisMarshall (2014-09-02 04:44:33 -0500)
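
An added example, not part of any post in this thread: a keystone.conf sketch of the split described in the answer above, with identity read from AD over LDAP and assignment kept in SQL, using Icehouse-era driver paths. The hostname, DNs, bind account, CA file path and password value are constructed placeholders, and the AD attribute mappings are assumptions to be checked against the actual directory.

```ini
# keystone.conf fragment (added example; all site-specific values are placeholders)

[identity]
# Users and passwords are verified against AD through an LDAP bind.
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Tenants, roles and user-role grants stay in Keystone's SQL database,
# so nothing tenant-related is written to the production directory.
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# ldaps:// keeps bind passwords off the wire in clear text.
url = ldaps://ad.example.org
# Assumption: a dedicated bind account with read-only rights on the user tree.
user = CN=keystone-bind,OU=Service Accounts,DC=example,DC=org
password = REPLACE_ME
suffix = DC=example,DC=org
query_scope = sub

# Where and how to find user entries (assumed AD layout).
user_tree_dn = OU=Users,DC=example,DC=org
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail

# AD stores the disabled flag as bit 2 of userAccountControl.
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512

# Keystone treats the directory as read-only.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Require a valid server certificate signed by the directory's CA.
tls_cacertfile = /etc/ssl/certs/ad-ca.pem
tls_req_cert = demand
```

With the user_allow_* options set to False, Keystone does not attempt user writes against AD, and the bind account needs no more than read access to the user tree.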



Asked: 2013-09-15 19:46:36 -0500

Seen: 129 times

Last updated: Jul 10 '14