How to manage Roles, Projects via LDAP and devstack?
Hello, I've installed an OpenStack development environment thanks to devstack and I wanted to use LDAP with it. To do that, I've added these lines in my localrc file:
enable_service ldap
KEYSTONE_CLEAR_LDAP=yes
KEYSTONE_IDENTITY_BACKEND=ldap
In my keystone.conf, I have the pleasure to see these settings:
[identity]
driver = keystone.identity.backends.ldap.Identity
[ldap]
user_tree_dn = ou=Users,dc=openstack,dc=org
user_domain_id_attribute = businessCategory
tenant_tree_dn = ou=Projects,dc=openstack,dc=org
tenant_desc_attribute = description
tenant_domain_id_attribute = businessCategory
tenant_attribute_ignore = enabled
user_attribute_ignore = enabled,email,tenants,default_project_id
use_dumb_member = True
suffix = dc=openstack,dc=org
user = dc=Manager,dc=openstack,dc=org
password = pass
I can see the different entries: Projects, Roles, Users, UserGroups.
Adding a user via Horizon adds an entry in Users. However, adding Roles or Projects adds entries in the SQL database.
Does devstack support LDAP for all four features, or is my configuration file wrong?
Check the "assignment" driver and see if it's using SQL for the driver. If so, then you can comment it out and it should use LDAP for both. You probably don't want to use LDAP for both if you have AD; it's a more complex setup. It's "easier" to use SQL for roles/projects.
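Added example, not part of the original question or answer: a small check that reads a keystone.conf and reports which store holds users and which holds roles/projects, covering both the explicit SQL assignment driver and the commented-out case. The sample file is constructed, the function names are hypothetical, and the fallback rule (an unset assignment driver follows the identity backend) is taken from the answer above.

```python
import configparser

# Constructed sample: the [identity] driver from the question plus an explicit
# SQL [assignment] driver of the kind the answer says to look for.
SAMPLE_KEYSTONE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
"""


def backend_kind(driver):
    """Classify a driver class path as 'ldap', 'sql', 'other' or 'unset'."""
    if driver is None:
        return "unset"
    parts = driver.strip().lower().split(".")
    return next((k for k in ("ldap", "sql") if k in parts), "other")


def effective_backends(conf_text):
    """Report which store holds users and which holds roles/projects."""
    # interpolation=None: '%' in values is literal; strict=False tolerates
    # duplicate options. Lines starting with '#' are treated as comments.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    identity = parser.get("identity", "driver", fallback=None) or None
    assignment = parser.get("assignment", "driver", fallback=None) or None
    users = backend_kind(identity)
    # Assumption taken from the answer: with no assignment driver set,
    # roles and projects follow the identity backend.
    roles_projects = backend_kind(assignment) if assignment else users
    return {
        "users": users,
        "roles_projects": roles_projects,
        "assignment_explicit": assignment is not None,
        "split": users != roles_projects,
    }


if __name__ == "__main__":
    print(effective_backends(SAMPLE_KEYSTONE_CONF))
    commented = SAMPLE_KEYSTONE_CONF.replace(
        "driver = keystone.assignment", "#driver = keystone.assignment")
    print(effective_backends(commented))
```

A result with `split` set to true matches the behaviour in the question: users land in LDAP while roles and projects are written to SQL.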