
How to manage Roles, Projects via LDAP and devstack?

asked 2013-11-20 06:56:39 -0500

Romain

updated 2013-11-20 13:27:13 -0500

smaffulli

Hello, I've installed an OpenStack development environment thanks to devstack and I wanted to use LDAP with it. To do that, I've added these lines in my localrc file:

enable_service ldap

In my keystone.conf, I have the pleasure to see these settings:

driver = keystone.identity.backends.ldap.Identity
user_tree_dn = ou=Users,dc=openstack,dc=org
user_domain_id_attribute = businessCategory
tenant_tree_dn = ou=Projects,dc=openstack,dc=org
tenant_desc_attribute = description
tenant_domain_id_attribute = businessCategory
tenant_attribute_ignore = enabled
user_attribute_ignore = enabled,email,tenants,default_project_id
use_dumb_member = True
suffix = dc=openstack,dc=org
user = dc=Manager,dc=openstack,dc=org
password = pass

I can see the different entries: Projects, Roles, Users, UserGroups.

Adding a user via Horizon adds an entry in Users. However, adding Roles or Projects adds entries in the SQL database.

Does devstack support LDAP for all four features, or is my configuration file wrong?



Check the "assignment" driver and see if it's using SQL for the driver. If so then you can comment it out and it should use ldap for both. You probably don't want to use LDAP for both if you have AD, it's a more complex setup. It's "easier" to use sql for roles/projects.

mpetason ( 2014-04-30 20:36:57 -0500 )

2 answers


answered 2013-12-04 06:03:16 -0500

Hi, I don't know how to answer your question, but I have one question for you. I set up LDAP using devstack; how can I check the entries?



To verify the LDAP entries: ldapsearch -x -b 'dc=<your-domain>,dc=<org>' '(objectclass=*)'

Sahana ( 2016-08-30 06:50:55 -0500 )

answered 2014-03-05 20:27:32 -0500

9lives

Hello there, recently I just happened to set up Keystone with LDAP and I can use the keystone client to create roles in LDAP instead of the MySQL db.

Have you tried to create the role using the keystone client? And did you set the assignment to LDAP as well?

Hope that helps!


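An added example, not part of the original thread: a small Python check that reads a keystone.conf and reports which backend serves users and which serves roles/projects, which is what the comment on the question and the answer above suggest looking at. The section headers, the `[assignment]` driver path and the SQL default for an unset identity driver are assumptions; the sample config is constructed from the settings quoted in the question.

```python
import configparser

# Constructed sample: settings quoted in the question, with the section
# headers and the [assignment] driver line added as assumptions.
SAMPLE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
user_tree_dn = ou=Users,dc=openstack,dc=org
tenant_tree_dn = ou=Projects,dc=openstack,dc=org
"""


def backend_name(driver):
    """Map a driver path such as '...backends.ldap.Identity' to 'ldap'."""
    parts = driver.split(".")
    return parts[-2] if len(parts) >= 2 else driver


def effective_backends(conf_text):
    """Return the backend serving users and the one serving roles/projects."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Assumption: with no [identity] driver set, Keystone of this era uses SQL.
    identity = backend_name(cp.get("identity", "driver", fallback="sql"))
    # Per the comment on the question: with the [assignment] driver commented
    # out or missing, assignment follows the identity backend.
    assignment = cp.get("assignment", "driver", fallback=None)
    assignment = backend_name(assignment) if assignment else identity
    return {"identity": identity, "assignment": assignment}


def report(conf_text):
    """Return human-readable lines, flagging a split between the backends."""
    b = effective_backends(conf_text)
    lines = ["users -> %(identity)s" % b, "roles/projects -> %(assignment)s" % b]
    if b["identity"] != b["assignment"]:
        lines.append("split backends: roles and projects will not appear in "
                     "the %s tree" % b["identity"])
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

Pass the contents of the real keystone.conf to `report()` to see whether role and project writes go to LDAP or to the SQL database.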


Asked: 2013-11-20 06:56:39 -0500

Seen: 693 times

Last updated: Mar 05 '14