How to manage Roles, Projects via LDAP and devstack?

asked 2013-11-20 06:56:39 -0600

Romain

updated 2013-11-20 13:27:13 -0600

smaffulli

Hello, I've installed an OpenStack development environment thanks to devstack and I wanted to use LDAP with it. To do that, I've added these lines in my localrc file:

enable_service ldap
KEYSTONE_CLEAR_LDAP=yes
KEYSTONE_IDENTITY_BACKEND=ldap

In my keystone.conf, I have the pleasure to see these settings:

[identity]
driver = keystone.identity.backends.ldap.Identity
[ldap]
user_tree_dn = ou=Users,dc=openstack,dc=org
user_domain_id_attribute = businessCategory
tenant_tree_dn = ou=Projects,dc=openstack,dc=org
tenant_desc_attribute = description
tenant_domain_id_attribute = businessCategory
tenant_attribute_ignore = enabled
user_attribute_ignore = enabled,email,tenants,default_project_id
use_dumb_member = True
suffix = dc=openstack,dc=org
user = dc=Manager,dc=openstack,dc=org
password = pass

I can see the different entries: Projects, Roles, Users, UserGroups.

Adding a user via Horizon adds an entry in Users. However, adding Roles or Projects adds entries in the SQL database.

Does devstack support LDAP for all the four features or is my configuration file wrong?


Comments

Check the "assignment" driver and see if it's using SQL for the driver. If so then you can comment it out and it should use ldap for both. You probably don't want to use LDAP for both if you have AD, it's a more complex setup. It's "easier" to use sql for roles/projects.

mpetason ( 2014-04-30 20:36:57 -0600 )

2 answers

0

answered 2013-12-04 06:03:16 -0600

Hi, I don't know how to answer your question, but I have one question for you. I set up LDAP using devstack; how can I check the entries?

Comments

To verify the LDAP entries: ldapsearch -x -b 'dc=<your-domain>,dc=<org>' '(objectclass=*)'

Sahana ( 2016-08-30 06:50:55 -0600 )
0

answered 2014-03-05 20:27:32 -0600

9lives

Hello there, recently I just happened to set up the keystone with LDAP and I can use keystone client to create roles in LDAP instead of MySQL db.

Have you tried to create the role using keystone client? And did you set the assignment to ldap as well?

Hope that helps!

Vic
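The check suggested in the comment and in the answer above (which backend the "assignment" driver uses, next to the identity driver), as an added example that is not part of the original thread. The [assignment] section and its sql driver path in the sample are assumptions; the asker's quoted keystone.conf does not show them.

```python
import configparser

# Constructed sample: settings quoted in the question, plus an assumed
# [assignment] section of the kind the comment says to look for.
SAMPLE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment
[ldap]
user_tree_dn = ou=Users,dc=openstack,dc=org
tenant_tree_dn = ou=Projects,dc=openstack,dc=org
suffix = dc=openstack,dc=org
"""

def backend_of(driver):
    """Classify a driver path as 'ldap', 'sql', 'other', or 'unset'."""
    if driver is None:
        return "unset"
    parts = driver.lower().split(".")
    for kind in ("ldap", "sql"):
        if kind in parts:
            return kind
    return "other"

def audit(conf_text):
    """Return the backend used by the identity and assignment drivers."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # fallback=None covers a missing section and a commented-out driver line
    return {s: backend_of(cp.get(s, "driver", fallback=None))
            for s in ("identity", "assignment")}

def explain(result):
    """Turn the per-subsystem backends into a one-line finding."""
    ident, assign = result["identity"], result["assignment"]
    if assign == "unset":
        return "no [assignment] driver set: keystone's own default decides"
    if ident == assign:
        return f"users, roles and projects all use {ident}"
    return f"users use {ident}; roles and projects use {assign}"

if __name__ == "__main__":
    print(explain(audit(SAMPLE_CONF)))
```

To check a real deployment, pass the text of its keystone.conf to audit() in place of SAMPLE_CONF.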


Stats

Asked: 2013-11-20 06:56:39 -0600

Seen: 685 times

Last updated: Mar 05 '14