
How do I combine Active Directory and SQL authentication for Keystone?

asked 2013-12-10 09:44:14 -0500

mismith

updated 2013-12-14 10:25:30 -0500

nickchase

One of the features touted when Havana was released was the following:

"For example, you can now tie login information to your corporate LDAP (or Active Directory) server, while having role and group management handled on the OpenStack SQL server."

However, I haven't been able to find any documentation on combining AD authentication with SQL-based role and group management in Keystone.

Has anyone implemented this that is willing to share how this is done please?


2 answers


answered 2014-02-27 04:17:42 -0500

gabriel_staicu

I encountered a variation of this problem: read-only LDAP, so the internal users of OpenStack (nova, cinder, etc.) could not be created in LDAP. They should be authenticated from SQL. The solution was provided by Ionut Artarisi from SUSE. He created a hybrid authentication. Here is the link: https://github.com/SUSE-Cloud/keystone-hybrid-backend


answered 2014-02-20 03:26:35 -0500

Assignments:

  • Projects
  • Roles
  • Role Assignments
  • Domains

Identity:

  • Users
  • Groups
  • Group Assignments

To have separate backends between the two, the following options in keystone.conf would work:

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

Source: http://adam.younglogic.com/2013/10/read-only-ldap-in-keystone/
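
One way to check a keystone.conf against the identity/assignment split shown above, as an added example that is not part of the original answers or of Keystone itself. The driver paths come from the answer; the `[ldap]` `*_allow_*` write switches are assumed to be the Havana-era option names for a read-only directory, and the sample file is constructed.

```python
import configparser

# Driver paths as given in the answer above.
EXPECTED_DRIVERS = {
    "identity": "keystone.identity.backends.ldap.Identity",
    "assignment": "keystone.assignment.backends.sql.Assignment",
}
# Assumption: Havana-era [ldap] write switches; all False for a read-only directory.
WRITE_FLAGS = [f"{kind}_allow_{op}" for kind in ("user", "group")
               for op in ("create", "update", "delete")]
FALSE_VALUES = {"false", "0", "no", "off"}

# Constructed sample, not taken from the original post.
SAMPLE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
user_allow_create = False
user_allow_update = False
user_allow_delete = True
"""


def audit_keystone_conf(text):
    """Return a list of findings for keystone.conf content passed as a string."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    for section, expected in EXPECTED_DRIVERS.items():
        actual = cfg.get(section, "driver", fallback=None)
        if actual != expected:
            findings.append(f"[{section}] driver is {actual!r}, expected {expected}")
    for flag in WRITE_FLAGS:
        value = cfg.get("ldap", flag, fallback=None)
        if value is None:
            # Reported so that the read-only intent is explicit in the file.
            findings.append(f"[ldap] {flag} is not set")
        elif value.strip().lower() not in FALSE_VALUES:
            findings.append(f"[ldap] {flag} = {value} permits writes to the directory")
    return findings


if __name__ == "__main__":
    for finding in audit_keystone_conf(SAMPLE_CONF):
        print(finding)
```

An empty list means the file uses LDAP for identity, SQL for assignment, and explicitly disables user and group writes to the directory.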
