How do I combine Active Directory and SQL authentication for Keystone?

asked 2013-12-10 09:44:14 -0600

mismith

updated 2013-12-14 10:25:30 -0600

nickchase

One of the features touted when Havana was released was the following:

"For example, you can now tie login information to your corporate LDAP (or Active Directory) server, while having role and group management handled on the OpenStack SQL server."

However, I haven't been able to find any documentation on combining AD authentication with SQL-based role and group management in Keystone.

Has anyone implemented this that is willing to share how this is done please?


2 answers


answered 2014-02-20 03:26:35 -0600


  • Projects
  • Roles
  • Role Assignments
  • Domains


  • Users
  • Groups
  • Group Assignments

To have separate backends between the two, the following options in keystone.conf would work:

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

Source: (

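The following is an added example, not part of the answer above and not Keystone's own code: a small Python check that a keystone.conf really uses the LDAP identity / SQL assignment split, binds to the directory over TLS, and cannot write to a corporate Active Directory. The `audit` helper, the host name and the DNs are constructed for illustration; the `[ldap]` option names are assumed to be the Havana-era Keystone options.

```python
import configparser

# Constructed sample keystone.conf; host name and DNs are placeholders.
SAMPLE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldap://ad.example.com
user = CN=svc-keystone,OU=Service,DC=example,DC=com
suffix = DC=example,DC=com
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_name_attribute = sAMAccountName
user_allow_create = False
user_allow_update = False
"""

EXPECTED_DRIVERS = {
    "identity": "keystone.identity.backends.ldap.Identity",
    "assignment": "keystone.assignment.backends.sql.Assignment",
}
WRITE_FLAGS = [f"{obj}_allow_{op}"
               for obj in ("user", "group")
               for op in ("create", "update", "delete")]


def audit(conf_text):
    """Return findings for an LDAP-identity / SQL-assignment Keystone setup."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    findings = []
    for section, driver in EXPECTED_DRIVERS.items():
        if cfg.get(section, "driver", fallback="") != driver:
            findings.append(f"[{section}] driver is not {driver}")
    # A plain ldap:// URL without StartTLS sends the bind password in cleartext.
    url = cfg.get("ldap", "url", fallback="")
    if not url.startswith("ldaps://") and not cfg.getboolean("ldap", "use_tls", fallback=False):
        findings.append("LDAP bind is cleartext: use ldaps:// or use_tls = True")
    # Assumption: these flags default to True, so an absent flag leaves writes enabled.
    for flag in WRITE_FLAGS:
        if cfg.getboolean("ldap", flag, fallback=True):
            findings.append(f"{flag} is not False: Keystone may write to the directory")
    return findings
```

Run against the sample, `audit(SAMPLE_CONF)` reports the cleartext bind and the four write flags that were left unset.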

answered 2014-02-27 04:17:42 -0600

gabriel_staicu

I encountered a variation of this problem: read-only LDAP, so the internal users of OpenStack (nova, cinder, etc.) could not be created in LDAP. They should be authenticated from SQL. The solution was provided by Ionut Artarisi from SUSE. He created a hybrid authentication. Here is the link:



Asked: 2013-12-10 09:44:14 -0600

Seen: 810 times

Last updated: Feb 27 '14