
How do I combine Active Directory and SQL authentication for Keystone?

asked 2013-12-10 09:44:14 -0500

mismith

updated 2013-12-14 10:25:30 -0500

nickchase

One of the features touted when Havana was released was the following:

"For example, you can now tie login information to your corporate LDAP (or Active Directory) server, while having role and group management handled on the OpenStack SQL server."

However, I haven't been able to find any documentation on combining AD authentication with SQL-based role and group management in Keystone.

Has anyone implemented this that is willing to share how this is done please?


2 answers


answered 2014-02-27 04:17:42 -0500

gabriel_staicu

I encountered a variation of this problem: read-only LDAP, so the internal users of OpenStack (nova, cinder, etc.) could not be created in LDAP. They should be authenticated from SQL. The solution was provided by Ionut Artarisi from SUSE. He created a hybrid authentication. Here is the link:


answered 2014-02-20 03:26:35 -0500


  • Projects
  • Roles
  • Role Assignments
  • Domains


  • Users
  • Groups
  • Group Assignments

To have separate backends between the two, the following options in keystone.conf would work:

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

Source: (

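An added example, not part of either answer and not Keystone's own code: a small audit of a keystone.conf that uses the LDAP identity driver with the SQL assignment driver, checking that the directory connection uses TLS and that Keystone cannot write users to Active Directory. The `audit` helper, the host name, the DNs and the bind account are assumptions made for illustration; the `[ldap]` option names are the Havana-era ones.

```python
import configparser

LDAP_IDENTITY = "keystone.identity.backends.ldap.Identity"
SQL_ASSIGNMENT = "keystone.assignment.backends.sql.Assignment"

# Constructed sample keystone.conf: every host name, DN and credential below
# is a placeholder, not a value from the original post.
SAMPLE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldaps://ad.example.com
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=com
password = CHANGE_ME
suffix = DC=example,DC=com
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_allow_create = False
user_allow_update = False
user_allow_delete = False
"""

def audit(conf_text):
    """Return a list of findings for a split LDAP/SQL Keystone config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    if cp.get("identity", "driver", fallback="") != LDAP_IDENTITY:
        findings.append("identity driver is not the LDAP backend")
    if cp.get("assignment", "driver", fallback="") != SQL_ASSIGNMENT:
        findings.append("assignment driver is not the SQL backend")
    # Bind and user passwords cross the wire: require LDAPS or StartTLS.
    url = cp.get("ldap", "url", fallback="")
    use_tls = cp.get("ldap", "use_tls", fallback="false").lower() == "true"
    if not (url.lower().startswith("ldaps://") or use_tls):
        findings.append("LDAP connection is not protected by TLS")
    # Keystone should never write users to the corporate directory.
    for op in ("create", "update", "delete"):
        opt = "user_allow_" + op
        if cp.get("ldap", opt, fallback="").lower() != "false":
            findings.append(opt + " is not explicitly set to False")
    return findings
```

With the identity backend in a read-only directory, the service accounts (nova, cinder and so on) must already exist there, which is the situation the other answer describes.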




Asked: 2013-12-10 09:44:14 -0500

Seen: 1,484 times

Last updated: Feb 27 '14