
How to add users from Active Directory/LDAP to an existing Keystone?

asked 2013-12-18 09:35:28 -0500 by Y Sertdemir, updated 2014-06-09 16:53:49 -0500 by smaffulli


I am using the default Keystone installation on Grizzly; I guess it is SQL-backed. I want OpenStack users to come from an Active Directory server via LDAP integration. Can I do it without changing the service users? I have nova, glance, etc. users; do I need to migrate them to Active Directory?


3 answers


answered 2014-06-07 12:10:31 -0500, updated 2014-06-09 16:51:24 -0500 by smaffulli

You need to create the service users in LDAP. As of now that is the only way to do it. There are other options, which are not that trivial:

1) Wait for Juno, where Keystone is going to support a backend per domain. So you can have all your service users in SQL and other users in LDAP.

2) Write your own middleware and insert it in the Keystone pipeline. Default Keystone is configured to use LDAP. Your middleware will do the user lookup in SQL only for service users; for other users the Keystone LDAP driver will do it, i.e. if auth fails from the configured LDAP driver, check if the user is a service user and, if so, authenticate them using the SQL backend.


answered 2013-12-19 17:09:24 -0500




My main question is how I can integrate the glance, nova and quantum users in the default Keystone into an AD-backed Keystone. I guess the service users will not be able to connect to Keystone; therefore, services will not be available until I create those users in the AD. Am I right?

Y Sertdemir (2013-12-20 00:37:57 -0500)

answered 2014-06-07 09:26:38 -0500 by mpetason

You'll have to add the users in AD if you change the backend for Keystone to LDAP. The users need to exist where Keystone is looking for users.

I'd recommend looking into assignment + identity in Keystone; it was introduced in Havana. It makes the whole setup process 100 times easier. The most frustrating/difficult part of setting up AD for Keystone in Grizzly is getting the roles and tenants configured correctly. You could skip the frustration by using SQL for assignment (Roles, Projects) and LDAP for identity (Users, Groups). In this case you would still need to add the service users to AD.

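A keystone.conf fragment showing the Havana-style split described in the answer above (identity from AD over LDAP, assignment in SQL), added here as a constructed example rather than configuration from the thread or the Keystone project; the AD host, bind account, base DNs and passwords are placeholders to replace with your own:

```ini
# keystone.conf (Havana) fragment: constructed example, placeholders throughout.
# Users and groups come from Active Directory; roles and projects stay in SQL.
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[sql]
connection = mysql://keystone:DB_PASSWORD@dbhost/keystone

[ldap]
# StartTLS on 389; use_tls must be True for the tls_* options below to apply.
url = ldap://ad.example.com:389
use_tls = True
tls_cacertfile = /etc/keystone/ad-ca.pem
tls_req_cert = demand
# Read-only bind account: Keystone only searches and binds, never writes.
user = CN=keystone-reader,OU=Service Accounts,DC=example,DC=com
password = BIND_PASSWORD
suffix = DC=example,DC=com
query_scope = sub

# Users: AD accounts are objectClass person; sAMAccountName is the login name.
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
# userAccountControl is a bitmask; bit 0x2 means the account is disabled.
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# Keystone must not create, change or delete AD accounts; the nova, glance
# and other service users are created in AD by an administrator.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Groups: AD security groups, whose member attribute lists user DNs.
group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```

With this split, role and tenant assignments are still managed with the usual Keystone tooling against SQL, while every user that must authenticate (service accounts included) has to exist under user_tree_dn in AD.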
