openstack/openstack-ansible
Code Issues Proposed changes
openstack-ansible/doc/source/install-guide/configure-keystone.rst
Jesse Pretorius 54808a7802 Implement multi-domain LDAP configuration for Keystone 
This patch changes the keystone_ldap configuration to allow multiple
LDAP identity back-end configurations to be implemented.

Example implementation in user_variables.yml:

keystone_ldap:
  Users:
    url: "ldap://10.10.10.10"
    user: "root"
    password: "secrete"
    ...
  Admins:
    url: "ldap://20.20.20.20"
    user: "root"
    password: "secrete"
    ...

This will place two configuration files into /etc/keystone/domains/,
both of which will be configured to use the LDAP driver.

 - keystone.Users.conf
 - keystone.Admins.conf

Each first level key entry is a domain name. Each entry below that
are key-value pairs for the 'ldap' section in the configuration
file.

Note that the reason why only LDAP is catered for is due to the fact
that LDAP is the only supported driver in OpenStack for
Domain-specific configuration files.

Also the reason that only the identity back-end is catered for is that
the LDAP driver for the role, resource and assignment back-ends have
been deprecated and are scheduled for removal in Mitaka.

UpgradeImpact:

- keystone_ldap's first key tier is now the domain name.
  An existing keystone_ldap configuration entry can be converted by
  renaming the 'ldap' key to the domain name 'Default'.
  **Note** that the domain name entry is case-sensitive.

- keystone_ldap_identity_driver has been removed, as the driver
  for ldap is now simply 'ldap' and there are no other back-end
  options for Keystone at this time.

Change-Id: Ifa4c42f7dbcc40a256a3156f74f0150384f9ab87
2016-01-26 13:08:57 +00:00

2.2 KiB
Raw Blame History

Home OpenStack-Ansible Installation Guide

Configuring Keystone (optional)

Customizing the Keystone deployment is done within /etc/openstack_deploy/user_variables.yml.

Securing Keystone communication with SSL certificates

The OpenStack-Ansible project provides the ability to secure Keystone communications with self-signed or user-provided SSL certificates.

Refer to Securing services with SSL certificates for available configuration options.

Implementing LDAP (or AD) Back-Ends

In many environments there may already be a LDAP (or Active Directory) service available which already has Users, Groups and User-Group assignment data. Keystone can be configured to make use of the LDAP service using Domain-specific Back-End configuration.

While it is possible to set the Keystone Identity Back-End to use LDAP for the Default domain, this is not recommended. It is a better practice to use the Default domain for service accounts and to configure additional Domains for LDAP services which provide general User/Group data.

Example implementation in user_variables.yml:

keystone_ldap:
Users:

url: "ldap://10.10.10.10" user: "root" password: "secrete" ...

Admins:

url: "ldap://20.20.20.20" user: "root" password: "secrete" ...

This will place two configuration files into /etc/keystone/domains/, both of which will be configured to use the LDAP driver.

  • keystone.Users.conf
  • keystone.Admins.conf

Each first level key entry is a domain name. Each entry below that are key-value pairs for the 'ldap' section in the configuration file.

More details regarding valid configuration for the LDAP Identity Back-End can be found in the Keystone Developer Documentation and the OpenStack Admin Guide.