[Rdo-list] LDAP configuration

Adam Young ayoung at redhat.com
Tue May 20 03:39:16 UTC 2014

On 05/16/2014 02:13 AM, Kashyap Chamarthy wrote:
> [Adding Adam Young and Robert Crittenden, as they may have some
> suggestions.]
> On Thu, May 15, 2014 at 09:02:56AM -0700, Erich Weiler wrote:
>> I second this request - I'm also extremely interested in plugging
>> keystone into an existing LDAP DIT.  I was hoping that I could use
>> pre-existing accounts in LDAP and maybe just add some attributes or
>> something along those lines for roles, tenants, etc...
>> Is that how it works?

Pretty much:  LDAP should be for Users and Groups, and the rest in SQL.

You do need service users, though, which can be an issue in some 
> I haven't tried LDAP w/ Keystone yet, but here are some references that
> might come in handy:
>   - Configuring Keystone for LDAP backend[1]
>   - LDAP configuration notes for Keystone from Grizzly release[2][3]
>   - Keystone integration w/ FreeIPA project where Tenants and Roles are managed by Keystone
>    [1] http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html
>    [2] http://docs.openstack.org/grizzly/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html
>    [3] http://docs.openstack.org/grizzly/openstack-compute/admin/content/reference-for-ldap-config-options.html
>    [4] http://openstack.redhat.com/Keystone_integration_with_IDM
>>> On May 15, 2014, at 6:54 AM, "Devine, Patrick D."
>>> <PATRICK.D.DEVINE at leidos.com> wrote:
>>> All,
>>> I have deployed the Havana version of Openstack via Foreman. However
>>> now I want to switch Keystone to utilize my LDAP server for
>>> authentication vs MySQL. I have followed the instructions for
>>> configuring the keystone.conf to point at my server but I haven't
>>> seen any documentation on how the LDAP should be populated. For
>>> example do I have to re-create all the user accounts for each
>>> openstack module? I get that I need to have a people, role, and
>>> project set up but there is nothing about what users are needed, how
>>> they relate to the project and roles.
>>> Has anyone got their Openstack working with LDAP and if so what does
>>> your LDAP look like?
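
A keystone.conf sketch of the split described in the reply (users and groups in LDAP, everything else in SQL), added here as an example and not taken from the thread. The option names are those of Havana-era Keystone; the host name, DNs, bind account, password and CA path are placeholders, and the attribute mappings assume an inetOrgPerson/groupOfNames directory.

```ini
# Example only: all host names, DNs and credentials below are placeholders.

[identity]
# Users and groups are read from the existing directory.
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Tenants/projects, roles and role grants stay in Keystone's SQL database,
# so the existing DIT needs no extra attributes or subtrees for them.
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldap://ldap.example.com
# StartTLS with certificate verification, so bind credentials and user
# passwords do not cross the network in clear text.
use_tls = True
tls_cacertfile = /etc/pki/tls/certs/example-ca.pem
tls_req_cert = demand

# Dedicated bind account; give it read-only access in the directory ACLs.
user = uid=keystone-bind,ou=Services,dc=example,dc=com
password = CHANGE_ME
suffix = dc=example,dc=com

# Existing accounts (assumed layout: ou=People, inetOrgPerson entries).
# Service users (see the reply above) must also be findable under this tree.
user_tree_dn = ou=People,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail

# Existing groups (assumed layout: ou=Groups, groupOfNames entries).
group_tree_dn = ou=Groups,dc=example,dc=com
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member

# Keystone only reads the directory: writes are refused at the Keystone
# layer in addition to the directory ACLs on the bind account.
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```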
