Will sure give it a try! And from a kolla perspective, it means that
this file should go in /etc/kolla/config/domains/keystone.$DOMAIN.conf
in order to be pushed to the relevant containers?
--------------------------------------------------------------------------------
Christian Tardif
[email protected]
Please consider the environment before printing this message.
------ Original Message ------
From: "Dave Walker" <[email protected]>
To: "OpenStack Development Mailing List (not for usage questions)"
<[email protected]>
Sent: 2017-02-01 11:39:15
Subject: Re: [openstack-dev] [kolla] Domains support
Hi Christian,
I added the domain support, but I didn't document it as well as I
should have. Apologies!
This is the config I am using to talk to a Windows AD server. Hope
this helps.
Create a domain-specific file:
etc/keystone/domains/keystone.$DOMAIN.conf:
[ldap]
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600
use_auth_pool = false
auth_pool_size = 100
auth_pool_connection_lifetime = 60
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password = password
suffix = dc=example,dc=com
user_tree_dn = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
user_objectclass = person
user_filter = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_description_attribute = displayName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
group_tree_dn = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
group_name_attribute = name
group_id_attribute = cn
group_objectclass = group
group_member_attribute = member
[identity]
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment
--
Kind Regards,
Dave Walker
On 1 February 2017 at 05:03, Christian Tardif
<[email protected]> wrote:
Hi,
I'm looking for domains support in Kolla. I've searched, but didn't
find anything relevant. Could someone point me how to achieve this?
What I'm really looking for, in fact, is a decent way of setting auth
through LDAP backend while keeping service users (neutron, for
example) in the SQL backend. I know that this can be achieved with
domains support (leaving default domain on SQL, and another domain for
LDAP users). Or maybe there's another way of doing this?
Thanks,
--------------------------------------------------------------------------------
Christian Tardif
[email protected]
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
[email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
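
A check that can be run over a domain file like the one posted in the thread, as an added example that is not part of the thread or of kolla/keystone code: it flags LDAP URLs that would carry the bind password without TLS and shows how user_enabled_mask = 2 reads userAccountControl. The function names and finding labels are hypothetical, the sample is a constructed excerpt of the posted config, and the bitmask rule (enabled unless the masked bit is set) is an assumption about how the mask is applied.

```python
import configparser

# Constructed sample: a trimmed excerpt of the [ldap] section posted in the thread.
SAMPLE = """\
[ldap]
url = ldap://server1:389,ldap://server2:389
user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
password = password
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
"""


def audit_ldap(text):
    """Return findings (hypothetical labels) for the [ldap] section of a domain file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    ldap = cp["ldap"]
    urls = [u.strip().lower() for u in ldap.get("url", "").split(",") if u.strip()]
    start_tls = ldap.getboolean("use_tls", fallback=False)
    findings = []
    for u in urls:
        # ldap:// without StartTLS (use_tls) carries the bind password unencrypted.
        if u.startswith("ldap://") and not start_tls:
            findings.append("cleartext-transport:" + u)
    uses_tls = start_tls or any(u.startswith("ldaps://") for u in urls)
    # TLS only helps if the server certificate is actually verified.
    if uses_tls and ldap.get("tls_req_cert", "demand").lower() != "demand":
        findings.append("tls-cert-not-required")
    # The bind credential lives in this file, so it needs restrictive permissions.
    if ldap.get("password"):
        findings.append("bind-password-in-file")
    return findings


def is_enabled(user_account_control, mask=2):
    """Assumed bitmask rule: the account is enabled unless the masked bit is set."""
    return (int(user_account_control) & mask) != mask


if __name__ == "__main__":
    for finding in audit_ldap(SAMPLE):
        print(finding)
    # 512 = normal account, 514 = normal account with the disable bit (2) set.
    print(is_enabled(512), is_enabled(514))
```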