OK great !!!

Now, I have a working LDAP setup!  Thanks for your help.

Now, about the modifications done to Horizon's config file (in fact, in local_settings), I had to perform these changes through the local_settings.j2 template file. Is this the place where modifications go, or is there any place in kolla's override config directory where I could set that?

--------------------------------------------------------------------------------
Christian Tardif




------ Original Message ------
From: "Gema Gomez" <g...@ggomez.me>
To: openstack-dev@lists.openstack.org
Sent: 2017-02-02 14:10:51
Subject: Re: [openstack-dev] [kolla] Domains support

Hi,

we've done this last week at Linaro. I have documented the process in a
blog post that is a walkthrough of a post by Steve Martinelli[1] from
the keystone team:

http://thetestingcorner.com/2017/01/30/ldap-authentication-for-openstack/

At the bottom of it there is a gerrit review with a patch to our ansible playbooks that adds support for LDAP authentication. We kept the default
domain for services accounts and any other that needs to be managed
outside LDAP and then we have the LDAP domain for the actual end users.

Happy to review any patches or help with whichever one you are producing.

Hope that helps,
Gema

[1]
https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/

On 02/02/17 16:07, Dave Walker wrote:
 Try /etc/kolla/config/keystone/domains/keystone.$DOMAIN.conf

 Thanks

 On 2 February 2017 at 00:20, Christian Tardif <christian.tar...@servinfo.ca> wrote:

     Will sure give it a try ! And from a kolla perspective, it means
     that this file should go in
     /etc/kolla/config/domains/keystone.$DOMAIN.conf in order to be
     pushed to the relevant containers ?
     ------------------------------------------------------------------------

     Christian Tardif
     christian.tar...@servinfo.ca

     Please consider the environment before printing this message.




     ------ Original Message ------
     From: "Dave Walker" <em...@daviey.com>
     To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
     Sent: 2017-02-01 11:39:15
     Subject: Re: [openstack-dev] [kolla] Domains support

     Hi Christian,

     I added the domain support, but I didn't document it as well as I
     should have. Apologies!

     This is the config I am using to talk to a windows AD server.
     Hope this helps.

     create a domain specific file:
     etc/keystone/domains/keystone.$DOMAIN.conf:

     [ldap]
     use_pool = true
     pool_size = 10
     pool_retry_max = 3
     pool_retry_delay = 0.1
     pool_connection_timeout = -1
     pool_connection_lifetime = 600
     use_auth_pool = false
     auth_pool_size = 100
     auth_pool_connection_lifetime = 60
     url = ldap://server1:389,ldap://server2:389
     user = CN=Linux SSSD Kerberos Service Account,CN=Users,DC=example,DC=com
     password                 = password
     suffix                   = dc=example,dc=com
     user_tree_dn             = OU=Personnel,OU=Users,OU=example,DC=example,DC=com
     user_objectclass         = person
     user_filter              = (memberOf=CN=mail,OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com)
     user_id_attribute        = sAMAccountName
     user_name_attribute      = sAMAccountName
     user_description_attribute = displayName
     user_mail_attribute      = mail
     user_pass_attribute      =
     user_enabled_attribute   = userAccountControl
     user_enabled_mask        = 2
     user_enabled_default     = 512
     user_attribute_ignore    = password,tenant_id,tenants
     group_tree_dn            = OU=GPO Security,OU=Groups,OU=COMPANY,DC=example,DC=com
     group_name_attribute     = name
     group_id_attribute       = cn
     group_objectclass        = group
     group_member_attribute   = member

     [identity]
     driver = keystone.identity.backends.ldap.Identity

     [assignment]
     driver = keystone.assignment.backends.sql.Assignment

     --
     Kind Regards,
     Dave Walker

     On 1 February 2017 at 05:03, Christian Tardif <christian.tar...@servinfo.ca> wrote:

         Hi,

         I'm looking for domains support in Kolla. I've searched, but
         didn't find anything relevant. Could someone point me how to
         achieve this?

         What I'm really looking for, in fact, is a decent way of
         setting auth through LDAP backend while keeping service users
         (neutron, for example) in the SQL backend. I know that this
         can be achieved with domains support (leaving default domain
         on SQL, and another domain for LDAP users). Or maybe there's
         another way of doing this?

         Thanks,
         ------------------------------------------------------------------------

         Christian Tardif
         christian.tar...@servinfo.ca


         __________________________________________________________________________
         OpenStack Development Mailing List (not for usage questions)
         Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
         http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
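
An added example, not part of the original thread and not Kolla or keystone code: a small Python check of the transport settings in a domain file like the one Dave Walker posted, which binds over ldap:// on port 389. The sample file is constructed, `use_tls` and `tls_req_cert` are existing keystone `[ldap]` options, and the function name `audit_domain_conf` is hypothetical.

```python
import configparser

# Constructed sample with the same shape as the domain file quoted in the
# thread; host names and the bind account are placeholders.
SAMPLE = """\
[ldap]
url = ldap://server1:389,ldap://server2:389
user = CN=svc-keystone,CN=Users,DC=example,DC=com
password = password
suffix = dc=example,dc=com
"""


def audit_domain_conf(text):
    """Return transport and secret-handling findings for the [ldap] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("ldap"):
        return ["no [ldap] section found"]
    ldap = cp["ldap"]
    findings = []
    urls = [u.strip() for u in ldap.get("url", "").split(",") if u.strip()]
    use_tls = ldap.getboolean("use_tls", fallback=False)
    schemes = {u.split("://", 1)[0].lower() for u in urls}
    # Plain ldap:// without StartTLS exposes the service-account bind and
    # every end-user password that keystone checks against the directory.
    for u in urls:
        if u.lower().startswith("ldap://") and not use_tls:
            findings.append(f"cleartext: {u} sends the bind password and "
                            "user credentials unencrypted")
    # use_tls means StartTLS on ldap:// and is not meant to be set with ldaps://.
    if use_tls and "ldaps" in schemes:
        findings.append("conflict: use_tls (StartTLS) set together with ldaps://")
    encrypted = use_tls or "ldaps" in schemes
    if encrypted and ldap.get("tls_req_cert", "demand").strip().lower() != "demand":
        findings.append("weak-verify: tls_req_cert is not 'demand'")
    if ldap.get("password", "").strip():
        findings.append("secret: bind password stored inline; keep the "
                        "override file out of version control")
    return findings


if __name__ == "__main__":
    for line in audit_domain_conf(SAMPLE):
        print(line)
```
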
