PDA

View Full Version : Keystone and Active Directory



tabaraho
05-Jan-2015, 16:52
I'm struggling trying to configure Keystone with AD support. Since the documentation of suse-cloud 4 is very short I ask here for advice.
I already tried to edit the configuration in Crowbar/Keystone and deployed it without success. My goal is to setup a read-only AD for Keystone.

"identity": {
"driver": "keystone.identity.backends.ldap.Identity"

"assignment": {
"driver": "keystone.assignment.backends.sql.Assignment"

In the LDAP section I edit everything that it seems to be needed. But after applying the changes I get an error starting with

Failed to talk to keystone in add_user
...


Is there further documentation from the side of SUSE? Could you please provide some advice?

Cheers

rhafer
08-Jan-2015, 16:23
I'm struggling trying to configure Keystone with AD support. Since the documentation of suse-cloud 4 is very short I ask here for advice.
I already tried to edit the configuration in Crowbar/Keystone and deployed it without success. My goal is to setup a read-only AD for Keystone.

For read-only LDAP/AD access it's probably best to use the keystone hybrid backend. Crowbar currently expects to be able to create/modify some users in keystone. Those are mainly the default "admin" and "crowbar" users plus some service specific users for the various openstack services. The hybrid backend solves that by storing those users in the SQL database while taking all other users from the LDAP/AD database. We released that backend recently for Cloud 4 as part of a maintenance update for the keystone packages. So make sure to have the latest updates installed.




"identity": {
"driver": "keystone.identity.backends.ldap.Identity"

"assignment": {
"driver": "keystone.assignment.backends.sql.Assignment"

For the hybrid backend please set the drivers to: "keystone.identity.backends.hybrid.Identity" and "keystone.assignment.backends.hybrid.Assignment". Configure the rest of the LDAP options as "normal".



[..]
Is there further documentation from the side of SUSE? Could you please provide some advice?


more information on the hybrid backend can be found here: https://github.com/SUSE-Cloud/keystone-hybrid-backend
An update of the respective chapter of the deployment guide is also planned AFAIK.

regards,

Ralf

tabaraho
26-Mar-2015, 13:22
For read-only LDAP/AD access it's probably best to use the keystone hybrid backend. Crowbar currently expects to be able to create/modify some users in keystone. Those are mainly the default "admin" and "crowbar" users plus some service specific users for the various openstack services. The hybrid backend solves that by storing those users in the SQL database while taking all other users from the LDAP/AD database. We released that backend recently for Cloud 4 as part of a maintenance update for the keystone packages. So make sure to have the latest updates installed.


For the hybrid backend please set the drivers to: "keystone.identity.backends.hybrid.Identity" and "keystone.assignment.backends.hybrid.Assignment". Configure the rest of the LDAP options as "normal".



more information on the hybrid backend can be found here: https://github.com/SUSE-Cloud/keystone-hybrid-backend
An update of the respective chapter of the deployment guide is also planned AFAIK.

regards,

Ralf


Hi Ralf,

Thank you for the advice. I did accomplished to connect to the AD following the both the github guide and the official Suse Doc. With the "keystone user-list" command I can retrieve the list of AD users. But Im not able any more to login as Admin. I get this error in the keystone.log

WARNING keystone.common.wsgi [-] Could not find project, demo.

Before I try to enable AD users in Suse Cloud I would like to find out what the problem is. Do you have an idea?

Cheers