Enabling multi-domain setup for Keystone and Horizon.
This document (7019032) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Resolution
Enabling and creating a new LDAP-backed domain can be done with a Crowbar batch file, referred to here as ldap.yaml. The keystone proposal turns on domain-specific drivers and defines the domain "ldap_users" with an LDAP backend; the horizon proposal enables multi-domain support in the dashboard:

proposals:
- barclamp: keystone
  attributes:
    domain_specific_drivers: true
    domain_specific_config:
      ldap_users:
        ldap:
          url: ldaps://ldap.example.com
          suffix: dc=example,dc=com
          user_tree_dn: ou=accounts,dc=example,dc=com
          user_objectclass: posixAccount
          user_id_attribute: uid
          user_name_attribute: uid
          group_tree_dn: ou=accounts,dc=example,dc=com
          group_objectclass: posixGroup
          group_id_attribute: gidNumber
          group_name_attribute: cn
          group_member_attribute: memberUid
          group_members_are_ids: true
          tls_cacertdir: "/etc/ssl/certs"
- barclamp: horizon
  attributes:
    multi_domain_support: true

Because the URL uses ldaps://, the directory named in tls_cacertdir must contain the CA certificate that issued the LDAP server's certificate, or the TLS connection will fail to validate.
To create and commit the barclamp changes:
crowbar batch build ldap.yaml
To verify this works, list the users of the new domain:

openstack user list --domain ldap_users
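As an added illustration (not part of this article and not Keystone's own code), the following Python simulates how the attribute mapping in ldap.yaml drives group membership resolution: with posixGroup/memberUid, group_members_are_ids must be true, otherwise the bare uid values would be interpreted as DNs and match no user entry. The directory entries are constructed for the example.

```python
# Added example (not from the SUSE article, not Keystone's own code): simulates how
# Keystone's LDAP driver resolves group members under the ldap.yaml attribute mapping.

LDAP_MAPPING = {
    "user_objectclass": "posixAccount",
    "user_id_attribute": "uid",
    "group_objectclass": "posixGroup",
    "group_name_attribute": "cn",
    "group_member_attribute": "memberUid",
    "group_members_are_ids": True,
}

# Constructed directory: two posixAccount users and one posixGroup whose
# memberUid values are bare uids (one of them stale, with no user entry).
DIRECTORY = [
    {"dn": "uid=alice,ou=accounts,dc=example,dc=com",
     "objectClass": ["posixAccount"], "uid": ["alice"]},
    {"dn": "uid=bob,ou=accounts,dc=example,dc=com",
     "objectClass": ["posixAccount"], "uid": ["bob"]},
    {"dn": "cn=cloud-admins,ou=accounts,dc=example,dc=com",
     "objectClass": ["posixGroup"], "cn": ["cloud-admins"],
     "gidNumber": ["5000"], "memberUid": ["alice", "bob", "ghost"]},
]

def users_in_group(group_name, mapping, directory):
    """Return sorted Keystone user IDs belonging to the named group.

    group_members_are_ids=True: member values are user IDs, matched against
    user_id_attribute (correct for posixGroup/memberUid).
    group_members_are_ids=False: member values must be full DNs, as with
    groupOfNames/member; bare uids then match nothing.
    """
    users = [e for e in directory
             if mapping["user_objectclass"] in e["objectClass"]]
    groups = [e for e in directory
              if mapping["group_objectclass"] in e["objectClass"]
              and group_name in e.get(mapping["group_name_attribute"], [])]
    if not groups:
        return []
    members = groups[0].get(mapping["group_member_attribute"], [])
    if mapping["group_members_are_ids"]:
        known = {u[mapping["user_id_attribute"]][0] for u in users}
        # Stale IDs with no matching user entry are dropped, never invented.
        return sorted(m for m in members if m in known)
    by_dn = {u["dn"].lower(): u[mapping["user_id_attribute"]][0] for u in users}
    return sorted(by_dn[m.lower()] for m in members if m.lower() in by_dn)

if __name__ == "__main__":
    print(users_in_group("cloud-admins", LDAP_MAPPING, DIRECTORY))
```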
Assign Role to a user in a Domain
The following commands show all required information (domain IDs, role names and user IDs):

openstack domain list
openstack role list
openstack user list --domain <domain_id>

Then assign the role to the user within the domain:

openstack role add \
  --user <user_id> \
  --domain <domain_id> \
  <role>
Assign Role to a group in a project
openstack role add \
  --group mygroup \
  --group-domain ldap_users \
  --project myproject \
  Member
Cause
Additional Information
https://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7019032
- Creation Date: 23-May-2017
- Modified Date: 03-Mar-2020
- SUSE OpenStack Cloud
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com