Enabling multi-domain setup for Keystone and Horizon.

  • 7019032
  • 23-May-2017
  • 07-Dec-2017

Environment

SUSE OpenStack Cloud 7

Situation

Enabling a multi-domain setup

Resolution

Create a new domain

A new domain is enabled and created by adding the LDAP domain configuration to a crowbar batch file (ldap.yaml below).

Proposals in ldap.yaml (note that the ldap section is nested under the domain name, ldap_users, inside domain_specific_config; if it is indented at the same level as domain_specific_config the domain is created empty):

    proposals:
    - barclamp: keystone
      attributes:
        domain_specific_drivers: true
        domain_specific_config:
          ldap_users:
            ldap:
              url: ldaps://ldap.example.com
              suffix: dc=example,dc=com
              user_tree_dn: ou=accounts,dc=example,dc=com
              user_objectclass: posixAccount
              user_id_attribute: uid
              user_name_attribute: uid
              group_tree_dn: ou=accounts,dc=example,dc=com
              group_objectclass: posixGroup
              group_id_attribute: gidNumber
              group_name_attribute: cn
              group_member_attribute: memberUid
              group_members_are_ids: true
              tls_cacertdir: "/etc/ssl/certs"
    - barclamp: horizon
      attributes:
        multi_domain_support: true

To create and commit the barclamp changes:

    crowbar batch build ldap.yaml

To verify that the domain works, list the users of the new domain (ldap_users is the domain name defined in ldap.yaml):

    openstack user list --domain ldap_users
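The batch file above fails silently when the indentation is wrong: with ldap: at the same level as domain_specific_config the domain is created without a backend and the user list stays empty. The following script is an added example and not SUSE or Crowbar code. It takes the proposals above as a Python dict (constructed inline so it runs without PyYAML or an LDAP server), checks that the structure is nested correctly, and checks the TLS-related options of the keystone [ldap] driver (use_tls, tls_cacertfile and tls_req_cert are standard keystone LDAP options; the check rules, the function names and the finding messages are this example's own).

```python
import copy
import re

# Constructed copy of the proposals above, as the dict the YAML parses to.
BATCH = {
    "proposals": [
        {"barclamp": "keystone", "attributes": {
            "domain_specific_drivers": True,
            "domain_specific_config": {"ldap_users": {"ldap": {
                "url": "ldaps://ldap.example.com",
                "suffix": "dc=example,dc=com",
                "user_tree_dn": "ou=accounts,dc=example,dc=com",
                "user_objectclass": "posixAccount",
                "user_id_attribute": "uid",
                "user_name_attribute": "uid",
                "group_tree_dn": "ou=accounts,dc=example,dc=com",
                "group_objectclass": "posixGroup",
                "group_id_attribute": "gidNumber",
                "group_name_attribute": "cn",
                "group_member_attribute": "memberUid",
                "group_members_are_ids": True,
                "tls_cacertdir": "/etc/ssl/certs",
            }}},
        }},
        {"barclamp": "horizon", "attributes": {"multi_domain_support": True}},
    ]
}

# Keys a per-domain [ldap] section needs before 'openstack user list --domain'
# can return anything useful (example's own minimal list).
REQUIRED_LDAP_KEYS = ("url", "suffix", "user_tree_dn", "user_objectclass",
                      "user_id_attribute", "user_name_attribute")


def check_ldap_section(domain, ldap):
    """Findings for one domain's [ldap] section (empty list == OK)."""
    findings = [f"{domain}: missing ldap.{k}" for k in REQUIRED_LDAP_KEYS if not ldap.get(k)]
    url = ldap.get("url", "")
    # Bind credentials and group membership travel over this connection:
    # require ldaps:// or STARTTLS (use_tls) instead of cleartext ldap://.
    if url.startswith("ldap://") and not ldap.get("use_tls"):
        findings.append(f"{domain}: {url} is cleartext LDAP; use ldaps:// or use_tls: true")
    tls = url.startswith("ldaps://") or bool(ldap.get("use_tls"))
    if tls and not (ldap.get("tls_cacertdir") or ldap.get("tls_cacertfile")):
        findings.append(f"{domain}: TLS without tls_cacertdir/tls_cacertfile; "
                        "the directory server certificate cannot be verified")
    # tls_req_cert=allow or never accepts an unverifiable server certificate.
    if str(ldap.get("tls_req_cert", "demand")).lower() != "demand":
        findings.append(f"{domain}: tls_req_cert should be demand")
    return findings


def check_batch(batch):
    """Return findings for the whole batch file (empty list == OK)."""
    findings = []
    attrs = {p.get("barclamp"): p.get("attributes") or {} for p in batch.get("proposals", [])}
    keystone = attrs.get("keystone")
    if keystone is None:
        return ["no keystone proposal in batch file"]
    if keystone.get("domain_specific_drivers") is not True:
        findings.append("keystone: domain_specific_drivers must be true")
    if "ldap" in keystone:
        # The symptom of an under-indented 'ldap:' key: it lands next to
        # domain_specific_config instead of under the domain name.
        findings.append("keystone: 'ldap' found at attributes level; "
                        "nest it under domain_specific_config.<domain>")
    domains = keystone.get("domain_specific_config") or {}
    if not domains:
        findings.append("keystone: domain_specific_config is empty")
    for domain, cfg in domains.items():
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", domain):
            findings.append(f"{domain!r}: domain name is awkward to pass on the CLI")
        ldap = (cfg or {}).get("ldap")
        if not isinstance(ldap, dict):
            findings.append(f"{domain}: no 'ldap' section under the domain")
            continue
        findings.extend(check_ldap_section(domain, ldap))
    if not (attrs.get("horizon") or {}).get("multi_domain_support"):
        findings.append("horizon: multi_domain_support must be true for a domain field on the login form")
    return findings


def misindented_batch():
    """Constructed variant of BATCH as parsed when 'ldap:' is indented at the
    domain_specific_config level: the domain is empty, ldap sits beside it."""
    bad = copy.deepcopy(BATCH)
    ks = bad["proposals"][0]["attributes"]
    ks["ldap"] = ks["domain_specific_config"]["ldap_users"].pop("ldap")
    ks["domain_specific_config"]["ldap_users"] = None
    return bad


if __name__ == "__main__":
    for label, batch in (("article config", BATCH), ("mis-indented", misindented_batch())):
        print(label, "->", check_batch(batch) or "OK")
```

Run it before `crowbar batch build ldap.yaml`; an empty finding list for the real file means the structure matches what keystone expects and the LDAP connection is encrypted and verified. To check an actual ldap.yaml, load it with a YAML parser and pass the resulting dict to check_batch.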

Assign a role to a user in a domain

The following commands will show all required information:

    openstack domain list
    openstack role list
    openstack user list --domain <domain_name>

    openstack role add \
    --user <user_id> \
    --domain <domain_id> \
    <role>

Assign a role to a group in a project

    openstack role add \
    --group mygroup \
    --group-domain ldap_users \
    --project myproject \
    Member



Additional Information

More information about the LDAP settings can be found in the OpenStack documentation:
https://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html
