How to configure multiple domains?

Content

Configuring Keystone

  1. Add the following options to /etc/keystone/keystone.conf:

    [identity]
driver = keystone.identity.backends.sql.Identity
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

  2. Create directory /etc/keystone/domains:

    mkdir /etc/keystone/domains

  3. Create config file named keystone .DOMAIN_NAME.conf, where DOMAIN_NAME is name of domain to OpenStack. For example, if the domain is going to be named “ACME”, then:

    > /etc/keystone/domains/keystone.ACME.conf

  4. Specify the following parameters in the configuration:

    [identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://LDAP_IP
user = cn=admin,cn=Users,dc=example,dc=com
password = openstack
suffix = dc=example,dc=com
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = cn=Users,dc=example,dc=com
user_objectclass = InetOrgPerson

group_tree_dn = cn=Groups,dc=example,dc=com
group_objectclass = groupOfNames

user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_allow_create = False
group_allow_update = False
group_allow_delete = False

  5. In Active Directory and Samba 4 other objectclasses are used for user and group:

    [ldap]
...
user_objectclass = person
group_objectclass = group

    Note

    An example of setting up integration with Active Directory (AD) can be found here.

  6. Specify mapping of LDAP attributes and Keystone data types:

    user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_pass_attribute = userPassword
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute =
group_desc_attribute = description
group_filter =

  7. Restart the web server service:

    systemctl restart apache2

  8. Restart keystone service:

    systemctl restart keystone

Setting Keystone Data

  1. Configure environment for login to OpenStack:

    source admin-openrc

  2. Create domain ACME:

    openstack domain create ACME

  3. Try to get a list of users of domain ACME:

    openstack user list --domain ACME

+------------------------------------------------------------------+----------------+
| ID                                                               | Name           |
+------------------------------------------------------------------+----------------+
| ae7a1e0c022ab806247cb9dc69bd1bd0f157f9d87161e5e20f64f554e418cb8d | admin          |
| 2b19a3543055bab1443e52385facaf652462199c346731c667f226396c7ba6a1 | Guest          |
+------------------------------------------------------------------+----------------+

  4. Create project admin in domain ACME:

    openstack project create --domain ACME admin

  5. Add an admin user with administrative rights to the project admin in domain ACME:

    openstack role add --user-domain ACME --project-domain ACME --project admin --user admin admin

  6. Give administrator rights to the admin user on domain ACME:

    openstack role add --user-domain ACME --user admin --domain ACME admin

  7. Try signing in to the cloud through the web interface using these credentials.