How to configure multiple domains?

Configuring Keystone

  1. Add the following options to /etc/keystone/keystone.conf:

    [identity]
    driver = keystone.identity.backends.sql.Identity
    domain_specific_drivers_enabled = True
    domain_config_dir = /etc/keystone/domains
    
  2. Create the directory /etc/keystone/domains:

    mkdir /etc/keystone/domains
    
  3. Create a config file named keystone.DOMAIN_NAME.conf, where DOMAIN_NAME is the name of the domain in OpenStack. For example, if the domain is going to be named “ACME”, then:

    > /etc/keystone/domains/keystone.ACME.conf
    
  4. Specify the following parameters in the configuration:

    [identity]
    driver = keystone.identity.backends.ldap.Identity
    
    [ldap]
    url = ldap://LDAP_IP
    user = cn=admin,cn=Users,dc=example,dc=com
    password = openstack
    suffix = dc=example,dc=com
    use_dumb_member = False
    allow_subtree_delete = False
    
    user_tree_dn = cn=Users,dc=example,dc=com
    user_objectclass = InetOrgPerson
    
    group_tree_dn = cn=Groups,dc=example,dc=com
    group_objectclass = groupOfNames
    
    user_allow_create = False
    user_allow_update = False
    user_allow_delete = False
    
    group_allow_create = False
    group_allow_update = False
    group_allow_delete = False
    
  5. Active Directory and Samba 4 use different object classes for users and groups:

    [ldap]
    ...
    user_objectclass = person
    group_objectclass = group
    

    Note

    An example of setting up integration with Active Directory (AD) can be found here.

  6. Specify the mapping between LDAP attributes and Keystone user and group fields (these options go in the same [ldap] section):

    user_id_attribute = cn
    user_name_attribute = cn
    user_mail_attribute = mail
    user_pass_attribute = userPassword
    group_id_attribute = cn
    group_name_attribute = cn
    group_member_attribute =
    group_desc_attribute = description
    group_filter =
    
  7. Restart the web server service:

    systemctl restart apache2
    
  8. Restart the keystone service:

    systemctl restart keystone
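
    The steps above leave the LDAP bind password in clear text inside
    /etc/keystone/domains/keystone.ACME.conf. The following Python script is an
    added example (it is not part of this how-to and not Keystone's own code):
    it writes a domain config file with the same options as steps 3-6 using
    owner-only permissions, and then lints such a file for the mistakes that
    matter in practice: wrong file name, group/world-readable mode, a backend
    that is not read-only, and a plain ldap:// URL without use_tls (a real
    Keystone [ldap] option) so that bind credentials would travel unencrypted.
    The helper names, the check list and the temporary directory used in the
    demo are this example's own assumptions.

```python
"""Write and lint a Keystone domain-specific LDAP config (added example)."""
import configparser
import os
import re
import stat
import tempfile
from pathlib import Path

# Keystone loads domain-specific files named keystone.<DOMAIN>.conf.
DOMAIN_FILE_RE = re.compile(r"^keystone\.(?P<domain>.+)\.conf$")

# Options that keep the LDAP backend read-only, as in the how-to above.
READ_ONLY_FLAGS = (
    "user_allow_create", "user_allow_update", "user_allow_delete",
    "group_allow_create", "group_allow_update", "group_allow_delete",
)


def write_domain_config(domain_dir, domain, ldap_url, bind_dn, bind_password, suffix):
    """Write keystone.<DOMAIN>.conf and return its path.

    The file holds the bind password in clear text, so it is created with
    mode 0600 before any content is written (os.open instead of open()).
    """
    domain_dir = Path(domain_dir)
    domain_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    path = domain_dir / f"keystone.{domain}.conf"

    cfg = configparser.ConfigParser()
    cfg["identity"] = {"driver": "keystone.identity.backends.ldap.Identity"}
    cfg["ldap"] = {
        "url": ldap_url,
        "user": bind_dn,
        "password": bind_password,
        "suffix": suffix,
        "use_dumb_member": "False",
        "allow_subtree_delete": "False",
        "user_tree_dn": f"cn=Users,{suffix}",
        "user_objectclass": "InetOrgPerson",
        "group_tree_dn": f"cn=Groups,{suffix}",
        "group_objectclass": "groupOfNames",
        **{flag: "False" for flag in READ_ONLY_FLAGS},
        "user_id_attribute": "cn",
        "user_name_attribute": "cn",
        "user_mail_attribute": "mail",
        "user_pass_attribute": "userPassword",
        "group_id_attribute": "cn",
        "group_name_attribute": "cn",
        "group_desc_attribute": "description",
    }
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    return path


def lint_domain_config(path):
    """Return a list of findings for a domain config file; [] means it passes."""
    path = Path(path)
    findings = []
    if not DOMAIN_FILE_RE.match(path.name):
        findings.append(f"{path.name}: file name must be keystone.<DOMAIN>.conf")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path.name}: mode {mode:o} is group/world accessible; use 0600")

    cfg = configparser.ConfigParser()
    cfg.read(path)
    if cfg.get("identity", "driver", fallback="") != "keystone.identity.backends.ldap.Identity":
        findings.append("identity.driver is not the LDAP identity driver")
    if not cfg.has_section("ldap"):
        findings.append("missing [ldap] section")
        return findings

    ldap = cfg["ldap"]
    for key in ("url", "user", "password", "suffix", "user_tree_dn", "group_tree_dn"):
        if not ldap.get(key, ""):
            findings.append(f"ldap.{key} is empty or missing")
    if ldap.get("url", "").startswith("ldap://") and not ldap.getboolean("use_tls", fallback=False):
        findings.append("ldap.url is plain ldap:// without use_tls: bind credentials travel unencrypted")
    # Keystone defaults these flags to True, so a missing flag is also a finding.
    for flag in READ_ONLY_FLAGS:
        if ldap.getboolean(flag, fallback=True):
            findings.append(f"ldap.{flag} is not False: backend would be writable")
    return findings


if __name__ == "__main__":
    # Demo in a temporary directory instead of /etc/keystone/domains (assumption).
    with tempfile.TemporaryDirectory() as tmp:
        conf = write_domain_config(tmp, "ACME", "ldap://LDAP_IP",
                                   "cn=admin,cn=Users,dc=example,dc=com",
                                   "openstack", "dc=example,dc=com")
        for finding in lint_domain_config(conf) or ["no findings"]:
            print(finding)
```

    Run the linter against /etc/keystone/domains/keystone.ACME.conf after step
    6; the only finding for the configuration shown above is the plain ldap://
    URL, which is resolved by switching to ldaps:// or setting use_tls = True.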
    

Setting Keystone Data

  1. Load the environment variables for logging in to OpenStack:

    source admin-openrc
    
  2. Create domain ACME:

    openstack domain create ACME
    
  3. Try to list the users of domain ACME:

    openstack user list --domain ACME
    
    +------------------------------------------------------------------+----------------+
    | ID                                                               | Name           |
    +------------------------------------------------------------------+----------------+
    | ae7a1e0c022ab806247cb9dc69bd1bd0f157f9d87161e5e20f64f554e418cb8d | admin          |
    | 2b19a3543055bab1443e52385facaf652462199c346731c667f226396c7ba6a1 | Guest          |
    +------------------------------------------------------------------+----------------+
    
  4. Create project admin in domain ACME:

    openstack project create --domain ACME admin
    
  5. Add an admin user with administrative rights to the project admin in domain ACME:

    openstack role add --user-domain ACME --project-domain ACME --project admin --user admin admin
    
  6. Give administrator rights to the admin user on domain ACME:

    openstack role add --user-domain ACME --user admin --domain ACME admin
    
  7. Try signing in to the cloud through the web interface using these credentials.