How to configure multiple domains?

Configuring Keystone

Add the following options to /etc/keystone/keystone.conf:

```ini
[identity]
driver = keystone.identity.backends.sql.Identity
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
```
Create the directory /etc/keystone/domains:

```shell
mkdir /etc/keystone/domains
```
Create a config file named keystone.DOMAIN_NAME.conf, where DOMAIN_NAME is the name of the domain in OpenStack. For example, if the domain is going to be named “ACME”, then:

```shell
> /etc/keystone/domains/keystone.ACME.conf
```
Specify the following parameters in the configuration:

```ini
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://LDAP_IP
user = cn=admin,cn=Users,dc=example,dc=com
password = openstack
suffix = dc=example,dc=com
use_dumb_member = False
allow_subtree_delete = False
user_tree_dn = cn=Users,dc=example,dc=com
user_objectclass = InetOrgPerson
group_tree_dn = cn=Groups,dc=example,dc=com
group_objectclass = groupOfNames
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```
In Active Directory and Samba 4, different object classes are used for users and groups:

```ini
[ldap]
...
user_objectclass = person
group_objectclass = group
```
Note: An example of setting up integration with Active Directory (AD) can be found here.
Specify the mapping between LDAP attributes and Keystone data types:

```ini
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_pass_attribute = userPassword
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute =
group_desc_attribute = description
group_filter =
```
Restart the web server service:

```shell
systemctl restart apache2
```

Restart the keystone service:

```shell
systemctl restart keystone
```
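After the steps above, each file under domain_config_dir should match the read-only LDAP pattern shown in this guide. The following audit script is an added example (not part of this page or of Keystone itself) that parses every domain file with the standard-library configparser and reports deviations: a filename Keystone would not load, a bind URL that is not ldaps://, any *_allow_* flag left enabled, or a placeholder bind password. The sample config it audits is constructed to mirror the ACME file above, with one flag deliberately flipped to True; LDAP_IP and the password "openstack" are the page's placeholders.

```python
import configparser
import os
import re
import tempfile

# Keystone only loads files named keystone.<DOMAIN>.conf from domain_config_dir
FILENAME_RE = re.compile(r"^keystone\.[^.]+\.conf$")
WRITE_FLAGS = ("user_allow_create", "user_allow_update", "user_allow_delete",
               "group_allow_create", "group_allow_update", "group_allow_delete")

# Constructed sample mirroring the page's ACME config (one flag deliberately flipped)
SAMPLE_ACME = """[identity]
driver = keystone.identity.backends.ldap.Identity
[ldap]
url = ldap://LDAP_IP
user = cn=admin,cn=Users,dc=example,dc=com
password = openstack
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = True
"""

def audit_domain_config(path):
    """Return a list of findings for one domain-specific Keystone config file."""
    name = os.path.basename(path)
    if not FILENAME_RE.match(name):
        return ["%s: not named keystone.<DOMAIN>.conf, Keystone will ignore it" % name]
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)  # a missing file yields an empty config, which fails every check
    findings = []
    url = cfg.get("ldap", "url", fallback="")
    if not url.startswith("ldaps://"):
        findings.append("url %s is not ldaps://, bind credentials cross the network in clear" % url)
    for flag in WRITE_FLAGS:  # the guide's pattern is a read-only directory: all must be False
        if cfg.getboolean("ldap", flag, fallback=True):
            findings.append("%s is not False, Keystone could modify the directory" % flag)
    if cfg.get("ldap", "password", fallback="") in ("", "openstack", "password"):
        findings.append("bind password is empty or a well-known placeholder")
    return findings

def demo():
    # Write the sample plus a misnamed copy into a temporary domain_config_dir and audit both
    with tempfile.TemporaryDirectory() as d:
        for fname in ("keystone.ACME.conf", "keystone-ACME.conf"):
            with open(os.path.join(d, fname), "w") as fh:
                fh.write(SAMPLE_ACME)
        return {f: audit_domain_config(os.path.join(d, f)) for f in sorted(os.listdir(d))}
```

Run `demo()` to see the findings for both files; point `audit_domain_config` at the real files under /etc/keystone/domains to audit a deployment.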
Setting Keystone Data
Configure the environment for logging in to OpenStack:

```shell
source admin-openrc
```

Create the domain ACME:

```shell
openstack domain create ACME
```

Try to get a list of users of the domain ACME:

```shell
openstack user list --domain ACME
+------------------------------------------------------------------+----------------+
| ID                                                               | Name           |
+------------------------------------------------------------------+----------------+
| ae7a1e0c022ab806247cb9dc69bd1bd0f157f9d87161e5e20f64f554e418cb8d | admin          |
| 2b19a3543055bab1443e52385facaf652462199c346731c667f226396c7ba6a1 | Guest          |
+------------------------------------------------------------------+----------------+
```

Create the project admin in the domain ACME:

```shell
openstack project create --domain ACME admin
```

Add the admin user with administrative rights to the project admin in the domain ACME:

```shell
openstack role add --user-domain ACME --project-domain ACME --project admin --user admin admin
```

Give administrator rights to the admin user on the domain ACME:

```shell
openstack role add --user-domain ACME --user admin --domain ACME admin
```
Try signing in to the cloud through the web interface using these credentials.