Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 4. Using domain-specific LDAP backends with director

Red Hat OpenStack Platform director can configure keystone to use one or more LDAP backends. This approach results in the creation of a separate LDAP backend for each keystone domain.

4.1. Setting the configuration options
Copiar o link

For deployments using Red Hat OpenStack Platform director, you need to set the KeystoneLDAPDomainEnable flag to true in your heat templates; as a result, this will configure the domain_specific_drivers_enabled option in keystone (within the identity configuration group).

Note

The default directory for domain configuration files is set to /etc/keystone/domains/. You can override this by setting the required path using the keystone::domain_config_directory hiera key and adding it as an ExtraConfig parameter within an environment file.

You must also add a specification of the LDAP backend configuration. This is done using the KeystoneLDAPBackendConfigs parameter in tripleo-heat-templates. You can then specify your required LDAP options. For more information on the available options, see the Configuration Reference Guide.

4.2. Configure the director deployment
Copiar o link

Important

There is currently a known issue with a heat template: the keystone_domain_confg tag is missing from keystone.yaml. For the workaround and further information, see https://bugzilla.redhat.com/show_bug.cgi?id=1519057.

  1. Create a copy of the keystone_domain_specific_ldap_backend.yaml environment file: 

    $ cp /usr/share/openstack-tripleo-heat-templates/environments/services/keystone_domain_specific_ldap_backend.yaml /home/stack/templates/
    Copy to Clipboard Toggle word wrap

  2. Edit the /home/stack/templates/keystone_domain_specific_ldap_backend.yaml environment file and set the values to suit your deployment. For example, these entries create a LDAP configuration for a keystone domain named testdomain: 

        parameter_defaults:
      KeystoneLDAPDomainEnable: true
      KeystoneLDAPBackendConfigs:
        testdomain:
          url: ldaps://192.0.2.250
          user: cn=openstack,ou=Users,dc=director,dc=example,dc=com
          password: RedactedComplexPassword
          suffix: dc=director,dc=example,dc=com
          user_tree_dn: ou=Users,dc=director,dc=example,dc=com
          user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=director,dc=example,dc=com)"
          user_objectclass: person
          user_id_attribute: cn
          user_allow_create: false
          user_allow_update: false
          user_allow_delete: false
    Copy to Clipboard Toggle word wrap

  3. You can also configure the environment file to specify multiple domains. For example: 

        KeystoneLDAPBackendConfigs:
      domain1:
        url: ldaps://domain1.example.com
        user: cn=openstack,ou=Users,dc=director,dc=example,dc=com
        password: RedactedComplexPassword
        ...
      domain2:
        url: ldaps://domain2.example.com
        user: cn=openstack,ou=Users,dc=director,dc=example,dc=com
        password: RedactedComplexPassword
        ...
    Copy to Clipboard Toggle word wrap

    This will result in two domains named domain1 and domain2; each will have a different LDAP domain with its own configuration.

Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat