1. Keystone with LDAP
What works, and what doesn’t?
Jesse Pretorius aka @odyssey4me
Rackspace Software Developer
OpenStack-Ansible PTL
OpenStack Manchester Meetup
19 Jan 2016
2. Keystone Back-Ends
Identity
The Identity back-end provides the ability for Keystone to access Users, Groups and the
assignment of Users to Groups.
Resource
The Resource back-end (introduced in Kilo) provides the ability for Keystone to access
Projects, Domains and the Assignment of Projects to Domains.
Assignment
The Assignment back-end (introduced in Havana) provides Roles and handles the
assignments between Identities, Resources and Roles.
3. Keystone Identity Back-End
• Drivers
– SQL (only one back-end supported)
– LDAP (many back-ends supported)
– Hybrid SQL/LDAP [1] (SUSE Cloud only, not upstream)
• Domain-specific Back-end Driver Configuration [2]
– Configuration can be in file
• /etc/keystone/domains/keystone.<domain_name>.conf
– Configuration can be in SQL (experimental in Kilo)
4. Keystone Back-Ends (continued…)
• Resource Drivers
– SQL
– LDAP driver deprecated in Liberty, scheduled for removal in Mitaka [3]
• Assignment Drivers
– SQL
– LDAP driver deprecated in Kilo, scheduled for removal in Mitaka [4]
5. Using Multiple Keystone Domains
• The Keystone v3 API is required to use multiple domains
• To use the Keystone v3 API, you have to use the OpenStack CLI
– Keystone CLI has been deprecated in Liberty
– python-keystoneclient is moving towards being a library only
• When multiple domains are present, all Admin queries relating to
Users/Groups have to be scoped to the domain.
– Even for the Default domain, e.g.:
openstack user list --domain Default
6. Best Practice, in my opinion
• ‘Default’ Domain
– Should use the SQL Driver for its Identity back-end
– Should be used for Service accounts
• Resource & Assignment Back-Ends
– Should use the SQL Driver
7. A practical example
### in /etc/keystone/domains/keystone.Users.conf ###
[identity]
driver = ldap
[ldap]
group_id_attribute = cn
group_name_attribute = cn
group_objectclass = groupOfUniqueNames
group_tree_dn = ou=Groups,dc=example,dc=com
password = secrete
suffix = DC=example,DC=com
url = ldap://aio1_openldap_server_container-b083299d
user = cn=Manager,dc=example,dc=com
user_id_attribute = uid
user_mail_attribute = mail
user_name_attribute = cn
user_tree_dn = ou=People,dc=example,dc=com
### in /etc/keystone/keystone.conf ###
[identity]
driver = sql
domain_config_dir = /etc/keystone/domains
domain_specific_drivers_enabled = True
[resource]
driver = sql
[role]
driver = sql
### execute on the appropriate host ###
# create the domain
openstack domain create Users
# restart the keystone service now
# this is required for the conf file and
# domain association to work
service apache2 restart || service keystone restart
# list the domain users
openstack user list --domain Users
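As an added check (not part of the deck or of OpenStack-Ansible), the script below parses a keystone.conf plus one domain-specific file, modelled on the example above, and flags layouts that contradict the recommendations on the previous slides: per-domain drivers left disabled, a Default domain or resource/assignment/role back-end not on SQL, and an LDAP domain missing its connection settings. The plaintext-URL check assumes Keystone's standard `[ldap] use_tls` option; the two config strings are constructed sample input.

```python
import configparser

# Constructed sample input, modelled on the deck's practical example (not the deck's own files).
MAIN_CONF = """
[identity]
driver = sql
domain_config_dir = /etc/keystone/domains
domain_specific_drivers_enabled = True
[resource]
driver = sql
[role]
driver = sql
"""
DOMAIN_CONF = """
[identity]
driver = ldap
[ldap]
url = ldap://aio1_openldap_server_container-b083299d
suffix = DC=example,DC=com
user = cn=Manager,dc=example,dc=com
password = secrete
user_tree_dn = ou=People,dc=example,dc=com
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit_keystone_domains(main_text, domain_text):
    """Return findings for keystone.conf plus one keystone.<domain>.conf; [] means clean."""
    main, dom = _parse(main_text), _parse(domain_text)
    findings = []
    # Without this flag keystone never reads the per-domain file at all.
    if not main.getboolean("identity", "domain_specific_drivers_enabled", fallback=False):
        findings.append("[identity] domain_specific_drivers_enabled must be True")
    # Default domain (service accounts) stays on SQL; resource/assignment/role LDAP drivers are deprecated.
    for section in ("identity", "resource", "assignment", "role"):
        drv = main.get(section, "driver", fallback="sql")
        if drv != "sql":
            findings.append(f"[{section}] driver = {drv}; use sql in keystone.conf")
    # An LDAP identity domain needs its connection settings present.
    if dom.get("identity", "driver", fallback="sql") == "ldap":
        for key in ("url", "suffix", "user", "password", "user_tree_dn"):
            if not dom.get("ldap", key, fallback=""):
                findings.append(f"[ldap] {key} is missing")
        url = dom.get("ldap", "url", fallback="")
        # Plain ldap:// sends the bind password in clear unless StartTLS (use_tls) is enabled.
        if url.startswith("ldap://") and not dom.getboolean("ldap", "use_tls", fallback=False):
            findings.append("[ldap] url is ldap:// without use_tls; use ldaps:// or use_tls = True")
    return findings
```

Run against the sample above it reports only the plaintext `ldap://` URL; switching that to `ldaps://` (or adding `use_tls = True`) yields an empty list.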
10. Get Involved in OpenStack-Ansible
• Launchpad Landing Page
– https://launchpad.net/openstack-ansible
• Documentation
– http://docs.openstack.org/developer/openstack-ansible
– http://docs.openstack.org/developer/openstack-ansible/developer-docs/quickstart-aio.html
• Attend community meetings
– https://wiki.openstack.org/wiki/Meetings/openstack-ansible
• Get help
– Mailing Lists: [openstack-ansible] in subject line
– IRC: #openstack-ansible in Freenode