openstack/openstack-manuals
Code Issues Proposed changes
27f65ed45d
openstack-manuals/doc/common/section_keystone_config_ldap-assignments.xml
darrenchan f278f72e1e Added information on configuring keystone for multiple LDAP servers 
Updated content to include:
1. Configuring keystone for multiple back ends using domain-specific configuration files
2. Configuring Assignments for multiple LDAP backends
Change-Id: Ib0705e90da4f0a4bafd493883545d36fa737bc3e
backport: juno
Closes-Bug: #1386768
2015-02-09 23:43:22 +11:00

61 lines
3.1 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="configuring-keystone-for-ldap-backend-assignments">
<title>Separate role authorization and user authentication</title>
<para>When you configure the Identity service to use LDAP back
ends, you can split authentication and authorization using the
<emphasis>Assignments</emphasis> feature.</para>
<para>The Assignments feature enables administrators to manage
project role authorization using the Identity service SQL
database, while still providing user authentication through the
LDAP directory.</para>
<para>To configure this:</para>
<procedure>
<title>Separating role authorization and user authentication
through Assignments</title>
<para>Modify the <filename>/etc/keystone/keystone.conf</filename>
configuration file for a single LDAP server, or
<filename>etc/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
files for multiple LDAP back ends, performing the following actions:</para>
<step>
<para>Configure the Identity service to authenticate users
through the LDAP driver. In the <literal>[identity]</literal> section, set
the <literal>driver</literal> configuration key to
<literal>keystone.identity.backends.ldap.Identity</literal>:
</para>
<programlisting>[identity]
driver = keystone.identity.backends.ldap.Identity</programlisting>
</step>
<step><para>Enable the Assignment driver. In the
<literal>[assignment]</literal> section, set the <literal>driver</literal>
configuration key to <literal>keystone.assignment.backends.sql.Assignment</literal>:
</para>
<programlisting>[assignment]
driver = keystone.assignment.backends.sql.Assignment</programlisting>
</step>
</procedure>
<para os="rhel;centos;fedora;opensuse;sles">On
distributions that include
<application>openstack-config</application>, you can
configure both drivers by running the following commands.</para>
<itemizedlist>
<listitem>
<para>For a single LDAP server:</para>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
identity driver keystone.identity.backends.ldap.Identity</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
assignment driver keystone.assignment.backends.sql.Assignment</userinput></screen>
</listitem>
<listitem>
<para>For multiple LDAP back ends:</para>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
identity driver keystone.identity.backends.ldap.Identity</userinput>
<prompt>#</prompt> <userinput>openstack-config --set etc/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf \
assignment driver keystone.assignment.backends.sql.Assignment</userinput></screen>
</listitem>
</itemizedlist>
</section>
View Git Blame Copy Permalink