I’m struggling trying to configure Keystone with AD support. Since the documentation of SUSE Cloud 4 is very short, I ask here for advice.
I already tried to edit the configuration in Crowbar/Keystone and deployed it without success. My goal is to set up a read-only AD for Keystone.
[QUOTE=tabaraho;25632]I’m struggling trying to configure Keystone with AD support. Since the documentation of SUSE Cloud 4 is very short, I ask here for advice.
I already tried to edit the configuration in Crowbar/Keystone and deployed it without success. My goal is to set up a read-only AD for Keystone. [/QUOTE]
For read-only LDAP/AD access it’s probably best to use the keystone hybrid backend. Crowbar currently expects to be able to create/modify some users in keystone. Those are mainly the default “admin” and “crowbar” users plus some service-specific users for the various OpenStack services. The hybrid backend solves that by storing those users in the SQL database while taking all other users from the LDAP/AD database. We released that backend recently for Cloud 4 as part of a maintenance update for the keystone packages. So make sure to have the latest updates installed.
For the hybrid backend please set the drivers to: “keystone.identity.backends.hybrid.Identity” and “keystone.assignment.backends.hybrid.Assignment”. Configure the rest of the LDAP options as “normal”.
[QUOTE=rhafer;25687]For read-only LDAP/AD access it’s probably best to use the keystone hybrid backend. Crowbar currently expects to be able to create/modify some users in keystone. Those are mainly the default “admin” and “crowbar” users plus some service-specific users for the various OpenStack services. The hybrid backend solves that by storing those users in the SQL database while taking all other users from the LDAP/AD database. We released that backend recently for Cloud 4 as part of a maintenance update for the keystone packages. So make sure to have the latest updates installed.
For the hybrid backend please set the drivers to: “keystone.identity.backends.hybrid.Identity” and “keystone.assignment.backends.hybrid.Assignment”. Configure the rest of the LDAP options as “normal”.[/QUOTE]
Thank you for the advice. I did manage to connect to the AD following both the GitHub guide and the official SUSE doc. With the “keystone user-list” command I can retrieve the list of AD users. But I’m no longer able to log in as Admin. I get this error in the keystone.log:
WARNING keystone.common.wsgi [-] Could not find project, demo.
Before I try to enable AD users in SUSE Cloud, I would like to find out what the problem is. Do you have an idea?