
Intro


Recent versions of packstack can configure Keystone to use LDAP as its identity backend. The basic steps for configuring the LDAP identity backend by hand are documented at http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider and http://docs.openstack.org/havana/config-reference/content/ch_configuring-openstack-identity.html#configuring-keystone-for-ldap-backend. Packstack exposes all of those parameters as options, so the same setup can be done from the command line or from an answer file.

How do I tell whether my version of packstack supports Keystone LDAP?


packstack --help should list the option --keystone-identity-backend, which takes the values sql (the default) and ldap. There should also be a large number of options of the form --keystone-ldap-PARAM that let you set every aspect of the Keystone LDAP identity backend. If --keystone-identity-backend is missing from the help output, your packstack is too old and you will have to configure Keystone for LDAP manually.

Configuration with packstack


The first step is to tell packstack that Keystone will use an LDAP identity backend. Either run packstack --keystone-identity-backend ldap ...other options... or put CONFIG_KEYSTONE_IDENTITY_BACKEND=ldap in your packstack answer file. packstack supports all of the [ldap] configuration parameters listed at http://docs.openstack.org/juno/config-reference/content/keystone-configuration-file.html. To set one of those values through packstack:

  • command line - prefix the parameter name with --keystone-ldap- and replace underscores with hyphens: [ldap] suffix becomes --keystone-ldap-suffix, and [ldap] user_tree_dn becomes --keystone-ldap-user-tree-dn

  • answer file - convert the parameter name to upper case and prefix it with CONFIG_KEYSTONE_LDAP_: [ldap] suffix becomes CONFIG_KEYSTONE_LDAP_SUFFIX, and [ldap] user_tree_dn becomes CONFIG_KEYSTONE_LDAP_USER_TREE_DN


NOTE: There are two exceptions to the above rule, because packstack names the bind credentials more explicitly than keystone.conf does:

  • [ldap] user is --keystone-ldap-user-dn and CONFIG_KEYSTONE_LDAP_USER_DN in packstack

  • [ldap] password is --keystone-ldap-user-password and CONFIG_KEYSTONE_LDAP_USER_PASSWORD in packstack



At a minimum, you will need to specify the url, the bind user DN (keystone's [ldap] user), its password, the suffix, the user_tree_dn and the group_tree_dn. Two practical cautions: the answer file stores the bind password in clear text, so restrict its permissions and do not leave copies lying around, and the bind account only needs read access to the user and group trees, so use a dedicated read-only service account rather than a directory administrator. If the url uses plain ldap:// rather than ldaps://, that password (and every user password Keystone checks) crosses the network unencrypted unless you also enable StartTLS with [ldap] use_tls, which packstack exposes as --keystone-ldap-use-tls / CONFIG_KEYSTONE_LDAP_USE_TLS.
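The following shell script is an added example, not code from the original post or from packstack itself. It encodes the naming rule described above (including the two exceptions for user and password) as small functions, uses them to render the minimum answer-file fragment, and adds the check a practitioner would want before running packstack: that the LDAP URL is ldaps://. The hostname, DNs and password in the sample call are constructed placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post or from packstack).
# Maps Keystone [ldap] option names to the packstack spellings the post
# describes, renders the minimum answer-file fragment and checks the URL.

# Apply the two exceptions: keystone's [ldap] user / password are named
# user_dn / user_password in packstack. Everything else passes through.
_packstack_ldap_name() {
    case "$1" in
        user)     printf 'user_dn\n' ;;
        password) printf 'user_password\n' ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# ldap_opt_to_cli OPTION -> packstack command-line flag
# Rule: prefix --keystone-ldap-, underscores become hyphens.
ldap_opt_to_cli() {
    _n=$(_packstack_ldap_name "$1" | tr '_' '-')
    printf '%s%s\n' '--keystone-ldap-' "$_n"
}

# ldap_opt_to_key OPTION -> packstack answer-file key
# Rule: prefix CONFIG_KEYSTONE_LDAP_, name in upper case.
ldap_opt_to_key() {
    _n=$(_packstack_ldap_name "$1" | tr 'a-z' 'A-Z')
    printf 'CONFIG_KEYSTONE_LDAP_%s\n' "$_n"
}

# ldap_url_is_tls URL -> success only for an ldaps:// URL.
# A plain ldap:// URL sends the bind password (and every password Keystone
# verifies) in clear text unless StartTLS is enabled separately.
ldap_url_is_tls() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# ldap_answer_fragment URL USER_DN PASSWORD SUFFIX USER_TREE_DN GROUP_TREE_DN
# Prints the answer-file lines for the minimum set of options the post lists.
ldap_answer_fragment() {
    printf 'CONFIG_KEYSTONE_IDENTITY_BACKEND=ldap\n'
    printf '%s=%s\n' "$(ldap_opt_to_key url)"           "$1"
    printf '%s=%s\n' "$(ldap_opt_to_key user)"          "$2"
    printf '%s=%s\n' "$(ldap_opt_to_key password)"      "$3"
    printf '%s=%s\n' "$(ldap_opt_to_key suffix)"        "$4"
    printf '%s=%s\n' "$(ldap_opt_to_key user_tree_dn)"  "$5"
    printf '%s=%s\n' "$(ldap_opt_to_key group_tree_dn)" "$6"
}

# Constructed sample values (placeholders, not from the post): a read-only
# service account as the bind DN, an LDAPS URL and the two trees.
SAMPLE_URL='ldaps://ldap.example.com'
ldap_url_is_tls "$SAMPLE_URL" ||
    echo "warning: $SAMPLE_URL is not ldaps://; bind password crosses the wire in clear" >&2

ldap_answer_fragment "$SAMPLE_URL" \
    'cn=keystone-svc,ou=ServiceAccounts,dc=example,dc=com' \
    'CHANGEME' \
    'dc=example,dc=com' \
    'ou=Users,dc=example,dc=com' \
    'ou=Groups,dc=example,dc=com'
```

Redirect the output into your answer file (chmod 600 it first, since it now holds the bind password), or feed the same names through ldap_opt_to_cli to build the equivalent packstack command line.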