Rich Megginson (richmegginson) wrote,

How to configure OpenStack Keystone to use LDAP - part 1 - packstack


The latest versions of packstack now have the ability to set up Keystone to use LDAP as its identity backend. The basic steps for manually configuring Keystone to use an LDAP identity backend are found here: and Packstack allows you to set up all of these parameters.

How to tell if my version of packstack supports Keystone LDAP?

packstack --help should list the option --keystone-identity-backend which takes the values sql (default value) and ldap. There should also be a large number of options in the form of --keystone-ldap-PARAM that allow you to set up all aspects of the Keystone LDAP identity backend.

Configuration with packstack

The first step is to tell packstack that you are using Keystone with an LDAP identity backend. Either use packstack --keystone-identity-backend ldap ...other options... or use CONFIG_KEYSTONE_IDENTITY_BACKEND=ldap in your packstack answer-file. packstack supports all of the configuration parameters listed here: To specify one of those values in packstack:

  • command line - add --keystone-ldap- in front of the parameter: [ldap] ldap_suffix becomes --keystone-ldap-suffix

  • answer-file - convert to all caps, and add CONFIG_KEYSTONE_LDAP_ in front of the parameter name: [ldap] ldap_suffix becomes CONFIG_KEYSTONE_LDAP_SUFFIX

NOTE: Two exceptions to the above rule

  • [ldap] user is --keystone-ldap-user-dn and CONFIG_KEYSTONE_LDAP_USER_DN in packstack

  • [ldap] password is --keystone-ldap-user-password and CONFIG_KEYSTONE_LDAP_USER_PASSWORD in packstack

At a minimum, you will need to specify the url, the user_dn, the password, the suffix, the user_tree_dn, and the group_tree_dn.
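
The naming rule and its two exceptions, as an added example (not code from the original post or from packstack). The function names and the sample keystone.conf text are constructed for illustration, the underscore-to-hyphen conversion on the command line is inferred from --keystone-ldap-user-dn, and the [ldap] key for the bind DN is assumed to be user as in the exception list.

```python
import configparser

# The two exceptions the post lists: [ldap] key -> packstack parameter name.
EXCEPTIONS = {"user": "user_dn", "password": "user_password"}
# Minimum set from the post, as [ldap] keys (assumption: the post's "user_dn"
# is the [ldap] "user" key after renaming).
REQUIRED = ("url", "user", "password", "suffix", "user_tree_dn", "group_tree_dn")

def cli_option(key):
    """[ldap] key -> packstack command-line option, by the post's rule.
    Underscore-to-hyphen is inferred from --keystone-ldap-user-dn."""
    return "--keystone-ldap-" + EXCEPTIONS.get(key, key).replace("_", "-")

def answer_key(key):
    """[ldap] key -> packstack answer-file key, by the post's rule."""
    return "CONFIG_KEYSTONE_LDAP_" + EXCEPTIONS.get(key, key).upper()

def translate(keystone_conf_text):
    """Return (missing required keys, answer-file lines, command-line args)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keystone_conf_text)
    ldap = dict(cp["ldap"]) if cp.has_section("ldap") else {}
    missing = [k for k in REQUIRED if not ldap.get(k)]
    answers = ["CONFIG_KEYSTONE_IDENTITY_BACKEND=ldap"]
    args = ["--keystone-identity-backend", "ldap"]
    for key, value in ldap.items():
        answers.append(f"{answer_key(key)}={value}")
        args += [cli_option(key), value]
    return missing, answers, args

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
[ldap]
url = ldap://ldap.example.test
user = cn=keystone,ou=services,dc=example,dc=test
password = CONSTRUCTED-PLACEHOLDER
suffix = dc=example,dc=test
"""

if __name__ == "__main__":
    missing, answers, args = translate(SAMPLE)
    print("\n".join(answers))
    print("packstack", " ".join(args))
    if missing:
        print("still required:", ", ".join(missing))
```

Names produced for parameters other than the ones the post spells out follow its rule mechanically, so confirm them against packstack --help before use. The answer-file form keeps the bind password off the command line, where it would otherwise be visible in the process list and shell history.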
Tags: keystone, ldap, openstack, packstack