Rich Megginson (richmegginson) wrote,
Rich Megginson

How to configure OpenStack Keystone to use LDAP - part 2 - foreman/staypuft


In Part 1 - packstack I talked about how to use packstack to deploy Keystone with an LDAP identity backend. In this part 2 I will describe how to do the same thing with a foreman/staypuft based installer. The basic steps for manually configuring Keystone to use an LDAP identity backend are found here: and

How to tell if my version of foreman/staypuft supports Keystone LDAP?

The puppet class quickstack::pacemaker::keystone has been extended with all of the Keystone LDAP parameters listed at Find your quickstack/manifests/pacemaker/keystone.pp file, and see if it has the keystone_identity_backend parameter along with many paramters of the form ldap_*. If so, then your foreman/staypuft has support for Keystone LDAP. It should look like this:
class quickstack::pacemaker::keystone (
$keystone_identity_backend = 'sql',
$ldap_url = '',
$ldap_user = '',


The first thing is to specify to use LDAP as the Keystone identity backend. The puppet class quickstack::pacemaker::keystone has a class parameter name keystone_identity_backend which takes the values sql (default) and ldap. Use "ldap" to use the Keystone LDAP identity backend. All of the configuration parameters listed here are supported: To specify one of those parameters puppet, just put "ldap_" in front of the name. For example: [ldap] url in puppet is ldap_url.

There are two ways to specify the configuration in foreman:

  • Using the UI: foreman allows you to set class parameters in the hostgroups UI. You would set the class parameters of the quickstack::pacemaker::keystone class.

  • Using the command line: All of the parameters can be set in the seeds.rb file. For example:
    params = {
    "verbose" => "true",
    "heat_cfn" => "true",
    "keystone_identity_backend" => "ldap",
    "ldap_url" => "ldap://myhostname:389/",
    ... other ldap parameters ...

At a minimum, you will need to specify the url, the user_dn, the password, the suffix, the user_tree_dn, and the group_tree_dn.
  • Post a new comment


    default userpic

    Your reply will be screened

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.