Log in

No account? Create an account

Previous Entry | Next Entry


In Part 1 - packstack I talked about how to use packstack to deploy Keystone with an LDAP identity backend. In this part 2 I will describe how to do the same thing with a foreman/staypuft based installer. The basic steps for manually configuring Keystone to use an LDAP identity backend are found here: http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider and http://docs.openstack.org/havana/config-reference/content/ch_configuring-openstack-identity.html#configuring-keystone-for-ldap-backend.

How to tell if my version of foreman/staypuft supports Keystone LDAP?

The puppet class quickstack::pacemaker::keystone has been extended with all of the Keystone LDAP parameters listed at http://docs.openstack.org/juno/config-reference/content/keystone-configuration-file.html. Find your quickstack/manifests/pacemaker/keystone.pp file, and see if it has the keystone_identity_backend parameter along with many paramters of the form ldap_*. If so, then your foreman/staypuft has support for Keystone LDAP. It should look like this:
class quickstack::pacemaker::keystone (
$keystone_identity_backend = 'sql',
$ldap_url = '',
$ldap_user = '',


The first thing is to specify to use LDAP as the Keystone identity backend. The puppet class quickstack::pacemaker::keystone has a class parameter name keystone_identity_backend which takes the values sql (default) and ldap. Use "ldap" to use the Keystone LDAP identity backend. All of the configuration parameters listed here are supported: http://docs.openstack.org/juno/config-reference/content/keystone-configuration-file.html. To specify one of those parameters puppet, just put "ldap_" in front of the name. For example: [ldap] url in puppet is ldap_url.

There are two ways to specify the configuration in foreman:

  • Using the UI: foreman allows you to set class parameters in the hostgroups UI. You would set the class parameters of the quickstack::pacemaker::keystone class.

  • Using the command line: All of the parameters can be set in the seeds.rb file. For example:
    params = {
    "verbose" => "true",
    "heat_cfn" => "true",
    "keystone_identity_backend" => "ldap",
    "ldap_url" => "ldap://myhostname:389/",
    ... other ldap parameters ...

At a minimum, you will need to specify the url, the user_dn, the password, the suffix, the user_tree_dn, and the group_tree_dn.