Please tell me how to deploy OpenStack with Ansible Kolla with LDAP integration.
That depends on your environment. You could take a look at the documentation regarding the integration of LDAP with keystone [here](https://docs.openstack.org/keystone/wallaby/admin/configuration.html#integrate-identity-with-ldap). – BakaKuna Jun 26 '21 at 19:16
I have already read this document and tried it. This does not work when deployed via kolla-ansible. I added to the file /etc/kolla/config/keystone/keystone.conf: `[identity] driver = ldap [ldap] url = ldap://ipa.site.ru user = uid=keystone,cn=users,cn=accounts,dc=site,dc=ru password = mysercetpass ....` When trying to deploy a new OpenStack multinode cluster, the error occurs at the task "Creating admin project, user, role, service, and endpoint" https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/keystone/tasks/register.yml#L2 – Andrey Jun 27 '21 at 20:17
1 Answer
I know this is a bit old, but I was searching for the answer to this as well and ended up solving it.
You will need to create domain-specific configuration for LDAP authentication. This way you leave your default domain and projects alone with their built-in authentication and you will have a separate domain with all your projects that authenticate with LDAP.
Create a custom config file referencing your ${your_domain_name} in /etc/kolla/config/keystone/domains/keystone.${your_domain_name}.conf. Then, in that file, set your driver to LDAP and define all the required LDAP configuration parameters as referenced in https://docs.openstack.org/keystone/latest/admin/configuration.html:

```ini
[identity]
driver=ldap
[ldap]
# Your LDAP config settings go here
```
That is all you need to configure before deployment. After running the deploy and post-deploy jobs in Kolla, source the /etc/kolla/admin-openrc.sh file to get the admin credentials and create your domain that will authenticate with LDAP via the CLI:

```shell
openstack domain create ${your_domain_name}
```

After restarting the Keystone container, it should now have connected that domain to LDAP, which can be confirmed via the CLI:

```shell
openstack user list --domain ${your_domain_name}
```
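The procedure in the answer above, written out as an added example (this is not code from the answer, the question, or the kolla-ansible project). It generates the domain-specific Keystone file under /etc/kolla/config/keystone/domains/ with a read-only, TLS-verified LDAP binding, locks the file down because it holds the bind password, and wraps the deploy, domain-create, restart and verify steps in a function that only runs when the script is invoked with `deploy`. The LDAP URL, bind DN, base DN, CA file path, and the FreeIPA-style user/group tree and nsAccountLock mapping are assumptions for illustration; check them against your own directory and the Keystone `[ldap]` option reference before use.

```shell
#!/usr/bin/env bash
# Added example: build a Keystone domain-specific LDAP config for kolla-ansible
# and (optionally) run the deploy/verify steps. All hostnames, DNs and the
# FreeIPA attribute mapping below are assumptions, not values from the page.
set -eu

KOLLA_CONFIG_DIR="${KOLLA_CONFIG_DIR:-/etc/kolla/config}"

# render_domain_conf LDAP_URL BIND_DN BIND_PASSWORD BASE_DN CA_FILE
# Prints the [identity]/[ldap] sections for one LDAP-backed domain.
# The default domain keeps the SQL backend; only this domain uses the driver.
render_domain_conf() {
  local url="$1" bind_dn="$2" bind_pw="$3" base_dn="$4" ca_file="$5"
  case "$url" in
    ldaps://*) ;;  # TLS from the first byte; use_tls (StartTLS) is not needed
    ldap://*)  echo "warning: $url is cleartext; prefer ldaps:// or set use_tls" >&2 ;;
    *)         echo "error: unsupported LDAP URL: $url" >&2; return 1 ;;
  esac
  cat <<EOF
[identity]
driver = ldap

[ldap]
url = ${url}
user = ${bind_dn}
password = ${bind_pw}
suffix = ${base_dn}
query_scope = sub
# Verify the server certificate against a pinned CA; never 'allow' in production
tls_cacertfile = ${ca_file}
tls_req_cert = demand
# FreeIPA-style user tree (assumption; adjust to your directory)
user_tree_dn = cn=users,cn=accounts,${base_dn}
user_objectclass = person
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_enabled_attribute = nsAccountLock
user_enabled_default = False
user_enabled_invert = True
# FreeIPA-style group tree (assumption)
group_tree_dn = cn=groups,cn=accounts,${base_dn}
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
# Keystone must never write to the directory: read-only bind account, no writes
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
EOF
}

# write_domain_conf DOMAIN LDAP_URL BIND_DN BIND_PASSWORD BASE_DN CA_FILE
# Writes keystone.<DOMAIN>.conf where kolla-ansible picks up domain configs.
# The file name must match the Keystone domain name created later.
# Mode 0600 because the bind password is stored in cleartext.
write_domain_conf() {
  local domain="$1"; shift
  local dir="${KOLLA_CONFIG_DIR}/keystone/domains"
  local file="${dir}/keystone.${domain}.conf"
  mkdir -p "$dir"
  ( umask 077; render_domain_conf "$@" > "$file" )
  chmod 600 "$file"
  printf '%s\n' "$file"
}

# deploy_and_verify DOMAIN [INVENTORY]
# The steps from the answer: deploy, post-deploy, source admin creds, create the
# domain, restart Keystone so it loads the domain file, then list LDAP users.
deploy_and_verify() {
  local domain="$1" inventory="${2:-multinode}"
  kolla-ansible -i "$inventory" deploy
  kolla-ansible -i "$inventory" post-deploy
  # shellcheck disable=SC1091
  . /etc/kolla/admin-openrc.sh
  openstack domain create "$domain"
  docker restart keystone   # container name 'keystone' as used by kolla-ansible
  openstack user list --domain "$domain"
}

# Only touch a real cluster when explicitly asked:
#   ./ldap-domain.sh deploy DOMAIN LDAP_URL BIND_DN BIND_PASSWORD BASE_DN CA_FILE
if [ "${1:-}" = "deploy" ]; then
  write_domain_conf "$2" "$3" "$4" "$5" "$6" "$7"
  deploy_and_verify "$2"
fi
```

Keep the bind account read-only in the directory as well as in this file: the `*_allow_*` flags stop Keystone from attempting writes, but only the directory's ACL enforces it. With `ldaps://` do not also set `use_tls`; that option means StartTLS over a plain `ldap://` connection.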