How to integrate Keystone with AD (Active Directory) and let all users in AD use the services of OpenStack on the dashboard?
Hi All,
We're trying to integrate Keystone with AD (Active Directory).
What we want to achieve is to let all users in AD log in to Horizon and use all services of OpenStack on their own.
We now have a test AD server, and its settings are based on: https:/
After we configured the AD Server and keystone.conf, we can now use keystone commands to get the user lists, role lists, and tenant lists from AD Server.
But when I try to log in with an AD user on Horizon, it shows "Unable to authenticate to any available projects."
Does anybody have experience doing this?
My keystone.conf is as below:
-------
[DEFAULT]
admin_token = admin
log_file = keystone.log
log_dir = /var/log/keystone
log_config = /etc/keystone/
[sql]
connection = mysql:/
[identity]
driver = keystone.
[catalog]
driver = keystone.
[token]
driver = keystone.
[policy]
driver = keystone.
[ec2]
driver = keystone.
[ldap]
url = ldap://
user = cn=bill_
password = *******
suffix = cn=npt,cn=sd1
use_dumb_member = True
user_tree_dn = cn=Users,
user_objectclass = top
user_id_attribute = cn
user_name_attribute = cn
dumb_member = cn=bill_
tenant_tree_dn = ou=Tenants,
tenant_objectclass = top
role_tree_dn = ou=Roles,
role_objectclass = top
role_id_attribute = cn
role_member_
[filter:debug]
paste.filter_
[filter:token_auth]
paste.filter_
[filter:
paste.filter_
[filter:xml_body]
paste.filter_
[filter:json_body]
paste.filter_
[filter:
paste.filter_
[filter:
paste.filter_
[filter:
paste.filter_
[filter:
paste.filter_
[filter:
paste.filter_
[filter:
paste.filter_
[filter:
paste.filter_
[app:public_
paste.app_factory = keystone.
[app:admin_service]
paste.app_factory = keystone.
[pipeline:
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service
[pipeline:
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service
[app:public_
paste.app_factory = keystone.
[app:admin_
paste.app_factory = keystone.
[pipeline:
pipeline = stats_monitoring url_normalize xml_body public_
[pipeline:
pipeline = stats_monitoring url_normalize xml_body admin_version_
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/ = admin_version_api
-------
After configuration on AD Server and keystone.conf, we can now use keystone commands to get the user lists, role lists, and tenant lists from AD Server like below:
# keystone --debug --token admin --endpoint http://
+------
| id | name | enabled | email |
+------
| Administrator | Administrator | | |
| Allowed RODC Password Replication Group | Allowed RODC Password Replication Group | | |
| Cert Publishers | Cert Publishers | | |
| Denied RODC Password Replication Group | Denied RODC Password Replication Group | | |
| DnsAdmins | DnsAdmins | | |
| DnsUpdateProxy | DnsUpdateProxy | | |
| Domain Admins | Domain Admins | | |
| Domain Computers | Domain Computers | | |
| Domain Controllers | Domain Controllers | | |
| Domain Guests | Domain Guests | | |
| Domain Users | Domain Users | | |
| Enterprise Admins | Enterprise Admins | | |
| Enterprise Read-only Domain Controllers | Enterprise Read-only Domain Controllers | | |
| Group Policy Creator Owners | Group Policy Creator Owners | | |
| Guest | Guest | | |
| RAS and IAS Servers | RAS and IAS Servers | | |
| Read-only Domain Controllers | Read-only Domain Controllers | | |
| Schema Admins | Schema Admins | | |
| bill_chen | bill_chen | | |
| danny kuo | danny kuo | | |
| frank_wu | frank_wu | | |
| glance | glance | | |
| keystone | keystone | | |
| krbtgt | krbtgt | | |
| nova | nova | | |
+------
keystone --debug --token admin --endpoint http://
+------
| id | name |
+------
| AdminRole | AdminRole |
| MemberRole | MemberRole |
| admin | admin |
+------
keystone --debug --token admin --endpoint http://
+------
| id | name | enabled |
+------
| DemoTenant | | True |
+------
Question information
- Language: English
- Status: Answered
- Assignee: No assignee