How do I allow a specific LDAP user to log in OpenStack?
Issue
- Let a keystone.conf be configured as follows:

  [ldap]
  url = ldaps://server01.example.com,ldaps://server02.example.com
  user = CN=LDAPCLIENT,OU=SERVICE,OU=ADMINS,DC=EXAMPLE,DC=COM
  password = ************
  suffix = DC=EXAMPLE,DC=COM
  user_tree_dn = DC=EXAMPLE,DC=COM
  query_scope = sub
  user_objectclass = person
  user_filter = (|(memberOf=CN=OPSTACK_ADMIN,OU=GROUPS,DC=EXAMPLE,DC=COM)(memberOf=CN=OPSTACK_USER,OU=GROUPS,DC=EXAMPLE,DC=COM))
  user_id_attribute = sAMAccountName
  user_name_attribute = sAMAccountName
  user_mail_attribute = mail
  user_pass_attribute =
  user_enabled_attribute = userAccountControl
  user_enabled_mask = 2
  user_enabled_default = 512
  user_attribute_ignore = password,tenant_id,tenants
  user_allow_create = False
  user_allow_update = False
  user_allow_delete = False
  group_objectclass = group
  group_tree_dn = OU=GROUPS,DC=EXAMPLE,DC=COM
  group_filter = (CN=OPSTACK*)
  group_id_attribute = cn
  group_name_attribute = name
  group_allow_create = False
  group_allow_update = False
  group_allow_delete = False
  use_tls = False
  tls_cacertfile = /etc/ssl/certs/root-example.com.pem

  [identity]
  driver = keystone.identity.backends.ldap.Identity
Usually, in LDAP-backed keystone scenarios, the configuration and its filters allow only members of the specified groups to be OpenStack users.
- How do I allow a specific user that is not part of the specified groups to be an OpenStack user?
Environment
- Red Hat OpenStack Platform 7
- LDAP-based keystone back-end
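One way to admit a single account that is outside those groups, shown here as an added example rather than the article's own solution (the account name "jsmith" is a placeholder): give user_filter one more OR branch that matches on the same attribute the configuration already uses as the user ID (sAMAccountName), so the group-based admission stays exactly as it was and only the named account is added.

```ini
[ldap]
# Existing group-based admission from the keystone.conf above, plus one
# explicitly named account. "jsmith" is a placeholder sAMAccountName.
# The filter is a single LDAP OR: a user is admitted if ANY branch matches.
user_filter = (|(memberOf=CN=OPSTACK_ADMIN,OU=GROUPS,DC=EXAMPLE,DC=COM)(memberOf=CN=OPSTACK_USER,OU=GROUPS,DC=EXAMPLE,DC=COM)(sAMAccountName=jsmith))

# Unchanged: the other admission constraints still apply to the named
# account, so it must still be a "person" object and must not be disabled
# (userAccountControl bit 2) to be able to log in.
user_objectclass = person
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
```

Because the named account is not a member of any OPSTACK* group, it receives none of the roles assigned to those groups in keystone and needs its own direct role assignment on a project or domain. Keep the list of individually named accounts short and review it alongside the group memberships, since each branch added here widens who can authenticate.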