I. Modifying the Keystone LDAP configuration
1. Add a keystone.conf under /etc/kolla/config with the following lines (/etc/keystone/domains is the path inside the keystone container; leave it as-is):
# cat /etc/kolla/config/keystone.conf
[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
2. Under /etc/kolla/config add keystone/domains/keystone.new_domain_name.conf, where new_domain_name is the name of the Keystone domain that will be backed by Active Directory. Keystone ties a domain-specific config file to its domain by this file name, so it must match the domain created in section IV exactly (domain names are case-sensitive):
# cat /etc/kolla/config/keystone/domains/keystone.new_domain_name.conf
[identity]
driver = ldap
[ldap]
chase_referrals = true
url = ldap://**.**.**.**:389
user = CN=test,DC=vv,DC=com
password = ********
suffix = DC=vv,DC=com
query_scope = sub
user_tree_dn = DC=vv,DC=com
user_objectclass = organizationalPerson
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_filter = (&(objectClass=user)(cn=*))
user_enabled_attribute = userAccountControl
user_enabled_default = 512
user_enabled_mask = 2
user_enabled_emulation = False
; Read only for user
user_allow_create = False
user_allow_update = False
user_allow_delete = False
; Read only for group
group_allow_create = False
group_allow_update = False
group_allow_delete = False
; full debug logging for the ldap driver (troubleshooting only; reset to 0 afterwards)
debug_level = 4095
page_size = 0
group_members_are_ids = True
use_pool = true
pool_size = 10
pool_connection_timeout = -1
pool_connection_lifetime = 600
use_auth_pool = true
auth_pool_size = 100
auth_pool_connection_lifetime = 600
alias_dereferencing = default
[assignment]
driver = sql
Notes on this file:
url = ldap://**.**.**.**:389 is plaintext LDAP: the bind password above and every user password Keystone verifies against AD cross the network unencrypted. For production use ldaps:// (port 636), or keep ldap:// and set use_tls = True with tls_cacertfile pointing at the AD CA certificate and tls_req_cert = demand.
The bind password is stored in clear text. Keep /etc/kolla/config/keystone/domains/ readable only by root on the deploy host; kolla-ansible copies the file into the keystone container unchanged. Use a dedicated, read-only directory account as the bind user.
user_enabled_attribute = userAccountControl together with user_enabled_mask = 2 checks AD's ACCOUNTDISABLE bit (0x2): Keystone reports a user as enabled when (userAccountControl & 2) != 2, so 512 (NORMAL_ACCOUNT) is enabled and 514 is disabled. user_enabled_default = 512 is only used when the attribute is missing from an entry.
The user_allow_*/group_allow_* = False lines make the driver read-only, which is what you want when Keystone merely consumes AD. No group_tree_dn is configured, so group_members_are_ids = True has no effect here; if you later map AD groups, note that AD's member attribute holds DNs, so that option should then be False.
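The two checks a practitioner wants before deploying this file are "is anything security-relevant weak in the [ldap] section?" and "which AD accounts will Keystone actually treat as enabled given user_enabled_mask = 2?". The script below is an added example written for this page; it is not keystone or kolla-ansible code. The check names and severities are my own, the embedded config is a constructed copy of the section above (placeholders kept), and the sample AD entries are constructed values of userAccountControl. The enabled-user rule reproduces Keystone's mask semantics: a user is enabled unless all masked bits are set.

```python
"""Added example for this page (not keystone or kolla-ansible code): audit the
security-relevant settings of a keystone domain-specific [ldap] section and
reproduce how keystone evaluates AD's userAccountControl with user_enabled_mask.
Check names, severities and the sample entries are constructed for illustration."""
import configparser
from urllib.parse import urlparse

# Constructed copy of the domain config above, with the page's placeholders kept.
SAMPLE_DOMAIN_CONF = """
[identity]
driver = ldap
[ldap]
url = ldap://**.**.**.**:389
user = CN=test,DC=vv,DC=com
password = ********
suffix = DC=vv,DC=com
user_enabled_attribute = userAccountControl
user_enabled_default = 512
user_enabled_mask = 2
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
debug_level = 4095
[assignment]
driver = sql
"""

WRITE_FLAGS = ("user_allow_create", "user_allow_update", "user_allow_delete",
               "group_allow_create", "group_allow_update", "group_allow_delete")


def parse_domain_conf(text):
    """Parse keystone.<domain>.conf text (oslo.config uses INI syntax)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def audit_ldap_section(cp):
    """Return (severity, message) findings for the [ldap] section."""
    ldap = cp["ldap"]
    findings = []
    scheme = urlparse(ldap.get("url", "")).scheme
    use_tls = _truthy(ldap.get("use_tls", "false"))
    if scheme == "ldap" and not use_tls:
        findings.append(("high", "plaintext LDAP: the bind password and every user "
                         "password keystone verifies cross the wire unencrypted; "
                         "use ldaps:// or use_tls = True"))
    if (scheme == "ldaps" or use_tls) and \
            ldap.get("tls_req_cert", "demand").strip().lower() != "demand":
        findings.append(("high", "tls_req_cert is not 'demand': the AD server "
                         "certificate is not verified"))
    for opt in WRITE_FLAGS:
        # keystone defaults all of these to True; an AD-backed domain should be read-only
        if _truthy(ldap.get(opt, "true")):
            findings.append(("medium", f"{opt} is enabled; keystone may write to the directory"))
    if int(ldap.get("debug_level", "0")) > 0:
        findings.append(("low", "debug_level > 0 turns on OpenLDAP client tracing in the "
                         "keystone log; reset to 0 after troubleshooting"))
    if ldap.get("password"):
        findings.append(("info", "bind password is stored in clear text; restrict the "
                         "file to root on the deploy host"))
    return findings


def user_is_enabled(uac_value, enabled_mask=2, enabled_default=512):
    """keystone's rule when user_enabled_mask != 0: a user is enabled unless all
    masked bits are set. AD bit 0x2 is ACCOUNTDISABLE. A missing attribute
    falls back to user_enabled_default."""
    value = int(enabled_default if uac_value is None else uac_value)
    return (value & enabled_mask) != enabled_mask


# Constructed AD entries: sAMAccountName -> userAccountControl
SAMPLE_ENTRIES = {
    "alice": 512,         # NORMAL_ACCOUNT
    "bob": 514,           # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "svc-backup": 66048,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "mallory": 66050,     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
    "legacy": None,       # attribute absent in the directory
}


def enabled_users(entries, enabled_mask=2, enabled_default=512):
    """Names keystone would report as enabled, sorted."""
    return sorted(name for name, uac in entries.items()
                  if user_is_enabled(uac, enabled_mask, enabled_default))


if __name__ == "__main__":
    for severity, message in audit_ldap_section(parse_domain_conf(SAMPLE_DOMAIN_CONF)):
        print(f"[{severity}] {message}")
    print("enabled:", enabled_users(SAMPLE_ENTRIES))
```

Run it against the real file with `parse_domain_conf(open(path).read())`. The mask check is the part worth internalising: a service account with DONT_EXPIRE_PASSWORD (66048) still logs in, while any value with bit 0x2 set is rejected regardless of the other bits.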
II. Modifying the Horizon configuration to enable multi-domain login
Copy /etc/kolla/horizon/local_settings to /etc/kolla/config/horizon/ and change the following three settings. A local_settings placed under /etc/kolla/config/horizon/ replaces the generated file in full rather than being merged line by line, which is why the whole file has to be copied first; kolla-ansible also supports /etc/kolla/config/horizon/custom_local_settings, which is appended to the generated local_settings and can hold just these three lines.
# vi /etc/kolla/config/horizon/local_settings
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = True
OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
('Default', 'default'),
('TEST', 'test'),
)
Each pair is (domain name, label): the first element is the Keystone domain name that Horizon sends with the login request (case-sensitive), the second is the text shown in the dropdown. Replace 'TEST' with the exact name of the domain created in section IV (new_domain_name), otherwise users of that domain cannot select it at login.
III. Run kolla-ansible to deploy keystone and horizon
# kolla-ansible -i /home/multinode deploy -t keystone,horizon
IV. Create the project and grant permissions
Create a new domain called new_domain_name (the same name used in the config file name in section I) and a new project called test:
# create the new domain
openstack domain create new_domain_name
# list existing domains
openstack domain list
# create the new project
openstack project create test --domain new_domain_name
# list existing projects
openstack project list --long
Keystone loads domain-specific config files when its processes start and ignores a file whose domain does not exist yet, so after creating new_domain_name restart the keystone container (docker restart keystone) or rerun the deploy from section III before continuing; otherwise the running API keeps serving the domain from SQL. Then import the id mappings for the users that already exist in LDAP (this pre-populates Keystone's public-ID mapping table for the domain). The command scrolls a large number of id-mapping log lines and takes a while:
(venv) [root@localhost ~]# docker exec -it keystone bash
(keystone)[root@localhost /]# keystone-manage mapping_populate --domain-name new_domain_name
(keystone)[root@localhost /]# exit
Grant roles to the directory account (user1 is its sAMAccountName, the attribute configured as user_id_attribute/user_name_attribute above):
# list the roles
openstack role list
# grant the admin role on the domain
openstack role add --user-domain new_domain_name --user user1 admin --domain new_domain_name
# grant the admin role on the project
openstack role add --user-domain new_domain_name --user user1 admin --project test
# review the resulting assignments
openstack role assignment list
Granting admin on the domain and the project gives user1 full control over everything in new_domain_name. Note that with the default policy files shipped by many OpenStack releases the admin role is effectively not scoped: a user holding admin on any project or domain is treated as an administrator by most service APIs cloud-wide (the long-standing "admin-ness is not scoped" issue). Grant admin to directory accounts sparingly and give ordinary users the member role on their project instead.