![]() ![]() ![]() ![]() If this command is not available, check that you have enabled keystone v3 for your command line session by running # source overcloudrc-v3. Perform this procedure on each OpenStack node running the keystone service: For example: sudo systemctl restart tripleo_keystone Nova: /var/lib/config-data/puppet-generated/nova/etc/nova/nfĪny changes will then be applied once you restart the service. Keystone: /var/lib/config-data/puppet-generated/keystone/etc/keystone/nfĬinder: /var/lib/config-data/puppet-generated/cinder/etc/cinder/nf These are stored within /var/lib/config-data/puppet-generated/ Instead, if you need to add any changes to containerized services, you will need to update the configuration file that is used to generate the container. This is because any changes are lost once you restart the container. This is because the containerized service does not reference this file.ĭo not update the configuration file running within the container. Send this value to the OpenStack administrators.ĭo not update any configuration file you might find on the physical node’s host operating system, for example, /etc/cinder/nf. PS C:\> Get-ADDomain | select NetBIOSName Send this file to the OpenStack administrators. PS C:\> ADD-ADGroupMember "grp-openstack" -members "svc-ldap"įrom an AD Domain Controller, use a Certificates MMC to export your LDAPS certificate’s public key (not the private key) as a DER-encoded x509. PS C:\> NEW-ADGroup -name "grp-openstack-admin" -groupscope Global -path "OU=labUsers,DC=lab,DC=local"Īdd the svc-ldap user to the grp-openstack group: PS C:\> NEW-ADGroup -name "grp-openstack-demo" -groupscope Global -path "OU=labUsers,DC=lab,DC=local" PS C:\> NEW-ADGroup -name "grp-openstack" -groupscope Global -path "OU=labUsers,DC=lab,DC=local" PS C:\> Set-ADAccountPassword svc-ldap -PassThru | Enable-ADAccountĬreate a group for OpenStack users, called grp-openstack. ![]() You will be prompted to specify a password that complies with your AD domain’s complexity requirements: Set a password for this account, and then enable it. PS C:\> New-ADUser -SamAccountName svc-ldap -Name "svc-ldap" -GivenName LDAP -Surname Lookups -UserPrincipalName -Enabled $false -PasswordNeverExpires $true -Path 'OU=labUsers,DC=lab,DC=local' This account is used by Identity Service to query the AD DS LDAP service: The OpenStack administrators will use this name for the Keystone domain, allowing consistent domain naming between the environments.įor example, the procedure below shows the PowerShell commands that would be run on the Active Directory Domain Controller:Ĭreate the LDAP lookup account. Retrieve the NetBIOS name of your AD DS domain. The OpenStack administrators will use this key to encrypt LDAPS communications between OpenStack and Active Directory. Send the key to the OpenStack administrators. The service account svc-ldap must be a member of the grp-openstack group.Įxport the public key (not the private key) in the following format: DER-encoded x509. For example, grp-openstack-demo and grp-openstack-admin. Members of this group can be granted access to Projects in the dashboard, if they are also members of the Project groups.Įach OpenStack Project will require a corresponding AD group. This can be named according to your naming convention for user groups, for example: grp-openstack. If a user needs access to OpenStack, they must be a member of this group. Administrator privileges are not required. This can be a regular domain user account. This can be named according to your naming convention for service accounts, for example: svc-ldap. Using domain-specific LDAP backends with director Install and configure novajoin in the overcloud Install and configure novajoin in the undercloud Allow IdM group members to access Projects Allow Active Directory users to access Projects Allow Active Directory group members to access Projects Configure Active Directory Domain Services ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |