When you configure the Identity service to use an LDAP back end, you can split authentication and authorization using the Assignments feature.
The Assignments feature enables administrators to manage project role authorization using the Identity service's own SQL database, while still providing user authentication through the LDAP directory.
To configure this:
Procedure 2.2. Separating role authorization and user authentication through Assignments
1. Configure the Identity service to authenticate users through the LDAP driver. To do so, first find the [identity] section in the /etc/keystone/keystone.conf configuration file. Then, set the driver configuration key in that section to keystone.identity.backends.ldap.Identity:

   [identity]
   driver = keystone.identity.backends.ldap.Identity

2. Next, enable the Assignment driver. To do so, find the [assignment] section in the /etc/keystone/keystone.conf configuration file. Then, set the driver configuration key in that section to keystone.assignment.backends.sql.Assignment:

   [assignment]
   driver = keystone.assignment.backends.sql.Assignment

On distributions that include openstack-config, you can configure both drivers by running the following commands instead:

   # openstack-config --set /etc/keystone/keystone.conf \
     identity driver keystone.identity.backends.ldap.Identity
   # openstack-config --set /etc/keystone/keystone.conf \
     assignment driver keystone.assignment.backends.sql.Assignment
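The following is an added example, not part of the original procedure or of Keystone itself. It checks a keystone.conf for the two driver settings the procedure requires (LDAP for identity, SQL for assignment) and, if they are missing or wrong, produces corrected configuration text the way the two openstack-config --set commands would. The configuration text is a constructed sample embedded in the script; the function names find_misconfigured_drivers and apply_split_drivers are this example's own.

```python
import configparser
import io

# Constructed sample of the relevant sections of /etc/keystone/keystone.conf.
# This is not a file taken from a real deployment; it is embedded here so the
# example runs offline.
SAMPLE_CONF = """\
[DEFAULT]
# (unrelated settings omitted)

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
"""

# The driver values the procedure calls for, keyed by (section, option).
EXPECTED_DRIVERS = {
    ("identity", "driver"): "keystone.identity.backends.ldap.Identity",
    ("assignment", "driver"): "keystone.assignment.backends.sql.Assignment",
}


def parse_conf(text):
    """Parse keystone.conf text into a ConfigParser.

    Interpolation is disabled because keystone.conf values may contain '%',
    and strict=False tolerates duplicated keys that a hand-edited file may carry.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def find_misconfigured_drivers(text):
    """Return a list of (section, option, actual_value) tuples for every driver
    setting that does not match the Assignments split.

    An empty list means authentication goes through LDAP and role assignment
    through SQL, as the procedure describes. A missing section or option is
    reported with actual_value set to None.
    """
    parser = parse_conf(text)
    problems = []
    for (section, option), wanted in EXPECTED_DRIVERS.items():
        # fallback covers both a missing section and a missing option.
        actual = parser.get(section, option, fallback=None)
        if actual != wanted:
            problems.append((section, option, actual))
    return problems


def apply_split_drivers(text):
    """Return configuration text with both drivers set to the expected values,
    creating the [identity] or [assignment] section if it is absent.

    This mirrors the effect of the two openstack-config --set commands without
    touching the file system. Note that ConfigParser drops comments on write,
    so a real deployment should edit the file in place rather than rewrite it
    wholesale from this output.
    """
    parser = parse_conf(text)
    for (section, option), wanted in EXPECTED_DRIVERS.items():
        if not parser.has_section(section):
            parser.add_section(section)
        parser.set(section, option, wanted)
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    # Run the check against the constructed sample, then against a deliberately
    # incomplete variant (constructed) to show the report and the repair.
    print("sample problems:", find_misconfigured_drivers(SAMPLE_CONF))
    incomplete = "[identity]\ndriver = keystone.identity.backends.sql.Identity\n"
    print("incomplete problems:", find_misconfigured_drivers(incomplete))
    repaired = apply_split_drivers(incomplete)
    print("after repair:", find_misconfigured_drivers(repaired))
```

To check a live file, read /etc/keystone/keystone.conf into a string and pass it to find_misconfigured_drivers; a non-empty result names exactly which section still points at the wrong back end, which is the first thing to confirm when LDAP users can log in but their project roles are not found, or vice versa.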