Separate role authorization and user authentication

When you configure the Identity service to use an LDAP back end, you can split authentication and authorization using the Assignments feature.

The Assignments feature enables administrators to manage project role authorization using the Identity service's own SQL database, while still providing user authentication through the LDAP directory.

To configure this:
Procedure 2.2. Separating role authorization and user authentication through Assignments

  1. Configure the Identity service to authenticate users through the LDAP driver. To do so, first find the [identity] section in the /etc/keystone/keystone.conf configuration file. Then, set the driver configuration key in that section to keystone.identity.backends.ldap.Identity:

    [identity]
    driver = keystone.identity.backends.ldap.Identity
  2. Next, enable the Assignment driver. To do so, find the [assignment] section in the /etc/keystone/keystone.conf configuration file. Then, set the driver configuration key in that section to keystone.assignment.backends.sql.Assignment:

    [assignment]
    driver = keystone.assignment.backends.sql.Assignment

On distributions that include openstack-config, you can configure both drivers by running the following commands instead:

    # openstack-config --set /etc/keystone/keystone.conf \
        identity driver keystone.identity.backends.ldap.Identity
    # openstack-config --set /etc/keystone/keystone.conf \
        assignment driver keystone.assignment.backends.sql.Assignment
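After editing keystone.conf by hand or with openstack-config, it is worth confirming that the two driver settings actually landed in the right sections, since a typo in a section name or a missing [assignment] block leaves Keystone on whatever default it falls back to rather than on the SQL assignment backend. The following checker is an added example, not code from the OpenStack documentation or the Keystone project; it reads keystone.conf text with Python's standard configparser and reports whether the [identity] driver is the LDAP backend and the [assignment] driver is the SQL backend named in the procedure above. The two sample configurations embedded in it are constructed for the example, and the function names are the example's own.

```python
"""Check that keystone.conf splits user authentication (LDAP identity
driver) from role authorization (SQL assignment driver).

Added example, not part of the OpenStack documentation. The driver
values are the two named in the procedure; the sample configs are
constructed for this example.
"""
import configparser
from io import StringIO

# Driver values from the procedure above.
LDAP_IDENTITY = "keystone.identity.backends.ldap.Identity"
SQL_ASSIGNMENT = "keystone.assignment.backends.sql.Assignment"

# Constructed sample: authentication via LDAP, role assignment via SQL.
SPLIT_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
"""

# Constructed sample: the [assignment] section was never added, so the
# SQL assignment driver is not configured and the split is incomplete.
UNSPLIT_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity
"""


def parse_keystone_conf(text):
    """Parse INI-style keystone.conf text.

    Interpolation is disabled so '%' in values is not mangled, and option
    names keep their case so a mis-capitalised key is reported rather than
    silently matched.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_file(StringIO(text))
    return parser


def check_split_backends(text):
    """Return a dict describing whether the config matches the procedure.

    'split' is True only when [identity] driver is the LDAP backend and
    [assignment] driver is the SQL backend; 'problems' lists each mismatch.
    """
    conf = parse_keystone_conf(text)
    identity_driver = conf.get("identity", "driver", fallback=None)
    assignment_driver = conf.get("assignment", "driver", fallback=None)

    problems = []
    if identity_driver != LDAP_IDENTITY:
        problems.append(
            "[identity] driver is %r, expected %s" % (identity_driver, LDAP_IDENTITY)
        )
    if assignment_driver != SQL_ASSIGNMENT:
        problems.append(
            "[assignment] driver is %r, expected %s"
            % (assignment_driver, SQL_ASSIGNMENT)
        )

    return {
        "identity_driver": identity_driver,
        "assignment_driver": assignment_driver,
        "split": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # To check a real file instead of the constructed samples:
    #   check_split_backends(open("/etc/keystone/keystone.conf").read())
    for name, text in (("split", SPLIT_CONF), ("unsplit", UNSPLIT_CONF)):
        result = check_split_backends(text)
        status = "OK" if result["split"] else "PROBLEMS: " + "; ".join(result["problems"])
        print("%s config: %s" % (name, status))
```

Running the script reports the first sample as OK and the second as missing the [assignment] driver; pointing `check_split_backends` at the contents of /etc/keystone/keystone.conf gives the same report for a live configuration.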