By default, the Identity Service component (Keystone) does not return users and groups for the default domain. The following procedure modifies the default configuration so that users with administrative privileges can access LDAP users and assign them to roles in OpenStack.

Prerequisites

  • Verify that you have successfully deployed VMware Integrated OpenStack.

  • Verify that VMware Integrated OpenStack is running.

  • Verify that Active Directory is configured as the LDAP backend.

Procedure

  1. Using SSH, log in to the VMware Integrated OpenStack deployment.

    This step varies depending on your deployment mode.

    • If your deployment uses compact mode, log in to the controller node.

    • If your deployment uses high-availability mode, log in to the load balancer node.

  2. Switch to the root user.

    $ sudo su -

  3. Source the cloudadmin_v3.rc file.

    $ source ~/cloudadmin_v3.rc

  4. Create the initial project in the default domain in OpenStack.

    $ openstack --os-identity-api-version 3 --os-username admin \
           --os-user-domain-name local --os-project-name admin --os-password admin \
           --os-region-name nova project create --domain default --description "Demo Project" --or-show demo

    Parameter                              Description
    --os-identity-api-version 3            Specifies the API version, in this case version 3.
    --os-username admin                    Provides the administrative username for login, in this case admin.
    --os-user-domain-name local            Specifies the domain of the specified user, in this case local.
    --os-project-name admin                Specifies the admin OpenStack project.
    --os-password admin                    Provides the administrative password for login, in this case admin.
    --os-region-name nova project create   Runs the nova project create command.
    --domain default                       Specifies the domain in which the new project is created, in this case the default domain.
    --description "Demo Project"           Names the new project, in this case Demo Project.
    --or-show demo                         Creates an alias for the new project.

  5. Add an administrative user to the new project in the default domain.

    $ openstack --os-identity-api-version 3 --os-username admin \
           --os-user-domain-name local --os-project-name admin --os-password admin \
           --os-region-name nova role add --project demo --project-domain default \
           --user [email protected] --user-domain default admin

    Parameter                              Description
    --os-identity-api-version 3            Specifies the API version, in this case version 3.
    --os-username admin                    Provides the administrative username for login, in this case admin.
    --os-user-domain-name local            Specifies the domain of the specified user, in this case local.
    --os-project-name admin                Specifies the admin OpenStack project.
    --os-password admin                    Provides the administrative password for login, in this case admin.
    --os-region-name nova role add         Runs the nova role add command.
    --project demo                         Specifies the project to which the new administrative user is added.
    --project-domain default               Specifies the project domain.
    --user [email protected]                Specifies the new administrative user.
    --user-domain default admin            Assigns the new user to the default admin domain.

    Note:

    If special characters are used for the user ID, you must modify the Keystone settings in the VMware Integrated OpenStack manager.

  6. (Optional) If special characters are used for the administrative user ID, you must modify the Keystone settings in the VMware Integrated OpenStack manager.
    1. In the VMware Integrated OpenStack manager in vCenter, go to Manage > Settings > Configure Identity Source.
    2. Click Edit.
    3. Under Advanced Settings, modify the User ID value from cn to userPrincipalName.

    You can now log in to the default domain in the VMware Integrated OpenStack dashboard using the administrative user name and password.
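As an added example (not part of the VMware Integrated OpenStack documentation), steps 3 to 5 above as POSIX shell functions that take the admin credentials from the environment sourced from ~/cloudadmin_v3.rc rather than from --os-password on the command line, and that list the resulting role assignment as a post-check. It assumes the rc file exports OS_AUTH_URL, OS_PASSWORD and the other standard OS_* variables; the DRY_RUN switch and the LDAP user name ldap-admin@corp.example are our own constructions.

```shell
#!/bin/sh
# Added example, not from the VMware Integrated OpenStack documentation: steps 3
# to 5 as shell functions that take credentials from the environment sourced
# from ~/cloudadmin_v3.rc (assumed to export OS_AUTH_URL, OS_PASSWORD and the
# other OS_* variables) instead of --os-password on the command line, where the
# password lands in shell history and process listings. DRY_RUN=1 is our own
# switch that prints each command instead of running it.

# Fallback values from the page; the rc file normally sets these already.
export OS_IDENTITY_API_VERSION="${OS_IDENTITY_API_VERSION:-3}" OS_USERNAME="${OS_USERNAME:-admin}"
export OS_USER_DOMAIN_NAME="${OS_USER_DOMAIN_NAME:-local}" OS_PROJECT_NAME="${OS_PROJECT_NAME:-admin}"
export OS_REGION_NAME="${OS_REGION_NAME:-nova}"

# Refuse to run if the rc file was not sourced (no endpoint or no password).
require_env() {
    [ -n "${OS_AUTH_URL:-}" ] && [ -n "${OS_PASSWORD:-}" ] && return 0
    echo "OS_AUTH_URL/OS_PASSWORD not set: run 'source ~/cloudadmin_v3.rc' first" >&2
    return 1
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 4: create PROJECT in the default domain; --or-show makes a rerun harmless.
create_default_domain_project() {   # $1 = project name, $2 = description
    require_env || return 1
    run openstack project create --domain default --description "$2" --or-show "$1"
}

# Step 5: grant ROLE on PROJECT to an LDAP user that lives in the default domain.
grant_role_to_ldap_user() {         # $1 = project, $2 = LDAP user, $3 = role
    require_env || return 1
    run openstack role add --project "$1" --project-domain default \
        --user "$2" --user-domain default "$3"
}

# Post-check: list the assignment so a mistyped user name is caught now, not at first login.
verify_assignment() {               # $1 = project, $2 = user, $3 = role
    require_env || return 1
    run openstack role assignment list --project "$1" --project-domain default \
        --user "$2" --user-domain default --role "$3" --names -f value
}

# Example invocation with a constructed LDAP user name (not from the page):
# create_default_domain_project demo "Demo Project"
# grant_role_to_ldap_user demo "ldap-admin@corp.example" admin
# verify_assignment demo "ldap-admin@corp.example" admin
```

Run it after `source ~/cloudadmin_v3.rc` as root on the node from step 1; with DRY_RUN=1 it only prints the three openstack commands.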