By default, the Identity Service component (Keystone) does not return users and groups to the default domain. The following procedure modifies the default configuration to ensure that users with administrative privileges can access and assign LDAP users to roles in OpenStack.
Prerequisites
- Verify that you have successfully deployed VMware Integrated OpenStack.
- Verify that VMware Integrated OpenStack is running.
- Verify that Active Directory is configured as the LDAP backend.
Procedure
- Using SSH, log in to the VMware Integrated OpenStack deployment.
  This step varies depending on your mode of deployment.
  - If your deployment is using compact mode, log in to the controller node.
  - If your deployment is using high-availability mode, log in to the load balancer node.
- Switch to the root user.
sudo su -
- Execute the cloudadmin_v3.rc file.
$ source ~/cloudadmin_v3.rc
- Create the initial project in the default domain in OpenStack.
$ openstack --os-identity-api-version 3 --os-username admin \
    --os-user-domain-name local --os-project-name admin --os-password admin \
    --os-region-name nova project create --domain default --description "Demo Project" --or-show demo
| Parameter | Description |
| --- | --- |
| --os-identity-api-version 3 | Specifies the API version, in this case, version 3. |
| --os-username admin | Provides the administrative username for login, in this case admin. |
| --os-user-domain-name local | Specifies the domain, in this case local for the specified user. |
| --os-project-name admin | Specifies the admin OpenStack project. |
| --os-password admin | Provides the administrative password for login, in this case admin. |
| --os-region-name nova project create | Runs the nova project create command. |
| --domain default | This command specifies the domain where the new project is created, in this case the default domain. |
| --description "Demo Project" | This parameter names the new project, in this case Demo Project. |
| --or-show demo | Creates an alias for the new project. |
- Add an administrative user to the new project in the default domain.
$ openstack --os-identity-api-version 3 --os-username admin \
    --os-user-domain-name local --os-project-name admin --os-password admin \
    --os-region-name nova role add --project demo --project-domain default \
    --user [email protected] --user-domain default admin
| Parameter | Description |
| --- | --- |
| --os-identity-api-version 3 | Specifies the API version, in this case, version 3. |
| --os-username admin | Provides the administrative username for login, in this case admin. |
| --os-user-domain-name local | Specifies the domain, in this case local for the specified user. |
| --os-project-name admin | Specifies the admin OpenStack project. |
| --os-password admin | Provides the administrative password for login, in this case admin. |
| --os-region-name nova role add | Runs the nova role add command. |
| --project demo | Specifies the project to which the new administrative user is added. |
| --project-domain default | Specifies the project domain. |
| --user [email protected] | Specifies the new administrative user. |
| --user-domain default admin | Assigns the new user to the default admin domain. |
Note: If special characters are used for the user ID, you must modify the Keystone settings in the VMware Integrated OpenStack manager.
- (Optional) If special characters are used for the administrative user ID, you must modify the Keystone settings in the VMware Integrated OpenStack manager.
  - In the VMware Integrated OpenStack manager in vCenter, go to Manage > Settings > Configure Identity Source.
  - Click Edit.
  - Under Advanced Settings, modify the User ID value from cn to userPrincipalName.
You can now log in to the default domain in the VMware Integrated OpenStack dashboard using the administrative user name and password.
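Before relying on the dashboard login, the role add step can be checked from the same shell. The script below is an added example, not part of the VMware procedure: it confirms that the admin role on the demo project belongs to the LDAP user in the default domain rather than to a same-named account in the local domain. It assumes the OS_* credentials are already exported in the environment and that the default domain is displayed as Default; LDAP_ADMIN and the sample rows are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: check that the "role add" step above granted admin on the
# demo project to the LDAP user in the default domain.
# Assumptions: OS_* credentials are already exported in the environment, and
# LDAP_ADMIN is a placeholder because the page does not show the account name.
LDAP_ADMIN="${LDAP_ADMIN:-ldap-admin@example.test}"

# List "Role User Project" rows for one user on one project. Credentials are
# read from the environment, so no password appears in argv or shell history.
list_assignments() {
    openstack --os-identity-api-version 3 role assignment list --names \
        --user "$1" --user-domain default \
        --project "$2" --project-domain default \
        -f value -c Role -c User -c Project
}

# Succeed only if stdin has a row granting role $1 to user $2 on project $3,
# both in the default domain. With --names, entries print as name@Domain, and
# a userPrincipalName-style user already contains "@", so the domain is taken
# from the last "@". Names containing spaces are not handled.
has_grant() {
    awk -v r="$1" -v u="$2" -v p="$3" '
        {
            user = $2; udom = $2; sub(/@[^@]*$/, "", user); sub(/.*@/, "", udom)
            proj = $3; pdom = $3; sub(/@[^@]*$/, "", proj); sub(/.*@/, "", pdom)
            if ($1 == r && user == u && proj == p &&
                tolower(udom) == "default" && tolower(pdom) == "default")
                found = 1
        }
        END { exit !found }'
}

# Constructed sample of the listing: the first row is a same-named account in
# the local domain and must not count as the default-domain grant.
SAMPLE='admin ldap-admin@example.test@local demo@Default
_member_ ldap-admin@example.test@Default demo@Default
admin ldap-admin@example.test@Default demo@Default'

if [ "${1:-}" = "--live" ]; then
    list_assignments "$LDAP_ADMIN" demo | has_grant admin "$LDAP_ADMIN" demo ||
        { echo "admin grant missing for $LDAP_ADMIN on demo" >&2; exit 1; }
    echo "admin grant present for $LDAP_ADMIN on demo"
else
    printf '%s\n' "$SAMPLE" | has_grant admin ldap-admin@example.test demo &&
        echo "sample listing: admin grant present"
fi
```

Run it with `--live` and `LDAP_ADMIN` set to the real account to query Keystone; without arguments it only exercises the parser on the constructed sample.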