Configuring Keystone (optional)
Customizing the Keystone deployment is done within /etc/openstack_deploy/user_variables.yml.
Securing Keystone communication with SSL certificates
The OpenStack-Ansible project provides the ability to secure Keystone communications with self-signed or user-provided SSL certificates.
Refer to Securing services with SSL certificates for available configuration options.
Special considerations when using LDAP or AD backends
Configuring LDAP or Active Directory (AD) backends for keystone can make deployment easier, but there are special considerations for these types of deployments.
Creating users
During an OpenStack-Ansible deployment, the individual roles that deploy various OpenStack services will attempt to create users in keystone. For deployments where keystone uses LDAP as an authentication backend, these users must be created prior to running the OpenStack-Ansible playbooks. The tasks for adding keystone users within individual role playbooks will be skipped.
Stacked authentication
Some deployers may prefer to use "stacked" authentication where some users exist in a SQL backend while other users exist in an LDAP or Active Directory (AD) backend. This can be useful for deployers who want to reduce the number of service accounts that must exist in LDAP or AD.
For more details on stacked authentication, see Matt Fischer's blog post or review IBM's documentation titled Configure OpenStack Keystone support for domain-specific corporate directories.
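As an added illustration (not part of the original guide, and not OpenStack-Ansible's own variables), this is roughly what stacked authentication looks like at the Keystone level using domain-specific drivers: the default domain stays on SQL for service accounts, and one domain is backed by LDAP over a verified TLS connection. The domain name `corp`, the hostnames, DNs, file paths and the bind account are constructed placeholders.

```ini
# --- File 1: /etc/keystone/keystone.conf ---
# The default domain keeps the SQL backend, so service accounts
# do not need to exist in LDAP or AD.
[identity]
driver = sql
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

# --- File 2: /etc/keystone/domains/keystone.corp.conf ---
# Per-domain override for a hypothetical domain named "corp".
# The file name must follow keystone.<domain_name>.conf.
[identity]
driver = ldap

[ldap]
# Use ldaps:// and require a valid server certificate so bind
# credentials and user passwords are never sent in clear text.
url = ldaps://ldap.example.com
tls_cacertfile = /etc/ssl/certs/corp-ldap-ca.pem
tls_req_cert = demand

# Bind with a dedicated, read-only directory account (placeholder DN).
user = cn=keystone-bind,ou=service,dc=example,dc=com
password = REPLACE_ME

suffix = dc=example,dc=com
user_tree_dn = ou=people,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
query_scope = sub
```

Keep the per-domain file readable only by the keystone service user, since it holds the bind password.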