When defining the URL for connecting to the LDAP server in the Keystone configuration, I am looking for a way to specify multiple LDAP servers for redundancy. For example, if an AD domain controller were not available, Keystone would try an alternate domain controller. The current Keystone v3 supports multiple domains and types, but not multiple servers in the same domain.

~~~
[ldap]
url = ldaps://addc.lab.local:636
user = CN=svc-ldap,CN=Users,DC=lab,DC=local
~~~

Can we put multiple server URLs on the same line? This is supported by sssd / samba / many other authentication modules.

Another question: in case of an outage, it is mentioned in the doc that

~~~~
- The Identity Service will need to be restarted to add the AD DS back end.
- The Compute services on all nodes need to be restarted in order to switch over to keystone v3.
- Users will be unable to access the dashboard until their accounts have been created in AD DS. To reduce downtime, consider pre-staging the AD DS accounts well in advance of this change.

or

- Users will be unable to access the dashboard until their accounts have been created in IdM. To reduce downtime, consider pre-staging the IdM accounts well in advance of this change.
~~~~

I am not sure if this is going to be addressed here or not; if multiple URLs are supported, do we need to reboot the Identity Service in case the primary fails?
Came across this upstream and it seems promising. https://bugs.launchpad.net/keystone/+bug/1500631

~~~
So I did try comma-separated LDAP URLs in keystone, which worked as I would expect. It attempts connections with the first host and tries the next if it fails to bind.

My simple example using python-ldap, where there is no LDAP server at localhost, but there is at ldaps.company.com:

>>> import ldap
>>> l = ldap.initialize('ldap://localhost:389,ldaps://ldaps.company.com:636')
>>> l.simple_bind_s()
(97, [], 1, [])

The same works in keystone, so the keystone config help should be updated to show this is actually a supported option. It's very useful for deployers using AD where there is commonly redundancy using many domain controllers behind that one domain.

Note: the whitespace-separated list did not work for me, only comma.
~~~
This appears to be working in my osp7 lab with keystone v3 [1]. For example, the first entry in keystone.LAB.conf uses a deliberately incorrect port:

----
url = ldap://idm.lab.local:633,ldaps://idm.lab.local
----

I can see traffic hit port 633 before a successful result is returned:

----
idm.lab.local# tcpdump port 633 -v -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:47:54.602196 IP (tos 0x0, ttl 64, id 15735, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.122.41.36841 > idm.lab.local.servstat: Flags [S], cksum 0x75ee (incorrect -> 0xa080), seq 4022766859, win 29200, options [mss 1460,sackOK,TS val 4294815868 ecr 0,nop,wscale 7], length 0
----

----
controller# openstack user list --domain LAB
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| 27b518e63fd3fcc722027f1081fa5ba656e38cb193ce8c0af34725ae7473a8f0 | svc-ldap |
| a9f7bd2dacbebb4dc3fe10207252fb422c48a27cfaec5aaefaf5588592f898be | uuser1   |
+------------------------------------------------------------------+----------+
----

[1] Setup according to this guide: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/integrate-with-identity-service/#sec-idm
I just tested with master and replica IPA and it's working well. Here is my conf:

~~~~~~~~~~~
[ldap]
url = ldaps://ipb.test.com,ldaps://ipa.test.com
user = uid=svc-ldap,cn=users,cn=accounts,dc=umuzumu,dc=com
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=umuzumu,dc=com)
password = redhat
user_tree_dn = cn=users,cn=accounts,dc=umuzumu,dc=com
user_objectclass = inetUser
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False

[identity]
driver = keystone.identity.backends.ldap.Identity
~~~~~~~~~~~

In case of any failure of the first one, it goes to the second one.
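As an added example (not code from this thread, from Keystone or from python-ldap), here is a small Python script that parses the comma-separated `url` value the way the posts above report it being consumed, rejects the whitespace-separated form the upstream comment says did not work, flags plaintext `ldap://` entries, and walks the list in order to show which server a connection would land on. The keystone.conf fragment and hostnames are constructed for the example (the first entry reuses the deliberately wrong port 633 from the OSP7 lab test); the default probe is a plain TCP connect standing in for python-ldap's connect-and-bind, and it can be replaced with a fake so the failover logic can be exercised offline.

```python
"""Check a Keystone [ldap] url list for failover order.

Keystone hands the comma-separated `url` value to python-ldap, which walks
the list in order and moves on when a host does not answer (the behaviour
the upstream comment and the lab tests above report).  This script parses
the value the same way, flags plaintext ldap:// entries, and reports which
host would actually be used.
"""
import configparser
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample configuration for this example, not a real deployment.
# The first entry deliberately uses a wrong port, like the OSP7 lab test.
SAMPLE_KEYSTONE_CONF = """
[ldap]
url = ldap://idm.lab.local:633,ldaps://idm.lab.local
user = uid=svc-ldap,cn=users,cn=accounts,dc=lab,dc=local
"""


def parse_ldap_urls(url_value):
    """Split the `url` option into (scheme, host, port) tuples, in order.

    Only commas separate entries: the upstream comment reports that a
    whitespace-separated list did not work in Keystone, so whitespace inside
    an entry is rejected rather than silently treated as a separator.
    """
    targets = []
    for raw in url_value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if any(ch.isspace() for ch in entry):
            raise ValueError("whitespace inside %r; separate URLs with commas" % entry)
        parts = urlsplit(entry)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError("not an ldap:// or ldaps:// URL: %r" % entry)
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
        targets.append((parts.scheme, parts.hostname, port))
    if not targets:
        raise ValueError("url option is empty")
    return targets


def validate_url_value(url_value):
    """Return None if the value parses cleanly, otherwise the error text."""
    try:
        parse_ldap_urls(url_value)
    except ValueError as exc:
        return str(exc)
    return None


def tcp_reachable(host, port, timeout=3.0):
    """Default probe: a TCP connect, the first step of every LDAP connection.

    It stands in for python-ldap's connect-and-bind; a refused or timed-out
    connect is what makes the client move on to the next URL in the list.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_first_reachable(targets, probe=tcp_reachable):
    """Index of the first target the probe reaches, or None if all fail.

    Earlier entries are tried first and skipped when unreachable, so a dead
    primary costs one failed connect attempt per new connection, not a
    Keystone restart.
    """
    for idx, (_scheme, host, port) in enumerate(targets):
        if probe(host, port):
            return idx
    return None


def check_keystone_ldap(conf_text, probe=tcp_reachable):
    """Parse a keystone.conf fragment and report the failover outcome."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    targets = parse_ldap_urls(cfg.get("ldap", "url"))
    # Plaintext ldap:// exposes the service account's bind password on the
    # wire unless STARTTLS (the [ldap] use_tls option) is also configured.
    warnings = ["%s://%s:%d is plaintext LDAP" % t for t in targets if t[0] == "ldap"]
    return {"targets": targets,
            "chosen": pick_first_reachable(targets, probe),
            "warnings": warnings}


if __name__ == "__main__":
    report = check_keystone_ldap(SAMPLE_KEYSTONE_CONF)
    chosen = report["chosen"]
    for i, (scheme, host, port) in enumerate(report["targets"]):
        if i == chosen:
            state = "USED"
        elif chosen is None or i < chosen:
            state = "unreachable, skipped"
        else:
            state = "not tried"
        print("%d. %s://%s:%d  %s" % (i + 1, scheme, host, port, state))
    for warning in report["warnings"]:
        print("WARNING:", warning)
    if chosen is None:
        print("no LDAP server reachable; Keystone's bind would fail")
```

Run against a real keystone.conf by passing its `[ldap]` section text to `check_keystone_ldap`; the TCP probe only proves the host answers on that port, so a server that accepts the connection but rejects the bind DN or presents a certificate that does not match the `ldaps://` hostname still needs to be checked with an actual bind (for example with `ldapsearch` or the python-ldap session shown in the upstream comment).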
Martin has already worked on changes to add this to the documentation. Do we also want to see if we can add a helpful comment or example to the default keystone.conf? That seems like something worth proposing upstream.
Steps are now live on the customer portal: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/integrate-with-identity-service/chapter-1-active-directory-integration#AD-HA
Filed an upstream bug to document this better.