Using FreeIPA as an LDAP domain backend for keystone in TripleO
by Juan Antonio Osorio Robles
Configuring FreeIPA to be the backend of a keystone domain is pretty simple
nowadays with recent additions to TripleO.
I took the configuration and several aspects of the setup (such as the users)
from RDO VM Factory and used to to create the following environment
file which we’ll use for TripleO:
We’ll call this freeipa-ldap-config.yaml.
Note that I set a user with uid called keystone. We’ll need to create this on
the FreeIPA side. For convenience, we’ll also create a demo user. So, with your
FreeIPA admin credentials loaded, do the following:
Now, having this, we can do an overcloud install adding the configuration to
When the deployment finishes, for convenience, we’ll assign the admin role for
our admin user. We already have credentials for this user in the generated
overcloudrc file from the deployment. So we’ll source that file, and add the
Note that keystone v3 is needed for this, so we sourced overcloudrc.v3.
Now that we have a role in the FreeIPA-backed domain, we can list its users: