Provision Samba AD domain with Fuel plugin
Currently, Fuel cannot provision Samba Active Directory (AD LDAP database, Kerberos realm) and switch Keystone to use it.
Enterprise customers would like to integrate OpenStack with their enterprise-wide Active Directory environment in a more 'native' way.
This scenario has the following advantages over 'classical' LDAP only approaches:
- allows secure integration with AD domains while preserving read/write capability for Keystone
- allows management of users from within OpenStack as well as from Microsoft AD native tools
- optionally allows Kerberos to be used for authentication, bringing its advantages: single sign-on for improved user experience and security (no need to store clear-text passwords in RC files)
Connectivity between Keystone+Samba AD and the enterprise-wide AD implementation could be preserved by using the Kerberos trust mechanism.
Establishing Kerberos trusts between Keystone+Samba AD and the enterprise-wide AD is out of scope (although easily achievable as a post-deployment configuration option).
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: Adam Heczko
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None