From 1ed2046eaa91fa36926d66a5fe1e88ccd65373bb Mon Sep 17 00:00:00 2001
From: Henry Nash
Date: Thu, 25 Jul 2013 20:09:45 +0100
Subject: Implement domain specific Identity backends

A common scenario in shared clouds will be that a cloud provider will want to be able to offer larger customers the ability to interface to their chosen identity provider. In the base case, this might well be their own corporate LDAP/AD directory. A cloud provider might also want smaller customers to have their identity managed solely within the OpenStack cloud, perhaps in a shared SQL database.

This patch allows domain specific backends for identity objects (namely users and groups), which are specified by creation of a domain configuration file for each domain that requires its own backend.

A side benefit of this change is that it clearly separates the backends into those that are domain-aware and those that are not, allowing, for example, the removal of domain validation from the LDAP identity backend.

Implements bp multiple-ldap-servers

DocImpact

Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
---
 doc/source/configuration.rst | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'doc')

diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 1c339490..2b802c83 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -96,6 +96,25 @@ order: PasteDeploy configuration file is specified by the ``config_file`` parameter in ``[paste_deploy]`` section of the primary configuration file. If the parameter is not an absolute path, then Keystone looks for it in the same directories as above. If not specified, WSGI pipeline definitions are loaded from the primary configuration file. +Keystone supports the option (disabled by default) to specify identity driver +configurations on a domain by domain basis, allowing, for example, a specific +domain to have its own LDAP or SQL server. This is configured by specifying the +following options:: + + [identity] + domain_specific_drivers_enabled = True + domain_config_dir = /etc/keystone/domains + +Setting ``domain_specific_drivers_enabled`` to True will enable this feature, causing +keystone to look in the ``domain_config_dir`` for config files of the form:: + + keystone..conf + +Options given in the domain specific configuration file will override those in the +primary configuration file for the specified domain only. Domains without a specific +configuration file will continue to use the options from the primary configuration +file. + Authentication Plugins ---------------------- -- cgit
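Review bot: the file-name pattern in this hunk reads ``keystone..conf``, which leaves the reader with nothing between the two dots; the literal block should spell out the placeholder and state which value fills it, e.g. ``keystone.<domain_name>.conf`` with a sentence saying that ``<domain_name>`` is the name of the domain the file applies to, otherwise operators cannot tell how keystone matches a file to a domain. Two further documentation gaps: the sentence "Options given in the domain specific configuration file will override those in the primary configuration file" should say which sections are honoured in a per-domain file (the hunk only hints at LDAP or SQL backends), and since a per-domain file pointing at a customer's LDAP server will normally carry that server's bind credentials, the text should note that ``domain_config_dir`` and the files in it must be readable only by the keystone service user, in the same way the primary configuration file is protected.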