Go Daddy has a large Active Directory (AD) deployment that serves many purposes for our corporate and hosting infrastructure. In building our private cloud, we've leveraged AD to power Keystone's identity service, VM authentication, and security discovery and auditing. In this talk, we'll discuss exactly how we've configured OpenStack to work well with AD, other open source tools we've used to achieve our desired functionality, and the lessons we've learned along the way. Specifically, we'll cover:
- Keystone's LDAP capabilities
- Using LDAP for OpenStack authentication
- Using LDAP as a store for projects and roles (and why we chose not to use this feature)
- The quirky differences between AD and LDAP and how those can impact your Keystone configuration, including known outstanding bugs (as of Havana) related to AD integration and their workarounds
- How we used the open source tool PowerBroker Identity Services to back VM authentication, and possible alternative solutions
- Techniques we've used to maintain and scale the relationship between OpenStack and AD
- Using AD groups cohesively across our company's platform, including OpenStack, GitHub, CI/CD, Finance, and more