The Identity service supports the use of TLS to encrypt LDAP traffic. Before configuring this, you must first verify where your certificate authority file is located. For more information, see the section called “Certificates for PKI”.
Once you verify the location of your certificate authority file:
Procedure 2.3. Configuring TLS encryption on LDAP traffic
Open the
/etc/keystone/keystone.conf
configuration file.Find the
[ldap]
section.In the
[ldap]
section, set theuse_tls
configuration key toTrue
. Doing so will enable TLS.Configure the Identity service to use your certificate authorities file. To do so, set the
tls_cacertfile
configuration key in theldap
section to the certificate authorities file's path.Note You can also set the
tls_cacertdir
(also in theldap
section) to the directory where all certificate authorities files are kept. If bothtls_cacertfile
andtls_cacertdir
are set, then the latter will be ignored.Specify what client certificate checks to perform on incoming TLS sessions from the LDAP server. To do so, set the
tls_req_cert
configuration key in the[ldap]
section todemand
,allow
, ornever
:demand
: a certificate will always be requested from the LDAP server. The session will be terminated if no certificate is provided, or if the certificate provided cannot be verified against the existing certificate authorities file.allow
: a certificate will always be requested from the LDAP server. The session will proceed as normal even if a certificate is not provided. If a certificate is provided but it cannot be verified against the existing certificate authorities file, the certificate will be ignored and the session will proceed as normal.never
: a certificate will never be requested.
On distributions that include openstack-config, you can configure TLS encryption on LDAP traffic by running the following commands instead:
# openstack --config --set /etc/keystone/keystone.conf \ ldap use_tls True # openstack-config --set /etc/keystone/keystone.conf \ ldap tls_cacertfileCA_FILE
# openstack-config --set /etc/keystone/keystone.conf \ ldap tls_req_certCERT_BEHAVIOR
Where:
CA_FILE
is the absolute path to the certificate authorities file that should be used to encrypt LDAP traffic.CERT_BEHAVIOR
: specifies what client certificate checks to perform on an incoming TLS session from the LDAP server (demand
,allow
, ornever
).