Identity Service supports integration with an existing LDAP directory for authentication and authorization services.
Important: For OpenStack Identity to access an LDAP back end, you must enable the authlogin_nsswitch_use_ldap SELinux boolean on the Identity server. To enable it and make the setting persist across reboots:
    # setsebool -P authlogin_nsswitch_use_ldap on
Note: You can integrate Identity with a single LDAP server.
To configure Identity, set options in the /etc/keystone/keystone.conf file. Modify these examples as needed.
Procedure 2.1. To integrate Identity with LDAP
1. Enable the LDAP driver in the keystone.conf file:
    [identity]
    #driver = keystone.identity.backends.sql.Identity
    driver = keystone.identity.backends.ldap.Identity
2. Define the destination LDAP server in the keystone.conf file. The user option is the DN of the account Identity binds as (here the conventional OpenLDAP cn=Manager entry; for a read-only integration, prefer a dedicated account with read-only access over the directory's rootdn):
    [ldap]
    url = ldap://localhost
    user = cn=Manager,dc=example,dc=org
    password = samplepassword
    suffix = dc=example,dc=org
    use_dumb_member = False
    allow_subtree_delete = False
   The bind password is stored in clear in keystone.conf, so keep the file readable only by root and the keystone service user. A plain ldap:// URL sends that password, and every user's password at login, in clear across the network; for any server other than localhost, use an ldaps:// URL or set use_tls = True together with tls_cacertfile (or tls_cacertdir) and tls_req_cert = demand so that the server certificate is verified.
3. Create the organizational units (OUs) in the LDAP directory, and define their corresponding locations in the keystone.conf file:
    [ldap]
    user_tree_dn = ou=Users,dc=example,dc=org
    user_objectclass = inetOrgPerson
    tenant_tree_dn = ou=Groups,dc=example,dc=org
    tenant_objectclass = groupOfNames
    role_tree_dn = ou=Roles,dc=example,dc=org
    role_objectclass = organizationalRole
   Note: The object classes are configurable so that Identity can be mapped onto different directory schemas. For example, this setting maps users to the person object class in Active Directory:
    user_objectclass = person
4. A read-only implementation is recommended for LDAP integration: Identity then only reads users, tenants and roles from the directory and never writes to it. Set these permissions for each object type in the keystone.conf file (the defaults are True, so every flag must be set explicitly):
    [ldap]
    user_allow_create = False
    user_allow_update = False
    user_allow_delete = False
    tenant_allow_create = False
    tenant_allow_update = False
    tenant_allow_delete = False
    role_allow_create = False
    role_allow_update = False
    role_allow_delete = False
   These flags are enforced by Identity, not by the directory: they only control what Identity attempts. Also grant the bind account read-only access in the directory's own access controls, so that a compromised Identity service cannot modify the directory.
5. Restart the Identity service:
    # service keystone restart
   Warning: During the service restart, authentication and authorization are unavailable.
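The checks a practitioner would run over the [ldap] section assembled by the procedure above, as an added example that is not part of the OpenStack documentation or of Keystone: it parses a keystone.conf, flags a plaintext URL without TLS, a bind DN whose RDN is not cn= or uid=, tree DNs outside the suffix and any *_allow_* flag left writable, and generates the LDIF for the OUs named by *_tree_dn so that the directory layout cannot drift from the configuration. The sample configuration is constructed from the procedure's values (with the weaknesses it warns about left in, and a hardened copy beside it); the option names are the Havana-era ones used on this page, the ldap.example.org hostname is hypothetical, and the LDIF assumes the tree DNs are ou= entries.

```python
"""Audit a keystone.conf [ldap] section and emit LDIF for the OUs it names.

Added example; not part of the OpenStack documentation or of Keystone.
Assumptions: the Havana-era option names used in Procedure 2.1, a directory
in which the *_tree_dn entries are ou= organizationalUnit objects, and that
a read-only integration (all *_allow_* = False) is the intended state.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: the settings from Procedure 2.1 merged into one file,
# carrying two weaknesses the procedure text warns about: a plaintext ldap://
# URL without use_tls, and a bind DN whose RDN is dc= rather than cn= or uid=.
SAMPLE_CONF = """\
[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames
role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = False
role_allow_update = False
role_allow_delete = False
"""

# The same file with both weaknesses corrected (hostname is hypothetical).
HARDENED_CONF = (SAMPLE_CONF
                 .replace("url = ldap://localhost", "url = ldaps://ldap.example.org")
                 .replace("user = dc=Manager", "user = cn=Manager"))

LDAP_DRIVER = "keystone.identity.backends.ldap.Identity"
OBJECTS = ("user", "tenant", "role")
OPERATIONS = ("create", "update", "delete")


def load(text):
    """Parse keystone.conf text; interpolation is off because values may contain %."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def audit(text):
    """Return a list of findings; an empty list means the section passes."""
    parser = load(text)
    findings = []
    if parser.get("identity", "driver", fallback="") != LDAP_DRIVER:
        findings.append("[identity] driver is not the LDAP driver")
    if not parser.has_section("ldap"):
        return findings + ["[ldap] section is missing"]
    section = parser["ldap"]

    # Bind credentials and user passwords must not cross the network in clear.
    scheme = urlsplit(section.get("url", "")).scheme
    if scheme != "ldaps" and section.get("use_tls", "False").lower() != "true":
        findings.append("url is plaintext ldap:// and use_tls is not True")

    # The bind identity is an entry (cn=/uid=), not a naming context (dc=).
    rdn = section.get("user", "").split(",", 1)[0].lower()
    if not rdn.startswith(("cn=", "uid=")):
        findings.append(f"user (bind DN) RDN should be cn= or uid=, got {rdn!r}")

    suffix = section.get("suffix", "").lower()
    for obj in OBJECTS:
        tree = section.get(f"{obj}_tree_dn", "").lower()
        if not tree.endswith(suffix):
            findings.append(f"{obj}_tree_dn {tree!r} lies outside suffix {suffix!r}")
        for op in OPERATIONS:
            # Keystone's default for these flags is True, so absent means writable.
            if section.get(f"{obj}_allow_{op}", "True").lower() != "false":
                findings.append(f"{obj}_allow_{op} must be False for a read-only integration")
    return findings


def ou_ldif(text):
    """LDIF for the OUs named by *_tree_dn, so directory and config cannot drift."""
    section = load(text)["ldap"]
    entries = []
    for obj in OBJECTS:
        dn = section[f"{obj}_tree_dn"]
        attr, value = dn.split(",", 1)[0].split("=", 1)
        entries.append(f"dn: {dn}\nobjectClass: organizationalUnit\n{attr}: {value}\n")
    return "\n".join(entries)


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or 'OK'}")
    print(ou_ldif(HARDENED_CONF))
```

Run it against your real /etc/keystone/keystone.conf by reading the file into audit(), and feed the ou_ldif() output to ldapadd (for example, ldapadd -x -H ldaps://... -D cn=Manager,dc=example,dc=org -W) before restarting Identity in step 5; the audit reports only on the settings this page covers, so it complements rather than replaces a review of the directory's own access controls.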
Additional LDAP integration settings. Set these options in the keystone.conf file.
- Filters
  Use filters to limit which directory entries Identity sees. A filter set here is ANDed with the object-class search for that object type, so only entries that also match the filter are returned; an empty value applies no filter. For example, to expose only the members of one group as users (memberof is an Active Directory attribute; on OpenLDAP it requires the memberof overlay):
    [ldap]
    user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
    tenant_filter =
    role_filter =
- LDAP account status
  Mask account status values for compatibility with directory services that store the enabled/disabled state as a bit in an integer attribute rather than as a boolean. user_enabled_attribute names that attribute; user_enabled_mask selects the bit(s) that mark a disabled account (the account is enabled when those bits are clear, and a mask of 0 means the attribute is a plain boolean); user_enabled_default is the value written for a new account when creation is allowed. Accounts that should not be visible to Identity at all are removed with user_filter instead. For example, to read Active Directory account status from userAccountControl, where bit 2 (ACCOUNTDISABLE) marks a disabled account and 512 (NORMAL_ACCOUNT) is an ordinary enabled account, set in the keystone.conf file:
    [ldap]
    user_enabled_attribute = userAccountControl
    user_enabled_mask = 2
    user_enabled_default = 512
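The two mechanisms above, masking account status and filtering accounts out with user_filter, as an added example that is not Keystone code and not from the OpenStack documentation: it applies the user_enabled_mask rule to constructed Active Directory entries (the mask semantics assumed are the ones described for the option, enabled when the masked bits are clear), and builds a user_filter that makes the directory itself drop disabled accounts using Active Directory's bitwise-AND matching rule. The flag values are Microsoft's published userAccountControl constants; the entries and the group DN are constructed for the example.

```python
"""Evaluate directory account status the way user_enabled_mask does, and build
a user_filter that excludes disabled Active Directory accounts outright.

Added example; not Keystone code. It assumes the mask semantics described for
user_enabled_mask (an account is enabled when the masked bits are clear) and
uses Microsoft's published userAccountControl flag values.
"""

# userAccountControl flag values (Microsoft-defined constants).
ACCOUNTDISABLE = 0x0002        # the page's user_enabled_mask = 2
NORMAL_ACCOUNT = 0x0200        # 512, the page's user_enabled_default
DONT_EXPIRE_PASSWORD = 0x10000

# The page's [ldap] account-status settings, as a dict for illustration.
AD_STATUS_CONFIG = {
    "user_enabled_attribute": "userAccountControl",
    "user_enabled_mask": ACCOUNTDISABLE,
    "user_enabled_default": NORMAL_ACCOUNT,
}

# Constructed directory entries (attribute values arrive from LDAP as strings).
SAMPLE_ENTRIES = [
    {"cn": "alice", "userAccountControl": "512"},    # normal account: enabled
    {"cn": "bob",   "userAccountControl": "514"},    # 512 | 2: disabled
    {"cn": "carol", "userAccountControl": "66048"},  # 65536 | 512: enabled
    {"cn": "dave",  "userAccountControl": "66050"},  # 65536 | 512 | 2: disabled
    {"cn": "erin"},                                  # attribute absent: default applies
]


def is_enabled(entry, cfg=AD_STATUS_CONFIG):
    """Apply user_enabled_mask to one entry; with mask 0 the attribute is a plain boolean."""
    raw = entry.get(cfg["user_enabled_attribute"], cfg["user_enabled_default"])
    mask = cfg["user_enabled_mask"]
    if mask == 0:
        return str(raw).upper() == "TRUE"
    # Enabled when none of the masked (disable) bits are set.
    return (int(raw) & mask) != mask


def enabled_users(entries, cfg=AD_STATUS_CONFIG):
    """Names of the entries Identity would report as enabled."""
    return [e["cn"] for e in entries if is_enabled(e, cfg)]


# LDAP_MATCHING_RULE_BIT_AND: Active Directory extensible-match rule that tests
# bits of an integer attribute, so the directory itself drops disabled accounts.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def ad_enabled_only_filter(base_filter=None):
    """user_filter value keeping only accounts whose ACCOUNTDISABLE bit is clear,
    ANDed with an existing filter (e.g. a group-membership test) when given."""
    clause = f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"
    return clause if base_filter is None else f"(&{base_filter}{clause})"


if __name__ == "__main__":
    print("enabled:", enabled_users(SAMPLE_ENTRIES))
    print("user_filter =", ad_enabled_only_filter(
        "(memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)"))
```

The two approaches differ in what Identity sees: with the mask alone, a disabled account is still listed by Identity with enabled set to false, whereas with the bitwise filter in user_filter the account never reaches Identity at all. Use the filter when disabled accounts should not be enumerable through the Identity API, and the mask when operators need to see them.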