Integrate Identity with LDAP

Separate role authorization and user authentication
Secure the OpenStack Identity service connection to an LDAP back end

Identity Service supports integration with an existing LDAP directory for authentication and authorization services.

Important

	Important
For OpenStack Identity to access an LDAP back end, you must enable the `authlogin_nsswitch_use_ldap` boolean value for SELinux on the Identity server. To enable and make the option persistent across reboots: # setsebool -P authlogin_nsswitch_use_ldap

For OpenStack Identity to access an LDAP back end, you must enable the authlogin_nsswitch_use_ldap boolean value for SELinux on the Identity server. To enable and make the option persistent across reboots:

# setsebool -P authlogin_nsswitch_use_ldap

	Note
	You can integrate Identity with a single LDAP server.

To configure Identity, set options in the /etc/keystone/keystone.conf file. Modify these examples as needed.

Procedure 2.1. To integrate Identity with LDAP

Enable the LDAP driver in the keystone.conf file:

[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity

Define the destination LDAP server in the keystone.conf file:

[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

Create the organizational units (OU) in the LDAP directory, and define their corresponding location in the keystone.conf file:

[ldap]
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole

Note

These schema attributes are extensible for compatibility with various schemas. For example, this entry maps to the person attribute in Active Directory:

user_objectclass = person

A read-only implementation is recommended for LDAP integration. These permissions are applied to object types in the keystone.conf file:

[ldap]
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

Restart the Identity service:
```
# service keystone restart
```
Warning
During service restart, authentication and authorization are unavailable.

	Warning
During service restart, authentication and authorization are unavailable.

Additional LDAP integration settings. Set these options in the keystone.conf file.

Filters

Use filters to control the scope of data presented through LDAP.

[ldap]
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =

LDAP Account Status

Mask account status values for compatibility with various directory services. Superfluous accounts are filtered with user_filter.

For example, you can mask Active Directory account status attributes in the keystone.conf file:

[ldap]
user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512

Questions? Discuss on ask.openstack.org
Found an error? Report a bug against this page

Legal notices