OpenStack ManualsOpenStack Cloud Administrator Guide  - current

  Atom feed of this document
  
 

 Integrate Identity with LDAP

Separate role authorization and user authentication
Secure the OpenStack Identity service connection to an LDAP back end

Identity Service supports integration with an existing LDAP directory for authentication and authorization services.

[Important]Important

For OpenStack Identity to access an LDAP back end, you must enable the authlogin_nsswitch_use_ldap boolean value for SELinux on the Identity server. To enable and make the option persistent across reboots:

# setsebool -P authlogin_nsswitch_use_ldap
[Note]Note

You can integrate Identity with a single LDAP server.

To configure Identity, set options in the /etc/keystone/keystone.conf file. Modify these examples as needed.

 

Procedure 2.1. To integrate Identity with LDAP

  1. Enable the LDAP driver in the keystone.conf file:

    Select Text
    1
    2
    3
    [identity]
    #driver = keystone.identity.backends.sql.Identity
    driver = keystone.identity.backends.ldap.Identity

  2. Define the destination LDAP server in the keystone.conf file:

    Select Text
    1
    2
    3
    4
    5
    6
    7
    [ldap]
    url = ldap://localhost
    user = dc=Manager,dc=example,dc=org
    password = samplepassword
    suffix = dc=example,dc=org
    use_dumb_member = False
    allow_subtree_delete = False

  3. Create the organizational units (OU) in the LDAP directory, and define their corresponding location in the keystone.conf file:

    Select Text
    1
    2
    3
    4
    5
    6
    7
    8
    9
    [ldap]
    user_tree_dn = ou=Users,dc=example,dc=org
    user_objectclass = inetOrgPerson
    tenant_tree_dn = ou=Groups,dc=example,dc=org
    tenant_objectclass = groupOfNames
    role_tree_dn = ou=Roles,dc=example,dc=org
    role_objectclass = organizationalRole
    [Note]Note

    These schema attributes are extensible for compatibility with various schemas. For example, this entry maps to the person attribute in Active Directory:

    Select Text
    1
    user_objectclass = person

  4. A read-only implementation is recommended for LDAP integration. These permissions are applied to object types in the keystone.conf file:

    Select Text
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    [ldap]
    user_allow_create = False
    user_allow_update = False
    user_allow_delete = False
    tenant_allow_create = False
    tenant_allow_update = False
    tenant_allow_delete = False
    role_allow_create = False
    role_allow_update = False
    role_allow_delete = False

  5. Restart the Identity service:

    # service keystone restart
    [Warning]Warning

    During service restart, authentication and authorization are unavailable.

Additional LDAP integration settings. Set these options in the keystone.conf file.

Filters

Use filters to control the scope of data presented through LDAP.

Select Text
1
2
3
4
[ldap]
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =
LDAP Account Status

Mask account status values for compatibility with various directory services. Superfluous accounts are filtered with user_filter.

For example, you can mask Active Directory account status attributes in the keystone.conf file:

Select Text
1
2
3
4
[ldap]
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
Questions? Discuss on ask.openstack.org
Found an error? Report a bug against this page
Legal notices