This is a plugin for OpenStack Keystone for integration with LDAP (both "RFC 2307"-compliant servers and Active Directory).
User accounts (including authentication) are retrieved from LDAP. Keystone cannot modify or delete any user account: all editing has to be performed at LDAP server side.
Tenants are still stored at Keystone (as distinct from OpenStack implementation that stores them in LDAP).
Issue:
# yum install -y keystone-ldap
Login as root to your system and configure it.
Edit /etc/keystone/keystone.conf.
Change identity.driver:
[identity] driver = keystone_ldap.core.Identity
Provide LDAP-specific information:
[ldap] # URL of the organization’s LDAP server to query for # user information and group membership from url = ldap://<ldap server> # username to bind to the LDAP server with. # For an anonymous connection, set to empty string user = <user name> # password for the user identified by ldap.user password = <user password> # root of the tree containing all user accounts user_tree_dn = dc=mycompany,dc=net # root of the tree containing all group records group_tree_dn = ou=groups,dc=mycompany,dc=net # object class to recognize user records, e.g., # person, organizationalPerson, or inetOrgPerson user_objectclass = organizationalPerson # attribute that will be used as user login name by # OpenStack and Focus user_name_attribute = sAMAccountName # attribute that will be used to build user's DN # like uid=admin,dc=mycompany,dc=net or # cn=admin,dc=mycompany,dc=net user_id_attribute = cn # name of systenant (its and only its users are # treated as Admins) systenant = systenant
For RFC 2307, you may set:
user_objectclass = organizationalPerson user_name_attribute = uid user_id_attribute = uid systenant = systenant
For Active Directory, you may omit group_tree_dn and set:
user_objectclass = organizationalPerson user_name_attribute = sAMAccountName user_id_attribute = cn systenant = systenant
Now run a simple script to reconfigure Altai. The script takes two options: admin-login-name and admin-login-password:
# keystone-ldap-configure admin secret
Run on keystone's host:
# curl localhost:35357/v2.0/users -H "x-auth-token: $(grep '^admin_token' /etc/keystone/keystone.conf | cut -d = -f 2)" | python -mjson.tool
You should see a list of users known by LDAP. The request is performed with admin_token stored in /etc/keystone/keystone.conf, so, you need not to provide a password.
Example:
{ "users": [ { "email": "altai_admin@test.altai", "enabled": true, "fullName": "Admin Admin", "id": "QWRtaW4gQWRtaW4=", "memberOf": [ "altai_administrators" ], "name": "altai_administrator" }, { "email": "altai_user1@test.altai", "enabled": false, "fullName": "First User", "id": "Rmlyc3QgVXNlcg==", "memberOf": [ "altai_test", "altai_ad_poc" ], "name": "altai_user1" }, { "email": "altai_user2@altai.test", "enabled": true, "fullName": "Second User", "id": "U2Vjb25kIFVzZXI=", "memberOf": [ "altai_test", "altai_ad_poc" ], "name": "altai_user2" }, { "enabled": true, "fullName": "sys user", "id": "c3lzIHVzZXI=", "memberOf": [ "altai_administrators" ], "name": "_system" } ] }
Ensure that DEFAULT.debug is True at /etc/keystone/keystone.conf and look at /var/log/keystone/keystone.log.