Keystone supports integration with an existing LDAP directory for authentication and authorization services. I have tested this schema with Ubuntu 14.04, CentOS 6.4 openLDAP with openstack icehouse and its successfully connected. Use the following steps to LDAP integration with openstack Keystone.
Install LDAP on Ubuntu or Centos
sudo apt-get install slapd ldap-utils
sudo dpkg-reconfigure slapd
set Domain Name to openstack.org Set organization to openstack
ldapsearch -x -W -D”cn=admin,dc=openstack,dc=org” -b dc=openstack,dc=org }}
create openstack.ldif file and update the following openstack schema.
vi openstack.ldif
# extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # example.com dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: example Inc dc: example # admin, example.com dn: cn=admin,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator # Users, example.com dn: ou=Users,dc=example,dc=com ou: users objectClass: organizationalUnit # Roles, example.com dn: ou=Roles,dc=example,dc=com ou: roles objectClass: organizationalUnit # Tenants, example.com dn: ou=Tenants,dc=example,dc=com ou: tenants objectClass: organizationalUnit # demo, Users, example.com dn: cn=demo,ou=Users,dc=example,dc=com cn: demo displayName: demo givenName: demo mail: [email protected] objectClass: inetOrgPerson objectClass: top sn: demo uid: demo # admin, Tenants, example.com dn: cn=admin,ou=Tenants,dc=example,dc=com objectClass: groupOfNames description: Openstack admin Tenant member: cn=admin,ou=Users,dc=example,dc=com ou: admin cn: admin # admin, Users, example.com dn: cn=admin,ou=Users,dc=example,dc=com objectClass: person objectClass: inetOrgPerson sn: admin cn: admin # admin, Roles, example.com dn: cn=admin,ou=Roles,dc=example,dc=com objectClass: organizationalRole ou: admin cn: admin # _member_, admin, Tenants, example.com dn: cn=_member_,cn=admin,ou=Tenants,dc=example,dc=com objectClass: organizationalRole roleOccupant: cn=admin,ou=Users,dc=example,dc=com roleOccupant: cn=gopal,ou=Users,dc=example,dc=com cn: _member_ # _member_, Roles, example.com dn: cn=_member_,ou=Roles,dc=example,dc=com objectClass: organizationalRole ou: _member_ cn: _member_ # demo, Tenants, example.com dn: cn=demo,ou=Tenants,dc=example,dc=com objectClass: groupOfNames cn: demo member: cn=demo,ou=Users,dc=example,dc=com description: Openstack demo Tenant ou: demo # admin, demo, Tenants, example.com dn: cn=admin,cn=demo,ou=Tenants,dc=example,dc=com objectClass: organizationalRole roleOccupant: cn=demo,ou=Users,dc=example,dc=com cn: admin # admin, admin, Tenants, example.com dn: cn=admin,cn=admin,ou=Tenants,dc=example,dc=com objectClass: organizationalRole roleOccupant: cn=admin,ou=Users,dc=example,dc=com roleOccupant: cn=amal,ou=Users,dc=example,dc=com cn: admin # nova, Users, example.com dn: cn=nova,ou=Users,dc=example,dc=com objectClass: person objectClass: inetOrgPerson sn: nova cn: nova # service, Tenants, example.com dn: cn=service,ou=Tenants,dc=example,dc=com objectClass: groupOfNames ou: service description: Openstack service Tenant cn: service member: cn=cinder,ou=Users,dc=example,dc=com member: cn=nova,ou=Users,dc=example,dc=com # cinder, Users, example.com dn: cn=cinder,ou=Users,dc=example,dc=com objectClass: person objectClass: inetOrgPerson sn: cinder cn: cinder # admin, service, Tenants, example.com dn: cn=admin,cn=service,ou=Tenants,dc=example,dc=com objectClass: organizationalRole roleOccupant: cn=nova,ou=Users,dc=example,dc=com roleOccupant: cn=cinder,ou=Users,dc=example,dc=com cn: admin # gopal, Users, example.com dn: cn=gopal,ou=Users,dc=example,dc=com objectClass: person objectClass: inetOrgPerson cn: gopal sn: gopal # search result search: 2 result: 0 Success # numResponses: 21 # numEntries: 20
Add openstack.ldif ldap schema
ldapadd -x -W -D”cn=admin,dc=example,dc=com” -f openstack.ldif
Thats all!!!
Update nova, cinder, admin, demo user account passwords via LDAP client according to nova.conf cinder.conf password settings.
Once successfully added, login your openstack keystone server.
For OpenStack Identity to access an LDAP back end, you must enable the authlogin_nsswitch_use_ldap boolean value for SELinux on the Identity server.
# setsebool -P authlogin_nsswitch_use_ldap
Enable the LDAP driver in the keystone.conf file and update the following settings
admin_workers = 2
max_token_size = 16384
debug = True
admin_bind_host = 192.168.1.183
member_role_name = _member_
member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment
LDAP integration with openstack Keystone, Define the destination LDAP server in the keystone.conf file:
[ldap]
url = ldap://192.168.1.183
user = cn=admin,dc=example,dc=com
password = secret
suffix = cn=example,cn=com
use_dumb_member = False
tree_dn = dc=example,dc=com
user_tree_dn = ou=Users,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = cn
role_tree_dn = ou=Roles,dc=example,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_member_attribute = roleOccupant
tenant_tree_dn = ou=Tenants,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
user_allow_create = True
user_allow_update = True
user_allow_delete = True
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
role_allow_create = True
role_allow_update = True
role_allow_delete = True
service keystone restart
You are almost done!! Try to login your openstack and if you are received authorized error, please use the following steps.
Solution1:
You are not authorized for any projects
Update admin user account for project authorization and role.
use keystonerc admin credential to update via command line
example:
vi keystonerc_admin
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://192.168.1.183:5000/v2.0/
export PS1='[\u@\h \W(keystone_admin)]\$ ‘
export SERVICE_ENDPOINT=http://192.168.1.183:35357/v2.0/
export SERVICE_TOKEN=048f27d46b4f4eddb057f5f8b529d599
#./keystonerc_admin
Authorize your default users for projects.
[root@ldappack ~]#keystone user-role-add –user=admin –role=admin –tenant=admin [root@ldappack ~]# keystone user-role-add –user=nova –role=admin –tenant=services[root@ldappack ~]# keystone user-role-add –user=neutron –role=admin –tenant=services
[root@ldappack ~]# keystone user-role-add –user=swift –role=admin –tenant=services
[root@ldappack ~]# keystone user-role-add –user=cinder –role=admin –tenant=services
[root@ldappack ~]# keystone user-role-add –user=glance –role=admin –tenant=services
[root@ldappack ~]# keystone user-role-add –user=ceilometer –role=admin –tenant=services
login your openstack with admin credential.
Solution2:
Check your ldap write permission if you have any permission issue while modify.
/etc/ldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
olcAccess: {3}to * by dn=”cn=admin,dc=example,dc=com” write by * write
Related Posts:
