Keystone supports integration with an existing LDAP directory for authentication and authorization. I have tested this schema with OpenLDAP on Ubuntu 14.04 and CentOS 6.4 against OpenStack Icehouse, and it connected successfully. Use the following steps to integrate OpenStack Keystone with LDAP.
Install LDAP on Ubuntu or CentOS
On Ubuntu:
sudo apt-get install slapd ldap-utils
sudo dpkg-reconfigure slapd
On CentOS the packages are openldap-servers and openldap-clients (installed with yum); there is no dpkg-reconfigure step, so the suffix, root DN and root password (olcSuffix, olcRootDN, olcRootPW) are set on the database entry in the slapd cn=config tree instead.
When dpkg-reconfigure asks for the DNS domain name, enter example.com and set the organization to example. That gives the base DN dc=example,dc=com, which is the suffix used by openstack.ldif and keystone.conf below. If you use a different domain, such as openstack.org, replace every dc=example,dc=com in the LDIF and in keystone.conf with the matching base DN, otherwise ldapadd fails because the entries fall outside the database suffix.
Check that the directory answers and that the admin bind works:
ldapsearch -x -W -D "cn=admin,dc=example,dc=com" -b dc=example,dc=com
Create openstack.ldif with the entries below. The listing was captured with ldapsearch, so it starts with the base entry and cn=admin, which dpkg-reconfigure has already created; ldapadd reports "Already exists" for those two, which is harmless if you run it with -c (continue on errors) or delete the two entries from the file first. The remaining entries give Keystone three subtrees: ou=Users for accounts, ou=Tenants for projects (groupOfNames entries with one member per user) and ou=Roles, plus organizationalRole entries under each tenant whose roleOccupant values assign users to that role inside that tenant.
vi openstack.ldif
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example Inc
dc: example

# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# Users, example.com
dn: ou=Users,dc=example,dc=com
ou: users
objectClass: organizationalUnit

# Roles, example.com
dn: ou=Roles,dc=example,dc=com
ou: roles
objectClass: organizationalUnit

# Tenants, example.com
dn: ou=Tenants,dc=example,dc=com
ou: tenants
objectClass: organizationalUnit

# demo, Users, example.com
dn: cn=demo,ou=Users,dc=example,dc=com
cn: demo
displayName: demo
givenName: demo
mail: demo@example.com
objectClass: inetOrgPerson
objectClass: top
sn: demo
uid: demo

# admin, Tenants, example.com
dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
description: Openstack admin Tenant
member: cn=admin,ou=Users,dc=example,dc=com
ou: admin
cn: admin

# admin, Users, example.com
dn: cn=admin,ou=Users,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
sn: admin
cn: admin

# admin, Roles, example.com
dn: cn=admin,ou=Roles,dc=example,dc=com
objectClass: organizationalRole
ou: admin
cn: admin

# _member_, admin, Tenants, example.com
dn: cn=_member_,cn=admin,ou=Tenants,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: cn=admin,ou=Users,dc=example,dc=com
roleOccupant: cn=gopal,ou=Users,dc=example,dc=com
cn: _member_

# _member_, Roles, example.com
dn: cn=_member_,ou=Roles,dc=example,dc=com
objectClass: organizationalRole
ou: _member_
cn: _member_

# demo, Tenants, example.com
dn: cn=demo,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
cn: demo
member: cn=demo,ou=Users,dc=example,dc=com
description: Openstack demo Tenant
ou: demo

# admin, demo, Tenants, example.com
dn: cn=admin,cn=demo,ou=Tenants,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: cn=demo,ou=Users,dc=example,dc=com
cn: admin

# admin, admin, Tenants, example.com
dn: cn=admin,cn=admin,ou=Tenants,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: cn=admin,ou=Users,dc=example,dc=com
roleOccupant: cn=amal,ou=Users,dc=example,dc=com
cn: admin

# nova, Users, example.com
dn: cn=nova,ou=Users,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
sn: nova
cn: nova

# service, Tenants, example.com
dn: cn=service,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
ou: service
description: Openstack service Tenant
cn: service
member: cn=cinder,ou=Users,dc=example,dc=com
member: cn=nova,ou=Users,dc=example,dc=com

# cinder, Users, example.com
dn: cn=cinder,ou=Users,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
sn: cinder
cn: cinder

# admin, service, Tenants, example.com
dn: cn=admin,cn=service,ou=Tenants,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: cn=nova,ou=Users,dc=example,dc=com
roleOccupant: cn=cinder,ou=Users,dc=example,dc=com
cn: admin

# gopal, Users, example.com
dn: cn=gopal,ou=Users,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: gopal
sn: gopal
Load openstack.ldif into the directory (it contains entries, not schema, so no schema changes are needed):
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f openstack.ldif
That's all for the directory structure.
The user entries above carry no userPassword, so set passwords for the nova, cinder, admin and demo accounts with an LDAP client (ldappasswd, bound as cn=admin) and make sure they match the passwords configured in nova.conf, cinder.conf and your admin credentials; a mismatch here does not show up as an LDAP error but as authentication failures from the services later.
Once the entries are added, log in to your OpenStack Keystone server.
On CentOS (or any host running SELinux in enforcing mode), OpenStack Identity can only reach an LDAP back end if the authlogin_nsswitch_use_ldap boolean is enabled on the Identity server; -P makes the change persist across reboots:
# setsebool -P authlogin_nsswitch_use_ldap on
Enable the LDAP identity driver in /etc/keystone/keystone.conf and update the following settings. The first group belongs in the [DEFAULT] section:
[DEFAULT]
admin_workers = 2
max_token_size = 16384
debug = True
admin_bind_host = 192.168.1.183
member_role_name = _member_
member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment
Note what this split means: with the identity driver on LDAP and the assignment driver left on SQL, Keystone reads users from the directory but keeps projects, roles and role assignments in its own SQL database. The ou=Roles and ou=Tenants subtrees from openstack.ldif are then not consulted at all, and role assignments have to be created with the keystone CLI (this is what Solution 1 below does). To have Keystone use those subtrees instead, set driver = keystone.assignment.backends.ldap.Assignment. debug = True makes the logs very verbose; turn it off once the integration works.
Define the destination LDAP server in the [ldap] section of keystone.conf. suffix must be the directory's base DN exactly as it appears in the LDIF (dc=, not cn=), and the three *_tree_dn values must point at the OUs created above:
[ldap]
url = ldap://192.168.1.183
user = cn=admin,dc=example,dc=com
password = secret
suffix = dc=example,dc=com
use_dumb_member = False
tree_dn = dc=example,dc=com
user_tree_dn = ou=Users,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = cn
role_tree_dn = ou=Roles,dc=example,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_member_attribute = roleOccupant
tenant_tree_dn = ou=Tenants,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
user_allow_create = True
user_allow_update = True
user_allow_delete = True
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
role_allow_create = True
role_allow_update = True
role_allow_delete = True
Two things to tighten before this goes anywhere near production. url = ldap:// sends the bind password and every user lookup in cleartext, so use ldaps:// or set use_tls = True with tls_cacertfile pointing at the CA certificate that signed the directory's certificate. The nine *_allow_create/update/delete = True settings, combined with binding as the directory administrator, let Keystone rewrite the whole tree; if Keystone only needs to authenticate existing users, bind with a read-only account and set all of them to False. keystone.conf now holds the bind password in plain text, so keep it readable only by root and the keystone user.
service keystone restart
(On CentOS the service is named openstack-keystone.)
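Before restarting, it is worth checking that the LDIF and the [ldap] section actually agree, because a wrong suffix or a roleOccupant that points at a non-existent user only surfaces later as a Keystone error. The script below is an added example, not code from the post or from Keystone: it parses the [ldap] section of a keystone.conf and an LDIF export with a small parser of its own, then reports a suffix that differs from tree_dn, *_tree_dn values with no entry, children listed before their parent (which makes ldapadd fail) and member/roleOccupant values that do not resolve to a user entry. The sample inputs are constructed: a trimmed copy of the openstack.ldif tree and the [ldap] keys from this page, with the cn=example,cn=com suffix typo kept so the check has something to find.

```python
"""Pre-flight check: does the LDIF tree match keystone.conf's [ldap] section?
Added example, not part of the original post or of Keystone itself."""
import configparser

# Constructed sample: a trimmed copy of the openstack.ldif tree from the page.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: example Inc
dc: example

dn: ou=Users,dc=example,dc=com
ou: users
objectClass: organizationalUnit

dn: ou=Roles,dc=example,dc=com
ou: roles
objectClass: organizationalUnit

dn: ou=Tenants,dc=example,dc=com
ou: tenants
objectClass: organizationalUnit

dn: cn=admin,ou=Users,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
sn: admin
cn: admin

dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,ou=Users,dc=example,dc=com
cn: admin

dn: cn=admin,cn=admin,ou=Tenants,dc=example,dc=com
objectClass: organizationalRole
roleOccupant: cn=admin,ou=Users,dc=example,dc=com
roleOccupant: cn=amal,ou=Users,dc=example,dc=com
cn: admin
"""

# Constructed sample: the [ldap] keys this check uses, as printed on the page
# (suffix typo included; connection settings left out).
PAGE_CONF = """\
[ldap]
suffix = cn=example,cn=com
tree_dn = dc=example,dc=com
user_tree_dn = ou=Users,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = cn
role_tree_dn = ou=Roles,dc=example,dc=com
role_member_attribute = roleOccupant
tenant_tree_dn = ou=Tenants,dc=example,dc=com
"""


def norm_dn(dn):
    """Canonical DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order. Handles comments and
    folded lines; base64 values ('attr:: ...') are skipped, none occur here."""
    entries, record = [], []
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and record:
            record[-1] += line[1:]          # LDIF folding: continues the previous line
        elif line.strip():
            record.append(line)
        elif record:                        # blank line ends a record
            dn, attrs = None, {}
            for item in record:
                name, sep, value = item.partition(":")
                if not sep or value.startswith(":"):
                    continue
                name, value = name.strip().lower(), value.strip()
                if name == "dn":
                    dn = value
                else:
                    attrs.setdefault(name, []).append(value)
            if dn is not None:
                entries.append((dn, attrs))
            record = []
    return entries


def parse_ldap_section(text):
    """Read the [ldap] section of a keystone.conf; keys come back lower-cased."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["ldap"])


def check(conf, entries):
    """Return a list of problems; an empty list means LDIF and config agree."""
    problems = []
    by_dn = {norm_dn(dn): attrs for dn, attrs in entries}
    if norm_dn(conf["suffix"]) != norm_dn(conf["tree_dn"]):
        problems.append(f"suffix {conf['suffix']} does not match tree_dn {conf['tree_dn']}")
    for key in ("user_tree_dn", "role_tree_dn", "tenant_tree_dn"):
        if norm_dn(conf[key]) not in by_dn:
            problems.append(f"{key} = {conf[key]} has no entry in the LDIF")
    # ldapadd adds records in file order, so a child listed before its parent fails.
    seen = set()
    for dn, _ in entries:
        parent = norm_dn(dn).partition(",")[2]   # assumes no escaped commas (true here)
        if parent in by_dn and parent not in seen:
            problems.append(f"{dn} is listed before its parent {parent}")
        seen.add(norm_dn(dn))
    # Users are the user_objectclass entries under user_tree_dn; each needs the id attribute.
    user_base, user_oc = norm_dn(conf["user_tree_dn"]), conf["user_objectclass"].lower()
    id_attr, users = conf["user_id_attribute"].lower(), set()
    for dn, attrs in entries:
        n = norm_dn(dn)
        if n.endswith("," + user_base) and user_oc in [v.lower() for v in attrs.get("objectclass", [])]:
            if id_attr not in attrs:
                problems.append(f"{dn} has no {id_attr} attribute (user_id_attribute)")
            users.add(n)
    # Every tenant member and role occupant must resolve to one of those users.
    member_attrs = (conf.get("tenant_member_attribute", "member").lower(),
                    conf.get("role_member_attribute", "roleOccupant").lower())
    for dn, attrs in entries:
        for attr in member_attrs:
            for target in attrs.get(attr, []):
                if norm_dn(target) not in users:
                    problems.append(f"{dn}: {attr} {target} is not an existing "
                                    f"{conf['user_objectclass']} under {conf['user_tree_dn']}")
    return problems


if __name__ == "__main__":
    for problem in check(parse_ldap_section(PAGE_CONF), parse_ldif(SAMPLE_LDIF)):
        print("PROBLEM:", problem)
```

Run against your real files by reading them in place of the two samples; with the page's settings it reports the bad suffix and the dangling cn=amal occupant, and with suffix corrected only the latter remains. The member check is the one that matters when the assignment driver is LDAP, since Keystone resolves tenant membership and roles through exactly those attributes.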
You are almost done. Try to log in to OpenStack; if you get an authorization error, use the following steps.
Solution 1:
Error: You are not authorized for any projects
The admin user now comes from LDAP but has no role on any project in Keystone's SQL assignment backend, so update the admin account's project authorization and role.
Use a keystonerc_admin file with the admin credentials for the command line, for example:
vi keystonerc_admin
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://192.168.1.183:5000/v2.0/
export PS1='[\u@\h \W(keystone_admin)]\$ '
export SERVICE_ENDPOINT=http://192.168.1.183:35357/v2.0/
export SERVICE_TOKEN=048f27d46b4f4eddb057f5f8b529d599
source keystonerc_admin
SERVICE_TOKEN is the admin_token from keystone.conf. While it is set the keystone client uses it instead of the username and password, and it bypasses authentication entirely, so keep this file readable only by you (chmod 600) and unset SERVICE_TOKEN and SERVICE_ENDPOINT once the admin user has its role.
Authorize your default users for projects:
[root@ldappack ~]# keystone user-role-add --user=admin --role=admin --tenant=admin
[root@ldappack ~]# keystone user-role-add --user=nova --role=admin --tenant=services
[root@ldappack ~]# keystone user-role-add --user=neutron --role=admin --tenant=services
[root@ldappack ~]# keystone user-role-add --user=swift --role=admin --tenant=services
[root@ldappack ~]# keystone user-role-add --user=cinder --role=admin --tenant=services
[root@ldappack ~]# keystone user-role-add --user=glance --role=admin --tenant=services
[root@ldappack ~]# keystone user-role-add --user=ceilometer --role=admin --tenant=services
Each --user must exist as an inetOrgPerson under ou=Users in LDAP; openstack.ldif only defines admin, demo, nova, cinder and gopal, so add neutron, swift, glance and ceilometer there first or the command fails because the user cannot be found. Likewise --tenant and --role must name a project and role that exist in the assignment backend (the SQL database here, where the service project is commonly called services rather than the service tenant from the LDIF).
Log in to OpenStack with the admin credentials.
Solution 2:
If Keystone gets permission errors when it creates or modifies entries, check the access control on the directory database. The olcAccess rules live in the database entry under /etc/ldap/slapd.d/cn=config/ (olcDatabase={2}hdb.ldif in this setup), and the rule for Keystone's bind DN should grant write to that DN only:
olcAccess: {3}to * by dn="cn=admin,dc=example,dc=com" write by * read
Do not end the rule with by * write: slapd applies the first by clause that matches the requester, and * matches everyone, anonymous binds included, so by * write lets anyone who can reach port 389 rewrite the whole tree. Prefer changing cn=config with ldapmodify (-Y EXTERNAL -H ldapi:///) over editing the .ldif file under slapd.d by hand; if you do edit the file, restart slapd afterwards.
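To see why the by clause order matters, the following added example (not code from the post or from OpenLDAP) evaluates an olcAccess directive the way slapd does for a given requester: the first by clause that matches decides, a directive with no matching clause denies (slapd's implicit by * none), and levels are cumulative in the order none < disclose < auth < compare < search < read < write < manage. It handles only the subject forms that matter here (dn="...", self, anonymous, users, *) and treats dn="..." as an exact match; regex and scope styles are outside what it models. The two rules it audits are the one from this page and its corrected form, both embedded as constructed samples.

```python
"""Who gets what from an olcAccess directive. Added example, not from the post."""
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed samples: the rule as printed on the page and the corrected one.
PAGE_RULE = 'olcAccess: {3}to * by dn="cn=admin,dc=example,dc=com" write by * write'
FIXED_RULE = 'olcAccess: {3}to * by dn="cn=admin,dc=example,dc=com" write by * read'


def norm_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_olc_access(directive):
    """Split 'olcAccess: {n}to <what> by <who> <level> ...' into (what, [(who, level)])."""
    body = directive.split(":", 1)[1] if directive.startswith("olcAccess") else directive
    tokens = shlex.split(re.sub(r"^\s*\{\d+\}", "", body))   # shlex keeps dn="a,b" as one token
    if not tokens or tokens[0] != "to" or "by" not in tokens:
        raise ValueError("expected: to <what> by <who> <level> ...")
    first_by = tokens.index("by")
    what, rest, clauses = " ".join(tokens[1:first_by]), tokens[first_by:], []
    while rest:
        if len(rest) < 3 or rest[0] != "by" or rest[2] not in LEVELS:
            raise ValueError(f"bad clause near {' '.join(rest[:3])!r}")
        clauses.append((rest[1], rest[2]))
        rest = rest[3:]
    return what, clauses


def access_for(clauses, bind_dn=None, target_dn=None):
    """Level granted to bind_dn (None = anonymous bind) by the first matching clause.
    No match means 'none': slapd ends every directive with an implicit 'by * none'."""
    for who, level in clauses:
        if who == "*":
            return level
        if who == "anonymous" and bind_dn is None:
            return level
        if who == "users" and bind_dn is not None:
            return level
        if who == "self" and bind_dn and target_dn and norm_dn(bind_dn) == norm_dn(target_dn):
            return level
        if who.startswith(("dn=", "dn.exact=")) and bind_dn is not None:
            if norm_dn(who.split("=", 1)[1]) == norm_dn(bind_dn):   # modelled as exact match
                return level
    return "none"


def allows(clauses, needed, bind_dn=None, target_dn=None):
    """True if the granted level covers `needed` (levels are cumulative)."""
    return LEVELS.index(access_for(clauses, bind_dn, target_dn)) >= LEVELS.index(needed)


def audit(directive):
    """Summarise a directive for the three requesters that matter on this page."""
    what, clauses = parse_olc_access(directive)
    demo, admin = "cn=demo,ou=Users,dc=example,dc=com", "cn=admin,dc=example,dc=com"
    return {"what": what,
            "anonymous": access_for(clauses),
            demo: access_for(clauses, demo),
            admin: access_for(clauses, admin)}


if __name__ == "__main__":
    for label, rule in (("page", PAGE_RULE), ("fixed", FIXED_RULE)):
        print(label, audit(rule))
```

With the page's rule the anonymous requester is granted write, exactly what Keystone's bind account gets; with the corrected rule it is read, and only cn=admin keeps write. The same evaluator shows why the usual userPassword rule (by self write by anonymous auth by * none) lets a user change their own password and lets anonymous clients bind, but nothing more.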