Cleanup LDAP integration guide

This commit fixes a grammar issue in the LDAP integration guide
and it adds prompts to the command-line examples to be more
explicit about where or how commands are being run.

Change-Id: Ic6a5adfbcf2841656929e6c3875889a31d314089
Lance Bragstad 2019-01-04 15:21:43 +00:00
parent 9689083d74
commit 8e802da406


@ -12,14 +12,14 @@ Introduction
LDAP support in keystone is read-only. You can use it to back an entire LDAP support in keystone is read-only. You can use it to back an entire
OpenStack deployment to a single LDAP server, or you can use it to back OpenStack deployment to a single LDAP server, or you can use it to back
separate LDAP servers to specific keystone domains. Users within those domains separate LDAP servers to specific keystone domains. Users within those domains
will can authenticate against keystone, assume role assignments, and interact can authenticate against keystone, assume role assignments, and interact with
with other OpenStack services. other OpenStack services.
Configuration Configuration
============= =============
To deploy an OpenLDAP server, make sure ``ldap`` is added to the list of To deploy an OpenLDAP server, make sure ``ldap`` is added to the list of
``ENABLED_SERVICES``:: ``ENABLED_SERVICES`` in the ``local.conf`` file::
enable_service ldap enable_service ldap
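Review bot: The opening sentence of this hunk states that the keystone LDAP integration is read-only, but the guide never connects that to the fact that every user and group operation later in the document (``ldapadd``, ``ldapdelete``) is performed directly against OpenLDAP as ``cn=Manager`` rather than through keystone or the OpenStack CLI. Consider adding one sentence after "LDAP support in keystone is read-only." along the lines of "Users and groups must therefore be created and removed in the LDAP server itself; keystone only reads them." so readers understand why the rest of the guide bypasses keystone for identity changes.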
@ -35,9 +35,9 @@ Devstack will prompt you for a password when running ``stack.sh`` if
At this point, devstack should have everything it needs to deploy OpenLDAP, At this point, devstack should have everything it needs to deploy OpenLDAP,
bootstrap it with a minimal set of users, and configure it to back to a domain bootstrap it with a minimal set of users, and configure it to back to a domain
in keystone:: in keystone. You can do this by running the ``stack.sh`` script::
./stack.sh $ ./stack.sh
Once ``stack.sh`` completes, you should have a running keystone deployment with Once ``stack.sh`` completes, you should have a running keystone deployment with
a basic set of users. It is important to note that not all users will live a basic set of users. It is important to note that not all users will live
@ -63,7 +63,7 @@ Listing Users
To list all users in LDAP directly, you can use ``ldapsearch`` with the LDAP To list all users in LDAP directly, you can use ``ldapsearch`` with the LDAP
user bootstrapped by devstack:: user bootstrapped by devstack::
ldapsearch -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \ $ ldapsearch -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
-H ldap://localhost -b dc=openstack,dc=org -H ldap://localhost -b dc=openstack,dc=org
As you can see, devstack creates an OpenStack domain called ``openstack.org`` As you can see, devstack creates an OpenStack domain called ``openstack.org``
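Review bot: The ``ldapsearch`` example passes the bind password with ``-w LDAP_PASSWORD``, which puts the real password into shell history and makes it visible in the process list to other users on the host; now that the examples carry a ``$`` prompt to show they are typed interactively, ``-W`` (prompt for the password) would be the safer form for every ``ldapsearch``, ``ldapadd`` and ``ldapdelete`` invocation in this guide. At minimum, the text should say that ``LDAP_PASSWORD`` is a placeholder for the password devstack asked for while running ``stack.sh`` (mentioned in this hunk's header line), since a reader copying the command verbatim will otherwise get a bind failure.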
@ -93,7 +93,7 @@ example LDIF that can be used to create a new LDAP user, let's call it
Now, we use the ``Manager`` user to create a user for Peter in LDAP:: Now, we use the ``Manager`` user to create a user for Peter in LDAP::
ldapadd -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \ $ ldapadd -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
-H ldap://localhost -c -f peter.ldif.in -H ldap://localhost -c -f peter.ldif.in
We should be able to assign Peter roles on projects. After Peter has some level We should be able to assign Peter roles on projects. After Peter has some level
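Review bot: The ``ldapadd`` command uses ``-c`` (continuous mode), which tells the tool to report an error for an entry and keep going instead of stopping; for a single-entry LDIF such as ``peter.ldif.in`` that only means a failure (for example an entry that already exists) is easy to scroll past before the guide moves on to role assignment. Either drop ``-c`` here so a failed add stops the command, or add a sentence telling readers to check the ``ldapadd`` output for an error before continuing.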
@ -125,7 +125,7 @@ Deleting Users
We can use the same basic steps to remove users from LDAP, but instead of using We can use the same basic steps to remove users from LDAP, but instead of using
LDIFs, we can just pass the ``dn`` of the user we want to delete:: LDIFs, we can just pass the ``dn`` of the user we want to delete::
ldapdelete -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \ $ ldapdelete -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
-H ldap://localhost cn=peter,ou=Users,dc=openstack,dc=org -H ldap://localhost cn=peter,ou=Users,dc=openstack,dc=org
Group Management Group Management
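Review bot: The deletion step removes Peter's entry from LDAP but says nothing about the roles the previous section had the reader assign to him on projects. Those role assignments are stored by keystone, not in LDAP (the integration is read-only), so removing the LDAP entry leaves them behind as stale assignments that still reference the deleted user. Consider adding a sentence recommending that the user's role assignments be removed in keystone before (or after) the ``ldapdelete``, so the cleanup is complete.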
@ -153,7 +153,7 @@ Let's define a specific group with the following LDIF::
We can create the group using the same ``ldapadd`` command as we did with We can create the group using the same ``ldapadd`` command as we did with
users:: users::
ldapadd -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \ $ ldapadd -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
-H ldap://localhost -c -f guardian-group.ldif.in -H ldap://localhost -c -f guardian-group.ldif.in
If we check the group membership in Horizon, we'll see that only Peter is a If we check the group membership in Horizon, we'll see that only Peter is a
@ -167,7 +167,7 @@ Deleting Groups
Just like users, groups can be deleted using the ``dn``:: Just like users, groups can be deleted using the ``dn``::
ldapdelete -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \ $ ldapdelete -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
-H ldap://localhost cn=guardians,ou=UserGroups,dc=openstack,dc=org -H ldap://localhost cn=guardians,ou=UserGroups,dc=openstack,dc=org
Note that this operation will not remove users within that group. It will only Note that this operation will not remove users within that group. It will only
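Review bot: The closing note correctly says deleting the group does not remove its member users, but it should also state the effect on authorization: any roles that were granted to the ``guardians`` group in keystone stop applying to its former members once keystone can no longer resolve the group's membership, while the group role assignment itself remains in keystone until it is removed there. One extra sentence after "It will only ..." would make the consequence of the ``ldapdelete`` clear to readers managing access through groups.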