Separate role authorization and user authentication
- When you configure the Identity service to use an LDAP back
- end, you can split authentication and authorization using the
+ When you configure the Identity service to use LDAP back
+ ends, you can split authentication and authorization using the
Assignments feature.The Assignments feature enables administrators to manage
- project role authorization using the Identity service's own SQL
+ project role authorization using the Identity service SQL
database, while still providing user authentication through the
LDAP directory.To configure this:Separating role authorization and user authentication
through Assignments
+ Modify the /etc/keystone/keystone.conf
+ configuration file for a single LDAP server, or
+ etc/domains/keystone.DOMAIN_NAME.conf
+ files for multiple LDAP back ends, performing the following actions:Configure the Identity service to authenticate users
- through the LDAP driver. To do so, first find the
- [identity] section in the
- /etc/keystone/keystone.conf configuration
- file. Then, set the driver configuration
- key in that section to
+ through the LDAP driver. In the [identity] section, set
+ the driver configuration key to
keystone.identity.backends.ldap.Identity:
[identity]
driver = keystone.identity.backends.ldap.Identity
- Next, enable the Assignment driver. To do so, find the
- [assignment] section in the
- /etc/keystone/keystone.conf configuration
- file. Then, set the driver configuration key in
- that section to
- keystone.assignment.backends.sql.Assignment:
+ Enable the Assignment driver. In the
+ [assignment] section, set the driver
+ configuration key to keystone.assignment.backends.sql.Assignment:
[assignment]
driver = keystone.assignment.backends.sql.Assignment
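Review bot: the new path on the fourth added line, `etc/domains/keystone.DOMAIN_NAME.conf`, is relative and does not match the absolute `/etc/keystone/domains/keystone.DOMAIN_NAME.conf` used for the same file everywhere else in this patch; please make it `/etc/keystone/domains/keystone.DOMAIN_NAME.conf` so readers do not create the file in the wrong place. Also, the lead-in sentence "Modify the ... file for a single LDAP server, or ... files for multiple LDAP back ends, performing the following actions:" is hard to parse; splitting it into "Modify the configuration file (... for a single LDAP server, or ... for multiple LDAP back ends) and perform the following actions:" would read more clearly.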
@@ -42,10 +40,21 @@ driver = keystone.assignment.backends.sql.Assignment
On
distributions that include
openstack-config, you can
- configure both drivers by running the following commands instead:
-
+ configure both drivers by running the following commands.
+
+
+ For a single LDAP server:#openstack-config --set /etc/keystone/keystone.conf \
identity driver keystone.identity.backends.ldap.Identity#openstack-config --set /etc/keystone/keystone.conf \
assignment driver keystone.assignment.backends.sql.Assignment
+
+
+ For multiple LDAP back ends:
+#openstack-config --set /etc/keystone/keystone.conf \
+ identity driver keystone.identity.backends.ldap.Identity
+ #openstack-config --set etc/domains/keystone.DOMAIN_NAME.conf \
+ assignment driver keystone.assignment.backends.sql.Assignment
+
+
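Review bot: same relative-path problem in the multiple-back-end command: `openstack-config --set etc/domains/keystone.DOMAIN_NAME.conf \` should use `/etc/keystone/domains/keystone.DOMAIN_NAME.conf`, otherwise the command writes a file relative to the current directory and the setting silently never takes effect. The hunk also adds two pairs of empty `+` lines at the end; please drop the trailing blank lines to keep the XML source tidy.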
diff --git a/doc/common/section_keystone_config_ldap.xml b/doc/common/section_keystone_config_ldap.xml
index 84702294f3..b4858192c6 100644
--- a/doc/common/section_keystone_config_ldap.xml
+++ b/doc/common/section_keystone_config_ldap.xml
@@ -5,11 +5,11 @@
version="5.0"
xml:id="configuring-keystone-for-ldap-backend">
Integrate Identity with LDAP
- Identity Service supports integration with an existing LDAP
- directory for authentication and authorization
+ Identity Service supports integration with existing LDAP
+ directories for authentication and authorization
services.
- For OpenStack Identity to access an LDAP back end, you must
+ For OpenStack Identity to access LDAP servers, you must
enable the boolean
value for SELinux on the Identity server. To enable and
make the option persistent across reboots:
@@ -17,23 +17,20 @@
You can integrate Identity with a single LDAP
- server.
+ server, or multiple back ends using domain-specific configuration files.
- To configure Identity, set options in the
- /etc/keystone/keystone.conf file.
- Modify these examples as needed.
- To integrate Identity with LDAP
+ To integrate Identity with a LDAP serverEnable the LDAP driver in the
- keystone.conf file:
+ /etc/keystone/keystone.conf file:[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.IdentityDefine the destination LDAP server in the
- keystone.conf file:
+ /etc/keystone/keystone.conf file:
[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=org
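Review bot: "To integrate Identity with a LDAP server" should read "an LDAP server". The removed sentence "Modify these examples as needed." was a useful caveat directly above sample values such as `user = dc=Manager,dc=example,dc=org`; consider keeping it, or an equivalent, so readers do not copy the example bind DN unchanged. For parallelism, "a single LDAP server, or multiple back ends using domain-specific configuration files" reads better as "a single LDAP server, or with multiple back ends using domain-specific configuration files".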
@@ -89,10 +86,114 @@ role_allow_delete = False
authorization are unavailable.
+
+ To integrate Identity with multiple back ends
+
+ Set the following options in the
+ /etc/keystone/keystone.conf file:
+
+
+ Enable the LDAP driver:
+ [identity]
+#driver = keystone.identity.backends.sql.Identity
+driver = keystone.identity.backends.ldap.Identity
+
+
+ Enable domain-specific drivers:
+ [identity]
+domain_specific_drivers_enabled = True
+domain_config_dir = /etc/keystone/domains
+
+
+
+
+ Restart the service:
+ # service keystone restart
+
+
+ List the domains using the dashboard, or the OpenStackClient
+ CLI. Refer to the Command List
+ for a list of OpenStackClient commands.
+
+
+ Create domains using OpenStack dashboard, or the
+ OpenStackClient CLI.
+
+
+ For each domain, create a domain-specific configuration
+ file in the /etc/keystone/domains directory.
+ Use the file naming convention keystone.DOMAIN_NAME.conf,
+ where DOMAIN_NAME
+ is the domain name assigned in the previous step.
+ The options set in the
+ /etc/keystone/domains/keystone.DOMAIN_NAME.conf
+ file will override options in the /etc/keystone/keystone.conf
+ file.
+
+
+ Define the destination LDAP server in the
+ /etc/keystone/domains/keystone.DOMAIN_NAME.conf file. For example:
+ [ldap]
+url = ldap://localhost
+user = dc=Manager,dc=example,dc=org
+password = samplepassword
+suffix = dc=example,dc=org
+use_dumb_member = False
+allow_subtree_delete = False
+
+
+ Create the organizational units (OU) in the LDAP
+ directory, and define their corresponding location in
+ the /etc/keystone/domains/keystone.DOMAIN_NAME.conf
+ file. For example:
+ [ldap]
+user_tree_dn = ou=Users,dc=example,dc=org
+user_objectclass = inetOrgPerson
+
+tenant_tree_dn = ou=Groups,dc=example,dc=org
+tenant_objectclass = groupOfNames
+
+role_tree_dn = ou=Roles,dc=example,dc=org
+role_objectclass = organizationalRole
+
+ These schema attributes are extensible for
+ compatibility with various schemas. For example,
+ this entry maps to the person
+ attribute in Active Directory:
+ user_objectclass = person
+
+
+
+ A read-only implementation is recommended for LDAP
+ integration. These permissions are applied to object
+ types in the /etc/keystone/domains/keystone.DOMAIN_NAME.conf
+ file:
+ [ldap]
+user_allow_create = False
+user_allow_update = False
+user_allow_delete = False
+
+tenant_allow_create = False
+tenant_allow_update = False
+tenant_allow_delete = False
+
+role_allow_create = False
+role_allow_update = False
+role_allow_delete = False
+
+
+ Restart the Identity service:
+ #service keystone restart
+ During service restart, authentication and
+ authorization are unavailable.
+
+ Additional LDAP integration settingsSet these options in the
- keystone.conf file.
+ /etc/keystone/keystone.conf file for a single LDAP server, or
+ /etc/keystone/domains/keystone.DOMAIN_NAME.conf files for
+ multiple back ends.
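Review bot: in the schema note, "this entry maps to the person attribute in Active Directory" is inaccurate for `user_objectclass = person`; `person` is an object class, not an attribute, so the sentence should say "maps to the person object class". The two restart commands are written inconsistently (`# service keystone restart` versus `#service keystone restart`); please use one form. Since the domain-specific example stores a bind password in clear text (`password = samplepassword`), a short reminder that `/etc/keystone/domains/keystone.DOMAIN_NAME.conf` must be readable only by the Identity service user would fit next to the read-only recommendation. Finally, the step order lists domains before it creates them; swapping "List the domains" and "Create domains" would match the later reference to "the domain name assigned in the previous step".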