From f278f72e1ecce3d99e7cacf2504283d60cd5818c Mon Sep 17 00:00:00 2001
From: darrenchan
Date: Mon, 2 Feb 2015 14:14:20 +1100
Subject: [PATCH] Added information on configuring keystone for multiple LDAP servers

Updated content to include:
1. Configuring keystone for multiple back ends using domain-specific configuration files
2. Configuring Assignments for multiple LDAP backends

Change-Id: Ib0705e90da4f0a4bafd493883545d36fa737bc3e
backport: juno
Closes-Bug: #1386768
---
 ...ction_keystone_config_ldap-assignments.xml | 41 +++---
 doc/common/section_keystone_config_ldap.xml | 123 ++++++++++++++++--
 2 files changed, 137 insertions(+), 27 deletions(-)

diff --git a/doc/common/section_keystone_config_ldap-assignments.xml b/doc/common/section_keystone_config_ldap-assignments.xml
index 72efe3aebb..2ae7ff575e 100644
--- a/doc/common/section_keystone_config_ldap-assignments.xml
+++ b/doc/common/section_keystone_config_ldap-assignments.xml
@@ -5,35 +5,33 @@ version="5.0" xml:id="configuring-keystone-for-ldap-backend-assignments"> Separate role authorization and user authentication - When you configure the Identity service to use an LDAP back - end, you can split authentication and authorization using the + When you configure the Identity service to use LDAP back + ends, you can split authentication and authorization using the Assignments feature. The Assignments feature enables administrators to manage - project role authorization using the Identity service's own SQL + project role authorization using the Identity service SQL database, while still providing user authentication through the LDAP directory. To configure this: Separating role authorization and user authentication through Assignments + Modify the /etc/keystone/keystone.conf + configuration file for a single LDAP server, or + etc/domains/keystone.DOMAIN_NAME.conf + files for multiple LDAP back ends, performing the following actions: Configure the Identity service to authenticate users - through the LDAP driver. To do so, first find the - [identity] section in the - /etc/keystone/keystone.conf configuration - file. Then, set the driver configuration - key in that section to + through the LDAP driver. In the [identity] section, set + the driver configuration key to keystone.identity.backends.ldap.Identity: [identity] driver = keystone.identity.backends.ldap.Identity - Next, enable the Assignment driver. To do so, find the - [assignment] section in the - /etc/keystone/keystone.conf configuration - file. Then, set the driver configuration key in - that section to - keystone.assignment.backends.sql.Assignment: + Enable the Assignment driver. In the + [assignment] section, set the driver + configuration key to keystone.assignment.backends.sql.Assignment: [assignment] driver = keystone.assignment.backends.sql.Assignment 
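Review bot: The new step text in this hunk points readers at `etc/domains/keystone.DOMAIN_NAME.conf`, a relative path that does not match `domain_config_dir = /etc/keystone/domains` or the `/etc/keystone/domains/keystone.DOMAIN_NAME.conf` path used throughout the section_keystone_config_ldap.xml hunks; the same relative path appears in the openstack-config command of the next hunk (@@ -42,10 +40,21 @@). Someone following the text literally would most likely edit or create a file outside the configured domain directory, so the Identity service would keep running with the keystone.conf values and nothing would flag the mistake. Suggested wording: `or the /etc/keystone/domains/keystone.DOMAIN_NAME.conf files for multiple LDAP back ends`, with the same absolute path in the command.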
@@ -42,10 +40,21 @@ driver = keystone.assignment.backends.sql.Assignment On distributions that include openstack-config, you can - configure both drivers by running the following commands instead: - + configure both drivers by running the following commands. + + + For a single LDAP server: # openstack-config --set /etc/keystone/keystone.conf \ identity driver keystone.identity.backends.ldap.Identity # openstack-config --set /etc/keystone/keystone.conf \ assignment driver keystone.assignment.backends.sql.Assignment + + + For multiple LDAP back ends: +# openstack-config --set /etc/keystone/keystone.conf \ + identity driver keystone.identity.backends.ldap.Identity + # openstack-config --set etc/domains/keystone.DOMAIN_NAME.conf \ + assignment driver keystone.assignment.backends.sql.Assignment + + diff --git a/doc/common/section_keystone_config_ldap.xml b/doc/common/section_keystone_config_ldap.xml index 84702294f3..b4858192c6 100644 --- a/doc/common/section_keystone_config_ldap.xml +++ b/doc/common/section_keystone_config_ldap.xml @@ -5,11 +5,11 @@ version="5.0" xml:id="configuring-keystone-for-ldap-backend"> Integrate Identity with LDAP - Identity Service supports integration with an existing LDAP - directory for authentication and authorization + Identity Service supports integration with existing LDAP + directories for authentication and authorization services. - For OpenStack Identity to access an LDAP back end, you must + For OpenStack Identity to access LDAP servers, you must enable the boolean value for SELinux on the Identity server. To enable and make the option persistent across reboots: 
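Review bot: The "For multiple LDAP back ends" command block writes `assignment driver` into the per-domain file while `identity driver` goes to /etc/keystone/keystone.conf; as far as I recall, domain-specific configuration files in this release only override the identity and ldap sections and the assignment back end is a single global setting, so that second command would probably have no effect and should be checked against the keystone release before it is documented. If that is confirmed, both commands should target `/etc/keystone/keystone.conf`, and the multi-back-end variant becomes identical to the single-server one, with only the per-domain [ldap] connection settings differing between deployments. The listitem that holds this block continues past the end of the hunk.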
@@ -17,23 +17,20 @@ You can integrate Identity with a single LDAP - server. + server, or multiple back ends using domain-specific configuration files. - To configure Identity, set options in the - /etc/keystone/keystone.conf file. - Modify these examples as needed. - To integrate Identity with LDAP + To integrate Identity with a LDAP server Enable the LDAP driver in the - keystone.conf file: + /etc/keystone/keystone.conf file: [identity] #driver = keystone.identity.backends.sql.Identity driver = keystone.identity.backends.ldap.Identity Define the destination LDAP server in the - keystone.conf file: + /etc/keystone/keystone.conf file: [ldap] url = ldap://localhost user = dc=Manager,dc=example,dc=org 
@@ -89,10 +86,114 @@ role_allow_delete = False authorization are unavailable. + + To integrate Identity with multiple back ends + + Set the following options in the + /etc/keystone/keystone.conf file: + + + Enable the LDAP driver: + [identity] +#driver = keystone.identity.backends.sql.Identity +driver = keystone.identity.backends.ldap.Identity + + + Enable domain-specific drivers: + [identity] +domain_specific_drivers_enabled = True +domain_config_dir = /etc/keystone/domains + + + + + Restart the service: + # service keystone restart + + + List the domains using the dashboard, or the OpenStackClient + CLI. Refer to the Command List + for a list of OpenStackClient commands. + + + Create domains using OpenStack dashboard, or the + OpenStackClient CLI. + + + For each domain, create a domain-specific configuration + file in the /etc/keystone/domains directory. + Use the file naming convention keystone.DOMAIN_NAME.conf, + where DOMAIN_NAME + is the domain name assigned in the previous step. + The options set in the + /etc/keystone/domains/keystone.DOMAIN_NAME.conf + file will override options in the /etc/keystone/keystone.conf + file. + + + Define the destination LDAP server in the + /etc/keystone/domains/keystone.DOMAIN_NAME.conf file. For example: + [ldap] +url = ldap://localhost +user = dc=Manager,dc=example,dc=org +password = samplepassword +suffix = dc=example,dc=org +use_dumb_member = False +allow_subtree_delete = False + + + Create the organizational units (OU) in the LDAP + directory, and define their corresponding location in + the /etc/keystone/domains/keystone.DOMAIN_NAME.conf + file. For example: + [ldap] +user_tree_dn = ou=Users,dc=example,dc=org +user_objectclass = inetOrgPerson + +tenant_tree_dn = ou=Groups,dc=example,dc=org +tenant_objectclass = groupOfNames + +role_tree_dn = ou=Roles,dc=example,dc=org +role_objectclass = organizationalRole + + These schema attributes are extensible for + compatibility with various schemas. 
For example, + this entry maps to the person + attribute in Active Directory: + user_objectclass = person + + + + A read-only implementation is recommended for LDAP + integration. These permissions are applied to object + types in the /etc/keystone/domains/keystone.DOMAIN_NAME.conf + file: + [ldap] +user_allow_create = False +user_allow_update = False +user_allow_delete = False + +tenant_allow_create = False +tenant_allow_update = False +tenant_allow_delete = False + +role_allow_create = False +role_allow_update = False +role_allow_delete = False + + + Restart the Identity service: + # service keystone restart + During service restart, authentication and + authorization are unavailable. + + Additional LDAP integration settings Set these options in the - keystone.conf file. + /etc/keystone/keystone.conf file for a single LDAP server, or + /etc/keystone/domains/keystone.DOMAIN_NAME.conf files for + multiple back ends.
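Review bot: The multi-back-end procedure stores the LDAP bind credential in clear text (`password = samplepassword`) in each /etc/keystone/domains/keystone.DOMAIN_NAME.conf file, and unlike keystone.conf these are files the reader creates by hand, yet the step says nothing about who may read them. Add a sentence to the "create a domain-specific configuration file" step such as `Restrict permissions on each domain-specific configuration file so that only the Identity service account can read it; the file contains the LDAP bind password.` The example `url = ldap://localhost` also transmits that credential unencrypted unless LDAP over TLS is configured, and since this is the block operators will copy, a pointer to the TLS settings belongs next to it. The sentence stating that options in the domain file "will override options in the /etc/keystone/keystone.conf file" reads as if any option can be overridden; to my knowledge only the identity-related sections are honoured per domain, so I would narrow that claim after checking the release documentation.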