Improvement for Integrate Identity with LDAP

This fix improves the Integrate Identity with LDAP section in OpenStack Cloud
Administrator Guide - current. Update more additional configuration attributes
that can be used. Separate basic LDAP configuration, Identity backend
configuration and Assignment backend configuration into three different
categories. Categorize configuration options by their character.

Change-Id: I5640e9690aed962210582684e85d4e172bd265ff
Closes-bug: #1368082
Rico Lin 2015-02-12 17:22:45 +08:00 committed by Andreas Jaeger
parent 604fb3565b
commit 7bdc679023
3 changed files with 455 additions and 236 deletions

@ -4,57 +4,137 @@
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0" version="5.0"
xml:id="configuring-keystone-for-ldap-backend-assignments"> xml:id="configuring-keystone-for-ldap-backend-assignments">
<title>Separate role authorization and user authentication</title> <title>Integrate assignment back end with LDAP</title>
<para>When you configure the Identity service to use LDAP back <para>When you configure the OpenStack Identity service to use LDAP
ends, you can split authentication and authorization using the servers, you can split authentication and authorization using the
<emphasis>Assignments</emphasis> feature.</para> <emphasis>assignment</emphasis> feature. Integrating the
<para>The Assignments feature enables administrators to manage assignment back end with LDAP allows administrators to use
project role authorization using the Identity service SQL projects (tenant), roles, domains, and role assignments
database, while still providing user authentication through the in LDAP.</para>
LDAP directory.</para> <note>
<para>To configure this:</para> <para>Using LDAP as an assignment back end is not recommended.</para>
</note>
<note>
<para>The OpenStack Identity service does not support domain-specific
assignment back ends.</para>
</note>
<important>
<para>For OpenStack Identity assignments to access LDAP servers, you
must define the destination LDAP server in
the <filename>keystone.conf</filename> file. For more information,
see <xref linkend="configuring-keystone-for-ldap-backend"/>.</para>
</important>
<procedure> <procedure>
<title>Separating role authorization and user authentication <title>Integrating assignment back ends with LDAP</title>
through Assignments</title> <step>
<para>Modify the <filename>/etc/keystone/keystone.conf</filename> <para>Enable the assignment driver. In the
configuration file for a single LDAP server, or <literal>[assignment]</literal> section, set the
<filename>etc/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename> <literal>driver</literal> configuration key to
files for multiple LDAP back ends, performing the following actions:</para> <literal>keystone.assignment.backends.sql.Assignment</literal>:</para>
<step> <programlisting language="ini">[assignment]
<para>Configure the Identity service to authenticate users #driver = keystone.assignment.backends.sql.Assignment
through the LDAP driver. In the <literal>[identity]</literal> section, set driver = keystone.assignment.backends.ldap.Assignment</programlisting>
the <literal>driver</literal> configuration key to </step>
<literal>keystone.identity.backends.ldap.Identity</literal>: <step>
</para> <para>Create the organizational units (OU) in the LDAP
<programlisting>[identity] directory, and define their corresponding location in
driver = keystone.identity.backends.ldap.Identity</programlisting> the <filename>keystone.conf</filename> file:</para>
</step> <programlisting language="ini">[ldap]
<step><para>Enable the Assignment driver. In the role_tree_dn =
<literal>[assignment]</literal> section, set the <literal>driver</literal> role_objectclass = inetOrgPerson
configuration key to <literal>keystone.assignment.backends.sql.Assignment</literal>:
</para> project_tree_dn = ou=Groups,dc=example,dc=org
<programlisting>[assignment] project_objectclass = groupOfNames</programlisting>
driver = keystone.assignment.backends.sql.Assignment</programlisting> <note>
</step> <para>These schema attributes are extensible for
compatibility with various schemas. For example,
this entry maps to the
<systemitem>groupOfNames</systemitem> attribute in
Active Directory:</para>
<programlisting language="ini">project_objectclass = groupOfNames</programlisting>
</note>
</step>
<step>
<para>A read-only implementation is recommended for LDAP
integration. These permissions are applied to object
types in the <filename>keystone.conf</filename>
file:</para>
<programlisting language="ini">[ldap]
role_allow_create = False
role_allow_update = False
role_allow_delete = False
project_allow_create = False
project_allow_update = False
project_allow_delete = False</programlisting>
</step>
<step>
<para>Restart the OpenStack Identity service:</para>
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
<warning><para>During service restart, authentication and
authorization are unavailable.</para></warning>
</step>
</procedure> </procedure>
<para os="rhel;centos;fedora;opensuse;sles">On <formalpara>
distributions that include <title>Additional LDAP integration settings</title>
<application>openstack-config</application>, you can <para>Set these options in the
configure both drivers by running the following commands.</para> <filename>/etc/keystone/keystone.conf</filename>
<itemizedlist> file for a single LDAP server, or
<listitem> <filename>/etc/keystone/domains/keystone.
<para>For a single LDAP server:</para> <replaceable>DOMAIN_NAME</replaceable>.conf</filename>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \ files for multiple back ends.</para>
identity driver keystone.identity.backends.ldap.Identity</userinput> </formalpara>
<prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \ <variablelist>
assignment driver keystone.assignment.backends.sql.Assignment</userinput></screen> <varlistentry>
</listitem> <term>Filters</term>
<listitem> <listitem>
<para>For multiple LDAP back ends:</para> <para>Use filters to control the scope of data
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \ presented through LDAP.</para>
identity driver keystone.identity.backends.ldap.Identity</userinput> <programlisting language="ini">[ldap]
<prompt>#</prompt> <userinput>openstack-config --set etc/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf \ project_filter = (member=cn=openstack-user,ou=workgroups,dc=example,dc=org)
assignment driver keystone.assignment.backends.sql.Assignment</userinput></screen> role_filter = </programlisting>
</listitem> <warning><para>Filtering method</para></warning>
</itemizedlist> </listitem>
</varlistentry>
<varlistentry>
<term>Assignment attribute mapping</term>
<listitem>
<para>Mask account status values (include any additional
attribute mappings) for compatibility with various
directory services. Superfluous accounts are filtered with
<systemitem>user_filter</systemitem>.</para>
<para>Setting attribute ignore to list of attributes
stripped off on update.</para>
<programlisting language="ini">[ldap]
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_additional_attribute_mapping =
role_attribute_ignore =
project_id_attribute = cn
project_name_attribute = ou
project_member_attribute = member
project_desc_attribute = description
project_enabled_attribute = enabled
project_domain_id_attribute = businessCategory
project_additional_attribute_mapping =
project_attribute_ignore =</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Enabled emulation</term>
<listitem>
<para>An alternative method to determine if a project is
enabled or not is to check if that project is a
member of the emulation group.</para>
<para>Use DN of the group entry to hold enabled
projects when using enabled emulation.</para>
<programlisting language="ini">[ldap]
project_enabled_emulation = false
project_enabled_emulation_dn = false</programlisting>
</listitem>
</varlistentry>
</variablelist>
</section> </section>
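Review bot: in the new "Create the organizational units" step, `role_tree_dn =` is left empty and `role_objectclass = inetOrgPerson` maps roles to a person object class; the single-file version of this procedure that this change removes used `role_tree_dn = ou=Roles,dc=example,dc=org` and `role_objectclass = organizationalRole`, so those two values should be carried over. The note in the same step says the example "maps to the groupOfNames attribute in Active Directory" but the listing it shows (`project_objectclass = groupOfNames`) only repeats the value already set above it, so it illustrates no mapping. In the additional settings, `<warning><para>Filtering method</para></warning>` is an empty placeholder that needs text or removal, the "Assignment attribute mapping" paragraph was copied from the identity section (account status masking and `user_filter` do not apply to projects and roles), and `project_enabled_emulation_dn = false` assigns a boolean to a DN option; leave that value empty or show a group DN.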

@ -0,0 +1,232 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="configuring-keystone-for-ldap-backend-identity">
<title>Integrate identity back end with LDAP</title>
<para>The identity back end contains information for users, groups, and
group member lists. Integrating the identity back end with LDAP allows
administrators to use users and groups in LDAP.</para>
<important>
<para>For OpenStack Identity Service to access LDAP servers, you must
define the destination LDAP server in the
<filename>keystone.conf</filename> file. For more information, see
<xref linkend="configuring-keystone-for-ldap-backend"/>.</para>
</important>
<procedure>
<title>Integrating an identity back end with LDAP</title>
<step>
<para>Enable the LDAP identity driver in the
<filename>keystone.conf</filename> file. This allows LDAP as
an identity back end:</para>
<programlisting language="ini">[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity</programlisting>
</step>
<step>
<para>Create the organizational units (OU) in the LDAP
directory, and define the corresponding location in
the <filename>keystone.conf</filename> file:</para>
<programlisting language="ini">[ldap]
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
group_tree_dn = ou=Groups,dc=example,dc=org
group_objectclass = groupOfNames</programlisting>
<note>
<para>These schema attributes are extensible for
compatibility with various schemas. For example,
this entry maps to the
<systemitem>person</systemitem> attribute in
Active Directory:</para>
<programlisting language="ini">user_objectclass = person</programlisting>
</note>
</step>
<step>
<para>A read-only implementation is recommended for LDAP
integration. These permissions are applied to object
types in the <filename>keystone.conf</filename>
file:</para>
<programlisting language="ini">[ldap]
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False</programlisting>
</step>
<step>
<para>Restart the OpenStack Identity service:</para>
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
<warning><para>During service restart, authentication and
authorization are unavailable.</para></warning>
</step>
</procedure>
<procedure>
<title>Integrating identity with multiple back ends</title>
<step>
<para>Set the following options in the
<filename>/etc/keystone/keystone.conf</filename> file:</para>
<substeps>
<step>
<para>Enable the LDAP driver:</para>
<programlisting language="ini">[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity</programlisting>
</step>
<step>
<para>Enable domain-specific drivers:</para>
<programlisting language="ini">[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains</programlisting>
</step>
</substeps>
</step>
<step>
<para>Restart the service:</para>
<screen><prompt>#</prompt> service keystone restart</screen>
</step>
<step>
<para>List the domains using the dashboard, or the OpenStackClient
CLI. Refer to the <link xlink:href="http://docs.openstack.org/developer/python-openstackclient/command-list.html">Command List</link>
for a list of OpenStackClient commands.</para>
</step>
<step>
<para>Create domains using OpenStack dashboard, or the
OpenStackClient CLI.</para>
</step>
<step>
<para>For each domain, create a domain-specific configuration
file in the <filename>/etc/keystone/domains</filename> directory.
Use the file naming convention <filename>keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>,
where <replaceable>DOMAIN_NAME</replaceable>
is the domain name assigned in the previous step.</para>
<note><para>The options set in the
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
file will override options in the <filename>/etc/keystone/keystone.conf</filename>
file.</para></note>
</step>
<step>
<para>Define the destination LDAP server in the
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename> file. For example:</para>
<programlisting language="ini">[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False</programlisting>
</step>
<step>
<para>Create the organizational units (OU) in the LDAP
directories, and define their corresponding locations in
the <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
file. For example:</para>
<programlisting language="ini">[ldap]
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
group_tree_dn = ou=Groups,dc=example,dc=org
group_objectclass = groupOfNames</programlisting>
<note>
<para>These schema attributes are extensible for
compatibility with various schemas. For example,
this entry maps to the <systemitem>person</systemitem>
attribute in Active Directory:</para>
<programlisting language="ini">user_objectclass = person</programlisting>
</note>
</step>
<step>
<para>A read-only implementation is recommended for LDAP
integration. These permissions are applied to object
types in the <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
file:</para>
<programlisting language="ini">[ldap]
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False</programlisting>
</step>
<step>
<para>Restart the OpenStack Identity service:</para>
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
<warning><para>During service restart, authentication and
authorization are unavailable.</para></warning>
</step>
</procedure>
<formalpara>
<title>Additional LDAP integration settings</title>
<para>Set these options in the
<filename>/etc/keystone/keystone.conf</filename>
file for a single LDAP server, or
<filename>/etc/keystone/domains/keystone.
<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
files for multiple back ends.</para>
</formalpara>
<variablelist>
<varlistentry>
<term>Filters</term>
<listitem>
<para>Use filters to control the scope of data
presented through LDAP.</para>
<programlisting language="ini">[ldap]
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
group_filter = </programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Identity attribute mapping</term>
<listitem>
<para>Mask account status values (include any additional
attribute mappings) for compatibility
with various directory services. Superfluous
accounts are filtered with
<systemitem>user_filter</systemitem>.</para>
<para>Setting attribute ignore to list of attributes
stripped off on update.</para>
<para>For example, you can mask Active Directory
account status attributes in the
<filename>keystone.conf</filename>
file:</para>
<programlisting language="ini">[ldap]
user_id_attribute = cn
user_name_attribute = sn
user_mail_attribute = mail
user_pass_attribute = userPassword
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_invert = false
user_enabled_default = 51
user_default_project_id_attribute =
user_attribute_ignore = default_project_id,tenants
user_additional_attribute_mapping =
group_id_attribute = cn
group_name_attribute = ou
group_member_attribute = member
group_desc_attribute = description
group_attribute_ignore =
group_additional_attribute_mapping =</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Enabled emulation</term>
<listitem>
<para>An alternative method to determine if a user is
enabled or not is by checking if that user is a
member of the emulation group.</para>
<para>Use DN of the group entry to hold enabled
user when using enabled emulation.</para>
<programlisting language="ini">[ldap]
user_enabled_emulation = false
user_enabled_emulation_dn = false</programlisting>
</listitem>
</varlistentry>
</variablelist>
</section>
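Review bot: `user_enabled_default = 51` in the "Identity attribute mapping" listing looks like a truncation of the `user_enabled_default = 512` that the same Active Directory example carried in section_keystone_config_ldap.xml before this change (512 is the userAccountControl value for a normal enabled account; 51 is not a meaningful default), so restore `512`. Two smaller points: `user_enabled_emulation_dn = false` assigns a boolean to a DN option (leave it empty or show the group DN), and the restart step in "Integrating identity with multiple back ends" uses `<screen><prompt>#</prompt> service keystone restart</screen>` without the `<userinput>` markup used in every other restart step. Since the domain-specific example stores the bind `password` in cleartext, the step that creates keystone.DOMAIN_NAME.conf would also benefit from a sentence on restricting that file's permissions.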

@ -5,189 +5,59 @@
version="5.0" version="5.0"
xml:id="configuring-keystone-for-ldap-backend"> xml:id="configuring-keystone-for-ldap-backend">
<title>Integrate Identity with LDAP</title> <title>Integrate Identity with LDAP</title>
<para>Identity Service supports integration with existing LDAP <para>The Openstack Identity Service supports integration with
directories for authentication and authorization existing LDAP directories for authentication and authorization
services.</para> services.</para>
<para>When the Openstack Identity service is configured to use LDAP
back ends, you can split authentication (using the
<emphasis>identity</emphasis> feature) and
authorization (using the
<emphasis>assignment</emphasis> feature).</para>
<para>The identity feature enables administrators to manage
users and groups by each domain or the Openstack Identity Service entirely.</para>
<para>The Assignments feature enables administrators to manage
project role authorization using the Openstack Identity service SQL
database, while providing user authentication through the
LDAP directory.</para>
<important os="rhel;fedora;centos"> <important os="rhel;fedora;centos">
<para>For OpenStack Identity to access LDAP servers, you must <para>For OpenStack Identity service to access LDAP servers, you must
enable the <option>authlogin_nsswitch_use_ldap</option> boolean enable the <option>authlogin_nsswitch_use_ldap</option> boolean
value for SELinux on the Identity server. To enable and value for SELinux on the Openstack Identity server. To enable and
make the option persistent across reboots:</para> make the option persistent across reboots:</para>
<screen><prompt>#</prompt> <userinput>setsebool -P authlogin_nsswitch_use_ldap</userinput></screen> <screen><prompt>#</prompt> <userinput>setsebool -P authlogin_nsswitch_use_ldap</userinput></screen>
</important> </important>
<para>Identity configuration is split into two separate back ends: identity
(back end for users and groups) and assignments (back end for domains,
projects, roles, role assignments). To configure identity, set options in the
<filename>/etc/keystone/keystone.conf</filename> file.
See <xref linkend="configuring-keystone-for-ldap-backend-identity"/>
for identity back end configuration examples and
<xref linkend="configuring-keystone-for-ldap-backend-assignments"/>
for assignment back end configuration examples.
Modify these examples as needed.</para>
<note> <note>
<para>You can integrate Identity with a single LDAP <para>Multiple back ends are supported. You can integrate the Openstack Identity service
server, or multiple back ends using domain-specific configuration files.</para> with a single LDAP server (configure both identity and assignments to
LDAP, or set identity and assignments back end with SQL or LDAP),
or multiple back ends using domain-specific configuration files.</para>
</note> </note>
<procedure> <formalpara>
<title>To integrate Identity with a LDAP server</title> <title>To define the destination LDAP server</title>
<step>
<para>Enable the LDAP driver in the
<filename>/etc/keystone/keystone.conf</filename> file:</para>
<programlisting language="ini">[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity</programlisting>
</step>
<step>
<para>Define the destination LDAP server in the
<filename>/etc/keystone/keystone.conf</filename> file:</para>
<programlisting language="ini">[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False</programlisting>
</step>
<step>
<para>Create the organizational units (OU) in the LDAP
directory, and define their corresponding location in
the <filename>keystone.conf</filename> file:</para>
<programlisting language="ini">[ldap]
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames
role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole</programlisting>
<note>
<para>These schema attributes are extensible for
compatibility with various schemas. For example,
this entry maps to the
<systemitem>person</systemitem> attribute in
Active Directory:</para>
<programlisting language="ini">user_objectclass = person</programlisting>
</note>
</step>
<step>
<para>A read-only implementation is recommended for LDAP
integration. These permissions are applied to object
types in the <filename>keystone.conf</filename>
file:</para>
<programlisting language="ini">[ldap]
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = False
role_allow_update = False
role_allow_delete = False</programlisting>
</step>
<step>
<para>Restart the Identity service:</para>
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
<warning><para>During service restart, authentication and
authorization are unavailable.</para></warning>
</step>
</procedure>
<procedure>
<title>To integrate Identity with multiple back ends</title>
<step>
<para>Set the following options in the
<filename>/etc/keystone/keystone.conf</filename> file:</para>
<substeps>
<step>
<para>Enable the LDAP driver:</para>
<programlisting language="ini">[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity</programlisting>
</step>
<step>
<para>Enable domain-specific drivers:</para>
<programlisting language="ini">[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains</programlisting>
</step>
</substeps>
</step>
<step>
<para>Restart the service:</para>
<screen><prompt>#</prompt> service keystone restart</screen>
</step>
<step>
<para>List the domains using the dashboard, or the OpenStackClient
CLI. Refer to the <link xlink:href="http://docs.openstack.org/developer/python-openstackclient/command-list.html">Command List</link>
for a list of OpenStackClient commands.</para>
</step>
<step>
<para>Create domains using OpenStack dashboard, or the
OpenStackClient CLI.</para>
</step>
<step>
<para>For each domain, create a domain-specific configuration
file in the <filename>/etc/keystone/domains</filename> directory.
Use the file naming convention <filename>keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>,
where <replaceable>DOMAIN_NAME</replaceable>
is the domain name assigned in the previous step.</para>
<note><para>The options set in the
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
file will override options in the <filename>/etc/keystone/keystone.conf</filename>
file.</para></note>
</step>
<step>
<para>Define the destination LDAP server in the <para>Define the destination LDAP server in the
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename> file. For example:</para> <filename>keystone.conf</filename> file:</para>
<programlisting language="ini">[ldap] </formalpara>
<programlisting language="ini">[ldap]
url = ldap://localhost url = ldap://localhost
user = dc=Manager,dc=example,dc=org user = dc=Manager,dc=example,dc=org
password = samplepassword password = samplepassword
suffix = dc=example,dc=org suffix = dc=example,dc=org
use_dumb_member = False use_dumb_member = False
allow_subtree_delete = False</programlisting> allow_subtree_delete = False</programlisting>
</step> <note>
<step> <para>Configure <option>dumb_member</option> if you set <option>use_dumb_member</option> to true.</para>
<para>Create the organizational units (OU) in the LDAP
directory, and define their corresponding location in
the <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
file. For example:</para>
<programlisting language="ini">[ldap] <programlisting language="ini">[ldap]
user_tree_dn = ou=Users,dc=example,dc=org dumb_member = cn=dumb,dc=nonexistent</programlisting>
user_objectclass = inetOrgPerson </note>
tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames
role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole</programlisting>
<note>
<para>These schema attributes are extensible for
compatibility with various schemas. For example,
this entry maps to the <systemitem>person</systemitem>
attribute in Active Directory:</para>
<programlisting language="ini">user_objectclass = person</programlisting>
</note>
</step>
<step>
<para>A read-only implementation is recommended for LDAP
integration. These permissions are applied to object
types in the <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
file:</para>
<programlisting language="ini">[ldap]
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = False
role_allow_update = False
role_allow_delete = False</programlisting>
</step>
<step>
<para>Restart the Identity service:</para>
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
<warning><para>During service restart, authentication and
authorization are unavailable.</para></warning>
</step>
</procedure>
<formalpara> <formalpara>
<title>Additional LDAP integration settings</title> <title>Additional LDAP integration settings</title>
<para>Set these options in the <para>Set these options in the
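Review bot: the new introductory paragraphs spell the product name both "Openstack" and "OpenStack" ("The Openstack Identity Service supports", "When the Openstack Identity service is configured", "the Openstack Identity server"); use "OpenStack" throughout. The rewritten note "configure both identity and assignments to LDAP, or set identity and assignments back end with SQL or LDAP" is hard to parse; say plainly that the identity and assignment back ends can each be SQL or LDAP, chosen independently. The paragraph "The Assignments feature enables administrators to manage project role authorization using the Openstack Identity service SQL database" describes only the SQL case, while the new assignments section added by this change documents LDAP-backed assignment (and marks it as not recommended); reword this paragraph so the two sections agree.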
@ -197,34 +67,71 @@ role_allow_delete = False</programlisting>
</formalpara> </formalpara>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Filters</term> <term>Query option</term>
<listitem> <listitem>
<para>Use filters to control the scope of data <para>Use <option>query_scope</option>
presented through LDAP.</para> to control the scope level of data
presented (search only the first level or search an entire
sub-tree) through LDAP.</para>
<para>Use <option>page_size</option> to control the maximum
results per page. A value of zero disables paging.</para>
<para>Use <option>alias_dereferencing</option> to control
the LDAP dereferencing option for queries.</para>
<para>Use <option>chase_referrals</option> to override the
system's default referral chasing behavior for queries.</para>
<programlisting language="ini">[ldap] <programlisting language="ini">[ldap]
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org) query_scope = sub
tenant_filter = page_size = 0
role_filter =</programlisting> alias_dereferencing = default
chase_referrals = </programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>LDAP Account Status</term> <term>Debug</term>
<listitem> <listitem>
<para>Mask account status values for compatibility <para>Use <option>debug_level</option> to set
with various directory services. Superfluous the LDAP debugging level for LDAP calls. A value of zero means that
accounts are filtered with debugging is not enabled.</para>
<systemitem>user_filter</systemitem>.</para>
<para>For example, you can mask Active Directory
account status attributes in the
<filename>keystone.conf</filename>
file:</para>
<programlisting language="ini">[ldap] <programlisting language="ini">[ldap]
user_enabled_attribute = userAccountControl debug_level = 0</programlisting>
user_enabled_mask = 2 <warning><para>This value is a bitmask, consult your LDAP
user_enabled_default = 512</programlisting> documentation for possible values.</para></warning>
</listitem>
</varlistentry>
<varlistentry>
<term>Connection pooling</term>
<listitem>
<para>Use <option>use_pool</option> to enable LDAP connection
pooling. Configure connection pool size, maximum retry,
reconnect trials, timeout (-1 indicates indefinite
wait) and lifetime in seconds.</para>
<programlisting language="ini">[ldap]
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Connection pooling for end user authentication</term>
<listitem>
<para>Use <option>use_auth_pool</option> to enable LDAP
connection pooling for end user authentication.
Configure connection pool size and lifetime in seconds.</para>
<programlisting language="ini">[ldap]
use_auth_pool = false
auth_pool_size = 100
auth_pool_connection_lifetime = 60</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>When you have finished configuration, restart the Openstack Identity service:</para>
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
<warning><para>During service restart, authentication and
authorization are unavailable.</para></warning>
<xi:include href="section_keystone_config_ldap-identity.xml"/>
<xi:include href="section_keystone_config_ldap-assignments.xml"/> <xi:include href="section_keystone_config_ldap-assignments.xml"/>
<xi:include href="section_keystone_config_ldap-hardening.xml"/> <xi:include href="section_keystone_config_ldap-hardening.xml"/>
</section> </section>
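Review bot: `chase_referrals = ` is listed with an empty value, but the surrounding text describes it as an override of the system's default behavior, which is a true/false choice; an empty string may not parse as a boolean, so either omit the line to keep the system default or show an explicit `true` or `false`. The "Query option" paragraph explains the two `query_scope` behaviours (first level versus entire sub-tree) without naming the values that select them; add them to the listing or the text. The `debug_level` warning correctly calls the value a bitmask; it is worth adding that the setting should go back to 0 once troubleshooting is done, since it is shown as a permanent keystone.conf entry. Finally, `section_keystone_config_ldap-identity.xml` is added as an `xi:include` here and is the target of the `xref` to configuring-keystone-for-ldap-backend-identity introduced earlier in this hunk; confirm the new file is listed in the book's build so that link resolves.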