diff --git a/doc/admin-guide/source/identity-integrate-identity-backend-ldap.rst b/doc/admin-guide/source/identity-integrate-identity-backend-ldap.rst index dae65a35c5..ca89f22cb1 100644 --- a/doc/admin-guide/source/identity-integrate-identity-backend-ldap.rst +++ b/doc/admin-guide/source/identity-integrate-identity-backend-ldap.rst @@ -12,7 +12,7 @@ administrators to use users and groups in LDAP. For OpenStack Identity service to access LDAP servers, you must define the destination LDAP server in the ``keystone.conf`` file. - For more information, see :ref:`integrate-identity-with-ldap`. + For more information, see :ref:`identity_ldap_server_setup`. **To integrate one Identity back end with LDAP** diff --git a/doc/admin-guide/source/identity-integrate-with-ldap.rst b/doc/admin-guide/source/identity-integrate-with-ldap.rst index 1c2feac925..23f974c941 100644 --- a/doc/admin-guide/source/identity-integrate-with-ldap.rst +++ b/doc/admin-guide/source/identity-integrate-with-ldap.rst 
@@ -21,121 +21,10 @@ The *assignment* feature enables administrators to manage project role authorization using the OpenStack Identity service SQL database, while providing user authentication through the LDAP directory. -.. important:: - - For the OpenStack Identity service to access LDAP servers, you must - enable the ``authlogin_nsswitch_use_ldap`` boolean value for SELinux - on the server running the OpenStack Identity service. To enable and - make the option persistent across reboots, set the following boolean - value as the root user: - -.. code-block:: console - - # setsebool -P authlogin_nsswitch_use_ldap on - -The Identity configuration is split into two separate back ends; identity -(back end for users and groups), and assignments (back end for domains, -projects, roles, role assignments). To configure Identity, set options -in the ``/etc/keystone/keystone.conf`` file. See -:ref:`integrate-identity-backend-ldap` for Identity back end configuration -examples. Modify these examples as needed. - -**To define the destination LDAP server** - -#. Define the destination LDAP server in the ``keystone.conf`` file: - - .. code-block:: ini - - [ldap] - url = ldap://localhost - user = dc=Manager,dc=example,dc=org - password = samplepassword - suffix = dc=example,dc=org - -**Additional LDAP integration settings** - -Set these options in the ``/etc/keystone/keystone.conf`` file for a -single LDAP server, or ``/etc/keystone/domains/keystone.DOMAIN_NAME.conf`` -files for multiple back ends. Example configurations appear below each -setting summary: - -**Query option** - -.. hlist:: - :columns: 1 - - * Use ``query_scope`` to control the scope level of data presented - (search only the first level or search an entire sub-tree) - through LDAP. - * Use ``page_size`` to control the maximum results per page. A value - of zero disables paging. - * Use ``alias_dereferencing`` to control the LDAP dereferencing - option for queries. 
- * Use ``chase_referrals`` to override the system's default referral - chasing behavior for queries. - -.. code-block:: ini - - [ldap] - query_scope = sub - page_size = 0 - alias_dereferencing = default - chase_referrals = - -**Debug** - -Use ``debug_level`` to set the LDAP debugging level for LDAP calls. -A value of zero means that debugging is not enabled. - -.. code-block:: ini - - [ldap] - debug_level = 0 - -.. warning:: - - This value is a bitmask, consult your LDAP documentation for - possible values. - -**Connection pooling** - -Use ``use_pool`` to enable LDAP connection pooling. Configure the -connection pool size, maximum retry, reconnect trials, timeout (-1 -indicates indefinite wait) and lifetime in seconds. - -.. code-block:: ini - - [ldap] - use_pool = true - pool_size = 10 - pool_retry_max = 3 - pool_retry_delay = 0.1 - pool_connection_timeout = -1 - pool_connection_lifetime = 600 - -**Connection pooling for end user authentication** - -Use ``use_auth_pool`` to enable LDAP connection pooling for end user -authentication. Configure the connection pool size and lifetime in -seconds. - -.. code-block:: ini - - [ldap] - use_auth_pool = false - auth_pool_size = 100 - auth_pool_connection_lifetime = 60 - -When you have finished the configuration, restart the OpenStack Identity -service. - -.. warning:: - - During the service restart, authentication and authorization are - unavailable. .. toctree:: :maxdepth: 2 + identity-ldap-server.rst identity-integrate-identity-backend-ldap.rst - identity-secure-identity-to-ldap-backend.rst + identity-secure-ldap-backend.rst diff --git a/doc/admin-guide/source/identity-ldap-server.rst b/doc/admin-guide/source/identity-ldap-server.rst new file mode 100644 index 0000000000..274d65f36e --- /dev/null +++ b/doc/admin-guide/source/identity-ldap-server.rst 
@@ -0,0 +1,119 @@ +.. _identity_ldap_server_setup: + +=========================== +Identity LDAP server set up +=========================== + +.. important:: + + For the OpenStack Identity service to access LDAP servers, you must + enable the ``authlogin_nsswitch_use_ldap`` boolean value for SELinux + on the server running the OpenStack Identity service. To enable and + make the option persistent across reboots, set the following boolean + value as the root user: + + .. code-block:: console + + # setsebool -P authlogin_nsswitch_use_ldap on + +The Identity configuration is split into two separate back ends; identity +(back end for users and groups), and assignments (back end for domains, +projects, roles, role assignments). To configure Identity, set options +in the ``/etc/keystone/keystone.conf`` file. See +:ref:`integrate-identity-backend-ldap` for Identity back end configuration +examples. Modify these examples as needed. + +**To define the destination LDAP server** + +#. Define the destination LDAP server in the ``keystone.conf`` file: + + .. code-block:: ini + + [ldap] + url = ldap://localhost + user = dc=Manager,dc=example,dc=org + password = samplepassword + suffix = dc=example,dc=org + +**Additional LDAP integration settings** + +Set these options in the ``/etc/keystone/keystone.conf`` file for a +single LDAP server, or ``/etc/keystone/domains/keystone.DOMAIN_NAME.conf`` +files for multiple back ends. Example configurations appear below each +setting summary: + +**Query option** + +.. hlist:: + :columns: 1 + + * Use ``query_scope`` to control the scope level of data presented + (search only the first level or search an entire sub-tree) + through LDAP. + * Use ``page_size`` to control the maximum results per page. A value + of zero disables paging. + * Use ``alias_dereferencing`` to control the LDAP dereferencing + option for queries. + * Use ``chase_referrals`` to override the system's default referral + chasing behavior for queries. + +.. 
code-block:: ini + + [ldap] + query_scope = sub + page_size = 0 + alias_dereferencing = default + chase_referrals = + +**Debug** + +Use ``debug_level`` to set the LDAP debugging level for LDAP calls. +A value of zero means that debugging is not enabled. + +.. code-block:: ini + + [ldap] + debug_level = 0 + +.. warning:: + + This value is a bitmask, consult your LDAP documentation for + possible values. + +**Connection pooling** + +Use ``use_pool`` to enable LDAP connection pooling. Configure the +connection pool size, maximum retry, reconnect trials, timeout (-1 +indicates indefinite wait) and lifetime in seconds. + +.. code-block:: ini + + [ldap] + use_pool = true + pool_size = 10 + pool_retry_max = 3 + pool_retry_delay = 0.1 + pool_connection_timeout = -1 + pool_connection_lifetime = 600 + +**Connection pooling for end user authentication** + +Use ``use_auth_pool`` to enable LDAP connection pooling for end user +authentication. Configure the connection pool size and lifetime in +seconds. + +.. code-block:: ini + + [ldap] + use_auth_pool = false + auth_pool_size = 100 + auth_pool_connection_lifetime = 60 + +When you have finished the configuration, restart the OpenStack Identity +service. + +.. warning:: + + During the service restart, authentication and authorization are + unavailable. + diff --git a/doc/admin-guide/source/identity-secure-identity-to-ldap-backend.rst b/doc/admin-guide/source/identity-secure-ldap-backend.rst similarity index 97% rename from doc/admin-guide/source/identity-secure-identity-to-ldap-backend.rst rename to doc/admin-guide/source/identity-secure-ldap-backend.rst index 14c4e15175..5b9d52b42d 100644 --- a/doc/admin-guide/source/identity-secure-identity-to-ldap-backend.rst +++ b/doc/admin-guide/source/identity-secure-ldap-backend.rst 
@@ -1,5 +1,6 @@ +==================================================================== Secure the OpenStack Identity service connection to an LDAP back end -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +==================================================================== The Identity service supports the use of TLS to encrypt LDAP traffic. Before configuring this, you must first verify where your certificate diff --git a/www/static/.htaccess b/www/static/.htaccess index cfe36cd258..90e100c1a2 100644 --- a/www/static/.htaccess +++ b/www/static/.htaccess @@ -238,7 +238,7 @@ redirect 301 /admin-guide/keystone_external_authentication.html /admin-guide/ide redirect 301 /admin-guide/keystone_fernet_token_faq.html /admin-guide/identity-fernet-token-faq.html redirect 301 /admin-guide/keystone_integrate_identity_backend_ldap.html /admin-guide/identity-integrate-identity-backend-ldap.html redirect 301 /admin-guide/keystone_integrate_with_ldap.html /admin-guide/identity-integrate-with-ldap.html -redirect 301 /admin-guide/keystone_secure_identity_to_ldap_backend.html /admin-guide/identity-secure-identity-to-ldap-backend.html +redirect 301 /admin-guide/keystone_secure_identity_to_ldap_backend.html /admin-guide/identity-secure-ldap-backend.html redirect 301 /admin-guide/keystone_token-binding.html /admin-guide/identity-token-binding.html redirect 301 /admin-guide/keystone_tokens.html /admin-guide/identity-tokens.html redirect 301 /admin-guide/keystone_use_trusts.html /admin-guide/identity-use-trusts.html 
@@ -250,7 +250,7 @@ redirect 301 /admin-guide/keystone-external-authentication.html /admin-guide/ide redirect 301 /admin-guide/keystone-fernet-token-faq.html /admin-guide/identity-fernet-token-faq.html redirect 301 /admin-guide/keystone-integrate-identity-backend_ldap.html /admin-guide/identity-integrate-identity-backend-ldap.html redirect 301 /admin-guide/keystone-integrate-with-ldap.html /admin-guide/identity-integrate-with-ldap.html -redirect 301 /admin-guide/keystone-secure-identity-to-ldap_backend.html /admin-guide/identity-secure-identity-to-ldap-backend.html +redirect 301 /admin-guide/keystone-secure-identity-to-ldap_backend.html /admin-guide/identity-secure-ldap-backend.html redirect 301 /admin-guide/keystone-token-binding.html /admin-guide/identity-token-binding.html redirect 301 /admin-guide/keystone-tokens.html /admin-guide/identity-tokens.html redirect 301 /admin-guide/keystone-use-trusts.html /admin-guide/identity-use-trusts.html
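Review bot: on the identity-integrate-with-ldap.rst hunk (@@ -21,121), the removed `.. code-block:: console` holding `# setsebool -P authlogin_nsswitch_use_ldap on` sat at column 0, outside the `.. important::` admonition, so the command rendered detached from the note that explains it; the copy added in identity-ldap-server.rst indents it under the admonition, which is the correct rendering. Since this hunk also deletes the text that carried the `integrate-identity-with-ldap` label, please confirm no other page still uses `:ref:`integrate-identity-with-ldap`` (only the one in identity-integrate-identity-backend-ldap.rst is updated in this patch); a stale reference would surface as an undefined-label warning at build time rather than a broken link in review.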
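Review bot: in the new identity-ldap-server.rst, `:ref:`integrate-identity-backend-ldap`` is carried over but the label is not defined anywhere in this patch; confirm it exists (presumably in identity-integrate-identity-backend-ldap.rst, whose label lines are not shown) so the moved page does not introduce an unresolved reference. The destination-server example shows the bind credential in cleartext and an unencrypted endpoint (`url = ldap://localhost`, `password = samplepassword`); since identity-secure-ldap-backend.rst is already in the toctree, add one sentence after that example pointing to it for TLS, and note that `keystone.conf` (or the per-domain file) holds the bind password and must stay readable only by the Identity service account. While the text is being moved, check whether `user = dc=Manager,dc=example,dc=org` is intended: a bind DN normally uses `cn=Manager,...` (OpenLDAP's conventional rootdn), and `dc=Manager` reads like a typo inherited from the old page. Minor: `chase_referrals =` with an empty value is ambiguous in an example (show a value or say in prose that it is unset so the system default applies); the heading **Query option** introduces four options and should be plural; "set up" in the title is the verb form, "setup" is the noun; and the file ends with an extra blank line.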
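Review bot: both `.htaccess` hunks update only the legacy `keystone_secure_identity_to_ldap_backend.html` and `keystone-secure-identity-to-ldap_backend.html` sources, but nothing redirects the URL the renamed page was most recently published under, so `/admin-guide/identity-secure-identity-to-ldap-backend.html` now 404s for anyone who bookmarked or linked the current name. Add a rule alongside these, for example `redirect 301 /admin-guide/identity-secure-identity-to-ldap-backend.html /admin-guide/identity-secure-ldap-backend.html`. The new identity-ldap-server.html has no prior URL, so it needs no rule.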