Merge "Rework Identity LDAP structure"
This commit is contained in:
commit
ec5e01db50
|
@ -12,7 +12,7 @@ administrators to use users and groups in LDAP.
|
||||||
|
|
||||||
For OpenStack Identity service to access LDAP servers, you must
|
For OpenStack Identity service to access LDAP servers, you must
|
||||||
define the destination LDAP server in the ``keystone.conf`` file.
|
define the destination LDAP server in the ``keystone.conf`` file.
|
||||||
For more information, see :ref:`integrate-identity-with-ldap`.
|
For more information, see :ref:`identity_ldap_server_setup`.
|
||||||
|
|
||||||
**To integrate one Identity back end with LDAP**
|
**To integrate one Identity back end with LDAP**
|
||||||
|
|
||||||
|
|
|
@ -21,121 +21,10 @@ The *assignment* feature enables administrators to manage project role
|
||||||
authorization using the OpenStack Identity service SQL database, while
|
authorization using the OpenStack Identity service SQL database, while
|
||||||
providing user authentication through the LDAP directory.
|
providing user authentication through the LDAP directory.
|
||||||
|
|
||||||
.. important::
|
|
||||||
|
|
||||||
For the OpenStack Identity service to access LDAP servers, you must
|
|
||||||
enable the ``authlogin_nsswitch_use_ldap`` boolean value for SELinux
|
|
||||||
on the server running the OpenStack Identity service. To enable and
|
|
||||||
make the option persistent across reboots, set the following boolean
|
|
||||||
value as the root user:
|
|
||||||
|
|
||||||
.. code-block:: console
|
|
||||||
|
|
||||||
# setsebool -P authlogin_nsswitch_use_ldap on
|
|
||||||
|
|
||||||
The Identity configuration is split into two separate back ends; identity
|
|
||||||
(back end for users and groups), and assignments (back end for domains,
|
|
||||||
projects, roles, role assignments). To configure Identity, set options
|
|
||||||
in the ``/etc/keystone/keystone.conf`` file. See
|
|
||||||
:ref:`integrate-identity-backend-ldap` for Identity back end configuration
|
|
||||||
examples. Modify these examples as needed.
|
|
||||||
|
|
||||||
**To define the destination LDAP server**
|
|
||||||
|
|
||||||
#. Define the destination LDAP server in the ``keystone.conf`` file:
|
|
||||||
|
|
||||||
.. code-block:: ini
|
|
||||||
|
|
||||||
[ldap]
|
|
||||||
url = ldap://localhost
|
|
||||||
user = dc=Manager,dc=example,dc=org
|
|
||||||
password = samplepassword
|
|
||||||
suffix = dc=example,dc=org
|
|
||||||
|
|
||||||
**Additional LDAP integration settings**
|
|
||||||
|
|
||||||
Set these options in the ``/etc/keystone/keystone.conf`` file for a
|
|
||||||
single LDAP server, or ``/etc/keystone/domains/keystone.DOMAIN_NAME.conf``
|
|
||||||
files for multiple back ends. Example configurations appear below each
|
|
||||||
setting summary:
|
|
||||||
|
|
||||||
**Query option**
|
|
||||||
|
|
||||||
.. hlist::
|
|
||||||
:columns: 1
|
|
||||||
|
|
||||||
* Use ``query_scope`` to control the scope level of data presented
|
|
||||||
(search only the first level or search an entire sub-tree)
|
|
||||||
through LDAP.
|
|
||||||
* Use ``page_size`` to control the maximum results per page. A value
|
|
||||||
of zero disables paging.
|
|
||||||
* Use ``alias_dereferencing`` to control the LDAP dereferencing
|
|
||||||
option for queries.
|
|
||||||
* Use ``chase_referrals`` to override the system's default referral
|
|
||||||
chasing behavior for queries.
|
|
||||||
|
|
||||||
.. code-block:: ini
|
|
||||||
|
|
||||||
[ldap]
|
|
||||||
query_scope = sub
|
|
||||||
page_size = 0
|
|
||||||
alias_dereferencing = default
|
|
||||||
chase_referrals =
|
|
||||||
|
|
||||||
**Debug**
|
|
||||||
|
|
||||||
Use ``debug_level`` to set the LDAP debugging level for LDAP calls.
|
|
||||||
A value of zero means that debugging is not enabled.
|
|
||||||
|
|
||||||
.. code-block:: ini
|
|
||||||
|
|
||||||
[ldap]
|
|
||||||
debug_level = 0
|
|
||||||
|
|
||||||
.. warning::
|
|
||||||
|
|
||||||
This value is a bitmask, consult your LDAP documentation for
|
|
||||||
possible values.
|
|
||||||
|
|
||||||
**Connection pooling**
|
|
||||||
|
|
||||||
Use ``use_pool`` to enable LDAP connection pooling. Configure the
|
|
||||||
connection pool size, maximum retry, reconnect trials, timeout (-1
|
|
||||||
indicates indefinite wait) and lifetime in seconds.
|
|
||||||
|
|
||||||
.. code-block:: ini
|
|
||||||
|
|
||||||
[ldap]
|
|
||||||
use_pool = true
|
|
||||||
pool_size = 10
|
|
||||||
pool_retry_max = 3
|
|
||||||
pool_retry_delay = 0.1
|
|
||||||
pool_connection_timeout = -1
|
|
||||||
pool_connection_lifetime = 600
|
|
||||||
|
|
||||||
**Connection pooling for end user authentication**
|
|
||||||
|
|
||||||
Use ``use_auth_pool`` to enable LDAP connection pooling for end user
|
|
||||||
authentication. Configure the connection pool size and lifetime in
|
|
||||||
seconds.
|
|
||||||
|
|
||||||
.. code-block:: ini
|
|
||||||
|
|
||||||
[ldap]
|
|
||||||
use_auth_pool = false
|
|
||||||
auth_pool_size = 100
|
|
||||||
auth_pool_connection_lifetime = 60
|
|
||||||
|
|
||||||
When you have finished the configuration, restart the OpenStack Identity
|
|
||||||
service.
|
|
||||||
|
|
||||||
.. warning::
|
|
||||||
|
|
||||||
During the service restart, authentication and authorization are
|
|
||||||
unavailable.
|
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 2
|
:maxdepth: 2
|
||||||
|
|
||||||
|
identity-ldap-server.rst
|
||||||
identity-integrate-identity-backend-ldap.rst
|
identity-integrate-identity-backend-ldap.rst
|
||||||
identity-secure-identity-to-ldap-backend.rst
|
identity-secure-ldap-backend.rst
|
||||||
|
|
|
@ -0,0 +1,119 @@
|
||||||
|
.. _identity_ldap_server_setup:
|
||||||
|
|
||||||
|
===========================
|
||||||
|
Identity LDAP server set up
|
||||||
|
===========================
|
||||||
|
|
||||||
|
.. important::
|
||||||
|
|
||||||
|
For the OpenStack Identity service to access LDAP servers, you must
|
||||||
|
enable the ``authlogin_nsswitch_use_ldap`` boolean value for SELinux
|
||||||
|
on the server running the OpenStack Identity service. To enable and
|
||||||
|
make the option persistent across reboots, set the following boolean
|
||||||
|
value as the root user:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
# setsebool -P authlogin_nsswitch_use_ldap on
|
||||||
|
|
||||||
|
The Identity configuration is split into two separate back ends; identity
|
||||||
|
(back end for users and groups), and assignments (back end for domains,
|
||||||
|
projects, roles, role assignments). To configure Identity, set options
|
||||||
|
in the ``/etc/keystone/keystone.conf`` file. See
|
||||||
|
:ref:`integrate-identity-backend-ldap` for Identity back end configuration
|
||||||
|
examples. Modify these examples as needed.
|
||||||
|
|
||||||
|
**To define the destination LDAP server**
|
||||||
|
|
||||||
|
#. Define the destination LDAP server in the ``keystone.conf`` file:
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
[ldap]
|
||||||
|
url = ldap://localhost
|
||||||
|
user = dc=Manager,dc=example,dc=org
|
||||||
|
password = samplepassword
|
||||||
|
suffix = dc=example,dc=org
|
||||||
|
|
||||||
|
**Additional LDAP integration settings**
|
||||||
|
|
||||||
|
Set these options in the ``/etc/keystone/keystone.conf`` file for a
|
||||||
|
single LDAP server, or ``/etc/keystone/domains/keystone.DOMAIN_NAME.conf``
|
||||||
|
files for multiple back ends. Example configurations appear below each
|
||||||
|
setting summary:
|
||||||
|
|
||||||
|
**Query option**
|
||||||
|
|
||||||
|
.. hlist::
|
||||||
|
:columns: 1
|
||||||
|
|
||||||
|
* Use ``query_scope`` to control the scope level of data presented
|
||||||
|
(search only the first level or search an entire sub-tree)
|
||||||
|
through LDAP.
|
||||||
|
* Use ``page_size`` to control the maximum results per page. A value
|
||||||
|
of zero disables paging.
|
||||||
|
* Use ``alias_dereferencing`` to control the LDAP dereferencing
|
||||||
|
option for queries.
|
||||||
|
* Use ``chase_referrals`` to override the system's default referral
|
||||||
|
chasing behavior for queries.
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
[ldap]
|
||||||
|
query_scope = sub
|
||||||
|
page_size = 0
|
||||||
|
alias_dereferencing = default
|
||||||
|
chase_referrals =
|
||||||
|
|
||||||
|
**Debug**
|
||||||
|
|
||||||
|
Use ``debug_level`` to set the LDAP debugging level for LDAP calls.
|
||||||
|
A value of zero means that debugging is not enabled.
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
[ldap]
|
||||||
|
debug_level = 0
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
This value is a bitmask, consult your LDAP documentation for
|
||||||
|
possible values.
|
||||||
|
|
||||||
|
**Connection pooling**
|
||||||
|
|
||||||
|
Use ``use_pool`` to enable LDAP connection pooling. Configure the
|
||||||
|
connection pool size, maximum retry, reconnect trials, timeout (-1
|
||||||
|
indicates indefinite wait) and lifetime in seconds.
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
[ldap]
|
||||||
|
use_pool = true
|
||||||
|
pool_size = 10
|
||||||
|
pool_retry_max = 3
|
||||||
|
pool_retry_delay = 0.1
|
||||||
|
pool_connection_timeout = -1
|
||||||
|
pool_connection_lifetime = 600
|
||||||
|
|
||||||
|
**Connection pooling for end user authentication**
|
||||||
|
|
||||||
|
Use ``use_auth_pool`` to enable LDAP connection pooling for end user
|
||||||
|
authentication. Configure the connection pool size and lifetime in
|
||||||
|
seconds.
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
[ldap]
|
||||||
|
use_auth_pool = false
|
||||||
|
auth_pool_size = 100
|
||||||
|
auth_pool_connection_lifetime = 60
|
||||||
|
|
||||||
|
When you have finished the configuration, restart the OpenStack Identity
|
||||||
|
service.
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
During the service restart, authentication and authorization are
|
||||||
|
unavailable.
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
|
====================================================================
|
||||||
Secure the OpenStack Identity service connection to an LDAP back end
|
Secure the OpenStack Identity service connection to an LDAP back end
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
====================================================================
|
||||||
|
|
||||||
The Identity service supports the use of TLS to encrypt LDAP traffic.
|
The Identity service supports the use of TLS to encrypt LDAP traffic.
|
||||||
Before configuring this, you must first verify where your certificate
|
Before configuring this, you must first verify where your certificate
|
|
@ -238,7 +238,7 @@ redirect 301 /admin-guide/keystone_external_authentication.html /admin-guide/ide
|
||||||
redirect 301 /admin-guide/keystone_fernet_token_faq.html /admin-guide/identity-fernet-token-faq.html
|
redirect 301 /admin-guide/keystone_fernet_token_faq.html /admin-guide/identity-fernet-token-faq.html
|
||||||
redirect 301 /admin-guide/keystone_integrate_identity_backend_ldap.html /admin-guide/identity-integrate-identity-backend-ldap.html
|
redirect 301 /admin-guide/keystone_integrate_identity_backend_ldap.html /admin-guide/identity-integrate-identity-backend-ldap.html
|
||||||
redirect 301 /admin-guide/keystone_integrate_with_ldap.html /admin-guide/identity-integrate-with-ldap.html
|
redirect 301 /admin-guide/keystone_integrate_with_ldap.html /admin-guide/identity-integrate-with-ldap.html
|
||||||
redirect 301 /admin-guide/keystone_secure_identity_to_ldap_backend.html /admin-guide/identity-secure-identity-to-ldap-backend.html
|
redirect 301 /admin-guide/keystone_secure_identity_to_ldap_backend.html /admin-guide/identity-secure-ldap-backend.html
|
||||||
redirect 301 /admin-guide/keystone_token-binding.html /admin-guide/identity-token-binding.html
|
redirect 301 /admin-guide/keystone_token-binding.html /admin-guide/identity-token-binding.html
|
||||||
redirect 301 /admin-guide/keystone_tokens.html /admin-guide/identity-tokens.html
|
redirect 301 /admin-guide/keystone_tokens.html /admin-guide/identity-tokens.html
|
||||||
redirect 301 /admin-guide/keystone_use_trusts.html /admin-guide/identity-use-trusts.html
|
redirect 301 /admin-guide/keystone_use_trusts.html /admin-guide/identity-use-trusts.html
|
||||||
|
@ -250,7 +250,7 @@ redirect 301 /admin-guide/keystone-external-authentication.html /admin-guide/ide
|
||||||
redirect 301 /admin-guide/keystone-fernet-token-faq.html /admin-guide/identity-fernet-token-faq.html
|
redirect 301 /admin-guide/keystone-fernet-token-faq.html /admin-guide/identity-fernet-token-faq.html
|
||||||
redirect 301 /admin-guide/keystone-integrate-identity-backend_ldap.html /admin-guide/identity-integrate-identity-backend-ldap.html
|
redirect 301 /admin-guide/keystone-integrate-identity-backend_ldap.html /admin-guide/identity-integrate-identity-backend-ldap.html
|
||||||
redirect 301 /admin-guide/keystone-integrate-with-ldap.html /admin-guide/identity-integrate-with-ldap.html
|
redirect 301 /admin-guide/keystone-integrate-with-ldap.html /admin-guide/identity-integrate-with-ldap.html
|
||||||
redirect 301 /admin-guide/keystone-secure-identity-to-ldap_backend.html /admin-guide/identity-secure-identity-to-ldap-backend.html
|
redirect 301 /admin-guide/keystone-secure-identity-to-ldap_backend.html /admin-guide/identity-secure-ldap-backend.html
|
||||||
redirect 301 /admin-guide/keystone-token-binding.html /admin-guide/identity-token-binding.html
|
redirect 301 /admin-guide/keystone-token-binding.html /admin-guide/identity-token-binding.html
|
||||||
redirect 301 /admin-guide/keystone-tokens.html /admin-guide/identity-tokens.html
|
redirect 301 /admin-guide/keystone-tokens.html /admin-guide/identity-tokens.html
|
||||||
redirect 301 /admin-guide/keystone-use-trusts.html /admin-guide/identity-use-trusts.html
|
redirect 301 /admin-guide/keystone-use-trusts.html /admin-guide/identity-use-trusts.html
|
||||||
|
|
Loading…
Reference in New Issue