.. _integrate-assignment-backend-ldap: ======================================= Integrate assignment back end with LDAP ======================================= When you configure the OpenStack Identity service to use LDAP servers, you can split authentication and authorization using the *assignment* feature. Integrating the *assignment* back end with LDAP allows administrators to use projects (tenant), roles, domains, and role assignments in LDAP. .. note:: Be aware of domain-specific back end limitations when configuring OpenStack Identity. The OpenStack Identity service does not support domain-specific assignment back ends. Using LDAP as an assignment back end is not recommended. .. important:: For OpenStack Identity assignments to access LDAP servers, you must define the destination LDAP server in the ``keystone.conf`` file. For more information, see :ref:`integrate-identity-with-ldap`. **To integrate assignment back ends with LDAP** #. Enable the assignment driver. In the ``[assignment]`` section, set the ``driver`` configuration key to ``keystone.assignment.backends.sql.Assignment``: .. code-block:: ini [assignment] #driver = keystone.assignment.backends.sql.Assignment driver = keystone.assignment.backends.ldap.Assignment #. Create the organizational units (OU) in the LDAP directory, and define their corresponding location in the ``keystone.conf`` file: .. code-block:: ini [ldap] role_tree_dn = role_objectclass = inetOrgPerson project_tree_dn = ou=Groups,dc=example,dc=org project_objectclass = groupOfNames .. note:: These schema attributes are extensible for compatibility with various schemas. For example, this entry maps to the groupOfNames attribute in Active Directory: .. code-block:: ini project_objectclass = groupOfNames #. A read-only implementation is recommended for LDAP integration. These permissions are applied to object types in the ``keystone.conf`` file: .. code-block:: ini [ldap] role_allow_create = False role_allow_update = False role_allow_delete = False project_allow_create = False project_allow_update = False project_allow_delete = False #. Restart the OpenStack Identity service. .. warning:: During service restart, authentication and authorization are unavailable. **Additional LDAP integration settings.** Set these options in the ``/etc/keystone/keystone.conf`` file for a single LDAP server, or ``/etc/keystone/domains/keystone.DOMAIN_NAME.conf`` files for multiple back ends. Filters Use filters to control the scope of data presented through LDAP. .. code-block:: ini [ldap] project_filter = (member=cn=openstack-user,ou=workgroups, dc=example,dc=org) role_filter = .. warning:: Filtering method Assignment attribute mapping Mask account status values (include any additional attribute mappings) for compatibility with various directory services. Superfluous accounts are filtered with user\_filter. Setting attribute ignore to list of attributes stripped off on update. .. code-block:: ini [ldap] role_id_attribute = cn role_name_attribute = ou role_member_attribute = roleOccupant role_additional_attribute_mapping = role_attribute_ignore = project_id_attribute = cn project_name_attribute = ou project_member_attribute = member project_desc_attribute = description project_enabled_attribute = enabled project_domain_id_attribute = businessCategory project_additional_attribute_mapping = project_attribute_ignore = Enabled emulation An alternative method to determine if a project is enabled or not is to check if that project is a member of the emulation group. Use DN of the group entry to hold enabled projects when using enabled emulation. .. code-block:: ini [ldap] project_enabled_emulation = false project_enabled_emulation_dn = false