Integrate Identity with LDAP

Identity Service supports integration with an existing LDAP directory for authentication and authorization services.

For OpenStack Identity to access an LDAP back end, you must enable the SELinux boolean on the Identity server. To enable it and make the setting persistent across reboots:

    # setsebool -P authlogin_nsswitch_use_ldap

You can integrate Identity with a single LDAP server. To configure Identity, set options in the /etc/keystone/keystone.conf file. Modify these examples as needed.

To integrate Identity with LDAP

1. Enable the LDAP driver in the keystone.conf file:

    [identity]
    #driver = keystone.identity.backends.sql.Identity
    driver = keystone.identity.backends.ldap.Identity

2. Define the destination LDAP server in the keystone.conf file:

    [ldap]
    url = ldap://localhost
    user = dc=Manager,dc=example,dc=org
    password = samplepassword
    suffix = dc=example,dc=org
    use_dumb_member = False
    allow_subtree_delete = False

3. Create the organizational units (OUs) in the LDAP directory, and define their corresponding locations in the keystone.conf file:

    [ldap]
    user_tree_dn = ou=Users,dc=example,dc=org
    user_objectclass = inetOrgPerson
    tenant_tree_dn = ou=Groups,dc=example,dc=org
    tenant_objectclass = groupOfNames
    role_tree_dn = ou=Roles,dc=example,dc=org
    role_objectclass = organizationalRole

   These schema attributes are extensible for compatibility with various schemas. For example, this entry maps users to the person object class in Active Directory:

    user_objectclass = person

4. A read-only implementation is recommended for LDAP integration. These permissions are applied to object types in the keystone.conf file:

    [ldap]
    user_allow_create = False
    user_allow_update = False
    user_allow_delete = False
    tenant_allow_create = False
    tenant_allow_update = False
    tenant_allow_delete = False
    role_allow_create = False
    role_allow_update = False
    role_allow_delete = False

5. Restart the Identity service:

    # service keystone restart

   During the service restart, authentication and authorization are unavailable.

Additional LDAP integration settings

Set these options in the keystone.conf file.

Filters

Use filters to control the scope of data presented through LDAP:

    [ldap]
    user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
    tenant_filter =
    role_filter =

LDAP Account Status

Mask account status values for compatibility with various directory services. Superfluous accounts are filtered with user_filter. For example, you can mask Active Directory account status attributes in the keystone.conf file:

    [ldap]
    user_enabled_attribute = userAccountControl
    user_enabled_mask = 2
    user_enabled_default = 512
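The following worked example is added here and is not Keystone's own code. It reads a constructed [ldap] section shaped like the snippets above, audits it for the read-only settings the page recommends (the sample deliberately leaves user_allow_delete = True so the audit has something to report), builds the user search filter by ANDing the user_objectclass test with user_filter (the combined-filter shape is an assumption, written in RFC 4515 syntax), and applies user_enabled_mask to the userAccountControl attribute of some constructed directory entries. The interpretation of the mask (an account is enabled when the masked bit is clear, and a missing attribute falls back to user_enabled_default) is stated in the page; the handling of user_enabled_mask = 0 as a plain boolean string is an assumption.

```python
"""Added example (not Keystone's code): audit a keystone.conf [ldap] section
for read-only settings, compose the user search filter, and evaluate
the userAccountControl enabled mask on sample entries."""
import configparser

# Constructed sample of the [ldap] section; not a real deployment.
# user_allow_delete is intentionally True so the audit below reports it.
KEYSTONE_CONF = """
[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
user_allow_create = False
user_allow_update = False
user_allow_delete = True
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = False
role_allow_update = False
role_allow_delete = False
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
"""

# Constructed Active Directory style entries. userAccountControl bit values:
# 512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWORD.
SAMPLE_USERS = {
    "alice": {"userAccountControl": "512"},    # normal, enabled
    "bob": {"userAccountControl": "514"},      # 512 | 2 -> disabled
    "carol": {},                               # attribute absent -> default
    "dave": {"userAccountControl": "66050"},   # 65536 | 512 | 2 -> disabled
}


def load_ldap_section(text):
    """Parse the [ldap] section of a keystone.conf-style file into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp.items("ldap"))


def writable_object_types(ldap):
    """Return every *_allow_create/update/delete option that is not False,
    i.e. each write permission that departs from the recommended
    read-only integration."""
    suffixes = ("_allow_create", "_allow_update", "_allow_delete")
    return sorted(key for key, value in ldap.items()
                  if key.endswith(suffixes) and value.strip().lower() != "false")


def user_search_filter(ldap):
    """AND the objectclass test with user_filter (assumed combined shape)."""
    objectclass = "(objectClass=%s)" % ldap["user_objectclass"]
    extra = ldap.get("user_filter", "").strip()
    return "(&%s%s)" % (objectclass, extra) if extra else objectclass


def user_is_enabled(ldap, entry):
    """Apply user_enabled_mask to the configured enabled attribute.
    With a non-zero mask the account is enabled when the masked bit is
    clear; a missing attribute uses user_enabled_default. A zero mask is
    treated here (assumption) as a plain boolean attribute."""
    attr = ldap["user_enabled_attribute"]
    mask = int(ldap["user_enabled_mask"])
    raw = str(entry.get(attr, ldap["user_enabled_default"]))
    if mask == 0:
        return raw.strip().lower() in ("true", "1")
    return (int(raw) & mask) != mask


def enabled_users(ldap, users):
    """Map user name -> enabled flag for a dict of directory entries."""
    return {name: user_is_enabled(ldap, entry) for name, entry in users.items()}


if __name__ == "__main__":
    cfg = load_ldap_section(KEYSTONE_CONF)
    print("write permissions still on:", writable_object_types(cfg))
    print("user search filter:", user_search_filter(cfg))
    for name, enabled in enabled_users(cfg, SAMPLE_USERS).items():
        print("%-6s enabled=%s" % (name, enabled))
```

Run it as a script to see the audit findings, the composed filter, and the enabled flag per sample entry; the bob and dave entries show that the mask isolates the ACCOUNTDISABLE bit regardless of which other userAccountControl flags are set.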