7bdc679023
This fix imporve Integrate Identity with LDAP section in OpenStack Cloud Administrator Guide - current. Update more additionnal configuration attributes that can be used. Seprate basic LDAP configuration, Identity backend configuration and Assignment backend configuration into three different categories. Categorize configuration options by it's character. Change-Id: I5640e9690aed962210582684e85d4e172bd265ff Closes-bug: #1368082
233 lines
9.8 KiB
XML
233 lines
9.8 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="configuring-keystone-for-ldap-backend-identity">
|
|
|
|
<title>Integrate identity back end with LDAP</title>
|
|
<para>The identity back end contains information for users, groups, and
|
|
group member lists. Integrating the identity back end with LDAP allows
|
|
administrators to use users and groups in LDAP.</para>
|
|
<important>
|
|
<para>For OpenStack Identity Service to access LDAP servers, you must
|
|
define the destination LDAP server in the
|
|
<filename>keystone.conf</filename> file. For more information, see
|
|
<xref linkend="configuring-keystone-for-ldap-backend"/>.</para>
|
|
</important>
|
|
<procedure>
|
|
<title>Integrating an identity back end with LDAP</title>
|
|
<step>
|
|
<para>Enable the LDAP identity driver in the
|
|
<filename>keystone.conf</filename> file. This allows LDAP as
|
|
an identity back end:</para>
|
|
<programlisting language="ini">[identity]
|
|
#driver = keystone.identity.backends.sql.Identity
|
|
driver = keystone.identity.backends.ldap.Identity</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Create the organizational units (OU) in the LDAP
|
|
directory, and define the corresponding location in
|
|
the <filename>keystone.conf</filename> file:</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_tree_dn = ou=Users,dc=example,dc=org
|
|
user_objectclass = inetOrgPerson
|
|
|
|
group_tree_dn = ou=Groups,dc=example,dc=org
|
|
group_objectclass = groupOfNames</programlisting>
|
|
<note>
|
|
<para>These schema attributes are extensible for
|
|
compatibility with various schemas. For example,
|
|
this entry maps to the
|
|
<systemitem>person</systemitem> attribute in
|
|
Active Directory:</para>
|
|
<programlisting language="ini">user_objectclass = person</programlisting>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>A read-only implementation is recommended for LDAP
|
|
integration. These permissions are applied to object
|
|
types in the <filename>keystone.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_allow_create = False
|
|
user_allow_update = False
|
|
user_allow_delete = False
|
|
|
|
group_allow_create = False
|
|
group_allow_update = False
|
|
group_allow_delete = False</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Restart the OpenStack Identity service:</para>
|
|
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
|
|
<warning><para>During service restart, authentication and
|
|
authorization are unavailable.</para></warning>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>Integrating identity with multiple back ends</title>
|
|
<step>
|
|
<para>Set the following options in the
|
|
<filename>/etc/keystone/keystone.conf</filename> file:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Enable the LDAP driver:</para>
|
|
<programlisting language="ini">[identity]
|
|
#driver = keystone.identity.backends.sql.Identity
|
|
driver = keystone.identity.backends.ldap.Identity</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Enable domain-specific drivers:</para>
|
|
<programlisting language="ini">[identity]
|
|
domain_specific_drivers_enabled = True
|
|
domain_config_dir = /etc/keystone/domains</programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step>
|
|
<para>Restart the service:</para>
|
|
<screen><prompt>#</prompt> service keystone restart</screen>
|
|
</step>
|
|
<step>
|
|
<para>List the domains using the dashboard, or the OpenStackClient
|
|
CLI. Refer to the <link xlink:href="http://docs.openstack.org/developer/python-openstackclient/command-list.html">Command List</link>
|
|
for a list of OpenStackClient commands.</para>
|
|
</step>
|
|
<step>
|
|
<para>Create domains using OpenStack dashboard, or the
|
|
OpenStackClient CLI.</para>
|
|
</step>
|
|
<step>
|
|
<para>For each domain, create a domain-specific configuration
|
|
file in the <filename>/etc/keystone/domains</filename> directory.
|
|
Use the file naming convention <filename>keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>,
|
|
where <replaceable>DOMAIN_NAME</replaceable>
|
|
is the domain name assigned in the previous step.</para>
|
|
<note><para>The options set in the
|
|
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
|
|
file will override options in the <filename>/etc/keystone/keystone.conf</filename>
|
|
file.</para></note>
|
|
</step>
|
|
<step>
|
|
<para>Define the destination LDAP server in the
|
|
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename> file. For example:</para>
|
|
<programlisting language="ini">[ldap]
|
|
url = ldap://localhost
|
|
user = dc=Manager,dc=example,dc=org
|
|
password = samplepassword
|
|
suffix = dc=example,dc=org
|
|
use_dumb_member = False
|
|
allow_subtree_delete = False</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Create the organizational units (OU) in the LDAP
|
|
directories, and define their corresponding locations in
|
|
the <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
|
|
file. For example:</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_tree_dn = ou=Users,dc=example,dc=org
|
|
user_objectclass = inetOrgPerson
|
|
|
|
group_tree_dn = ou=Groups,dc=example,dc=org
|
|
group_objectclass = groupOfNames</programlisting>
|
|
<note>
|
|
<para>These schema attributes are extensible for
|
|
compatibility with various schemas. For example,
|
|
this entry maps to the <systemitem>person</systemitem>
|
|
attribute in Active Directory:</para>
|
|
<programlisting language="ini">user_objectclass = person</programlisting>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>A read-only implementation is recommended for LDAP
|
|
integration. These permissions are applied to object
|
|
types in the <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_allow_create = False
|
|
user_allow_update = False
|
|
user_allow_delete = False
|
|
|
|
group_allow_create = False
|
|
group_allow_update = False
|
|
group_allow_delete = False</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Restart the OpenStack Identity service:</para>
|
|
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
|
|
<warning><para>During service restart, authentication and
|
|
authorization are unavailable.</para></warning>
|
|
</step>
|
|
</procedure>
|
|
<formalpara>
|
|
<title>Additional LDAP integration settings</title>
|
|
<para>Set these options in the
|
|
<filename>/etc/keystone/keystone.conf</filename>
|
|
file for a single LDAP server, or
|
|
<filename>/etc/keystone/domains/keystone.
|
|
<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
|
|
files for multiple back ends.</para>
|
|
</formalpara>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Filters</term>
|
|
<listitem>
|
|
<para>Use filters to control the scope of data
|
|
presented through LDAP.</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
|
|
group_filter = </programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Identity attribute mapping</term>
|
|
<listitem>
|
|
<para>Mask account status values (include any additional
|
|
attribute mappings) for compatibility
|
|
with various directory services. Superfluous
|
|
accounts are filtered with
|
|
<systemitem>user_filter</systemitem>.</para>
|
|
<para>Setting attribute ignore to list of attributes
|
|
stripped off on update.</para>
|
|
<para>For example, you can mask Active Directory
|
|
account status attributes in the
|
|
<filename>keystone.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_id_attribute = cn
|
|
user_name_attribute = sn
|
|
user_mail_attribute = mail
|
|
user_pass_attribute = userPassword
|
|
user_enabled_attribute = userAccountControl
|
|
user_enabled_mask = 2
|
|
user_enabled_invert = false
|
|
user_enabled_default = 51
|
|
user_default_project_id_attribute =
|
|
user_attribute_ignore = default_project_id,tenants
|
|
user_additional_attribute_mapping =
|
|
|
|
group_id_attribute = cn
|
|
group_name_attribute = ou
|
|
group_member_attribute = member
|
|
group_desc_attribute = description
|
|
group_attribute_ignore =
|
|
group_additional_attribute_mapping =</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>Enabled emulation</term>
|
|
<listitem>
|
|
<para>An alternative method to determine if a user is
|
|
enabled or not is by checking if that user is a
|
|
member of the emulation group.</para>
|
|
<para>Use DN of the group entry to hold enabled
|
|
user when using enabled emulation.</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_enabled_emulation = false
|
|
user_enabled_emulation_dn = false</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</section>
|