openstack-manuals/doc/common/section_keystone_config_ldap-assignments.xml
Rico Lin 7bdc679023 Improvement for Integrate Identity with LDAP
This fix improves the Integrate Identity with LDAP section in OpenStack Cloud
Administrator Guide - current. Update more additional configuration attributes
that can be used. Separate basic LDAP configuration, Identity backend
configuration and Assignment backend configuration into three different
categories. Categorize configuration options by its character.

Change-Id: I5640e9690aed962210582684e85d4e172bd265ff
Closes-bug: #1368082
2015-03-03 19:50:41 +01:00


<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="configuring-keystone-for-ldap-backend-assignments">
<title>Integrate assignment back end with LDAP</title>
<para>When you configure the OpenStack Identity service to use LDAP
servers, you can split authentication and authorization using the
<emphasis>assignment</emphasis> feature. Integrating the
assignment back end with LDAP allows administrators to use
projects (tenants), roles, domains, and role assignments
in LDAP.</para>
<note>
<para>Using LDAP as an assignment back end is not recommended.</para>
</note>
<note>
<para>The OpenStack Identity service does not support domain-specific
assignment back ends.</para>
</note>
<important>
<para>For OpenStack Identity assignments to access LDAP servers, you
must define the destination LDAP server in
the <filename>keystone.conf</filename> file. For more information,
see <xref linkend="configuring-keystone-for-ldap-backend"/>.</para>
</important>
<procedure>
<title>Integrating assignment back ends with LDAP</title>
<step>
<para>Enable the assignment driver. In the
<literal>[assignment]</literal> section, set the
<literal>driver</literal> configuration key to
<literal>keystone.assignment.backends.ldap.Assignment</literal>:</para>
<programlisting language="ini">[assignment]
#driver = keystone.assignment.backends.sql.Assignment
driver = keystone.assignment.backends.ldap.Assignment</programlisting>
</step>
<step>
<para>Create the organizational units (OU) in the LDAP
directory, and define their corresponding location in
the <filename>keystone.conf</filename> file:</para>
<programlisting language="ini">[ldap]
role_tree_dn =
role_objectclass = inetOrgPerson
project_tree_dn = ou=Groups,dc=example,dc=org
project_objectclass = groupOfNames</programlisting>
<note>
<para>These schema attributes are extensible for
compatibility with various schemas. For example,
this entry maps to the
<systemitem>groupOfNames</systemitem> object class in
Active Directory:</para>
<programlisting language="ini">project_objectclass = groupOfNames</programlisting>
</note>
</step>
<step>
<para>A read-only implementation is recommended for LDAP
integration. These permissions are applied to object
types in the <filename>keystone.conf</filename>
file:</para>
<programlisting language="ini">[ldap]
role_allow_create = False
role_allow_update = False
role_allow_delete = False
project_allow_create = False
project_allow_update = False
project_allow_delete = False</programlisting>
</step>
<step>
<para>Restart the OpenStack Identity service:</para>
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
<warning><para>During service restart, authentication and
authorization are unavailable.</para></warning>
</step>
</procedure>
<formalpara>
<title>Additional LDAP integration settings</title>
<para>Set these options in the
<filename>/etc/keystone/keystone.conf</filename>
file for a single LDAP server, or
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
files for multiple back ends.</para>
</formalpara>
<variablelist>
<varlistentry>
<term>Filters</term>
<listitem>
<para>Use filters to control the scope of data
presented through LDAP.</para>
<programlisting language="ini">[ldap]
project_filter = (member=cn=openstack-user,ou=workgroups,dc=example,dc=org)
role_filter = </programlisting>
<warning><para>Filtering method</para></warning>
</listitem>
</varlistentry>
<varlistentry>
<term>Assignment attribute mapping</term>
<listitem>
<para>Mask account status values (include any additional
attribute mappings) for compatibility with various
directory services. Superfluous accounts are filtered with
<systemitem>user_filter</systemitem>.</para>
<para>Set the attribute ignore options to a list of attributes
that are stripped off on update.</para>
<programlisting language="ini">[ldap]
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_additional_attribute_mapping =
role_attribute_ignore =
project_id_attribute = cn
project_name_attribute = ou
project_member_attribute = member
project_desc_attribute = description
project_enabled_attribute = enabled
project_domain_id_attribute = businessCategory
project_additional_attribute_mapping =
project_attribute_ignore =</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Enabled emulation</term>
<listitem>
<para>An alternative method to determine if a project is
enabled or not is to check if that project is a
member of the emulation group.</para>
<para>Use the DN of the group entry that holds enabled
projects when using enabled emulation.</para>
<programlisting language="ini">[ldap]
project_enabled_emulation = false
project_enabled_emulation_dn = false</programlisting>
</listitem>
</varlistentry>
</variablelist>
</section>
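The read-only recommendation and the filter options above can be checked mechanically before the service is restarted. The following is an added example, not part of the OpenStack manual or of keystone: the function name `audit_assignment` and the sample configuration are constructed for illustration, and the option names and driver path are the ones shown in this section.

```python
import configparser

# Assumption: driver path and option names are the ones shown in this section.
LDAP_DRIVER = "keystone.assignment.backends.ldap.Assignment"
WRITE_FLAGS = [f"{obj}_allow_{op}" for obj in ("role", "project")
               for op in ("create", "update", "delete")]

# Constructed sample: one write flag left on, one flag missing, no filters.
SAMPLE_CONF = """\
[assignment]
#driver = keystone.assignment.backends.sql.Assignment
driver = keystone.assignment.backends.ldap.Assignment

[ldap]
project_tree_dn = ou=Groups,dc=example,dc=org
project_filter =
role_allow_create = False
role_allow_update = False
role_allow_delete = False
project_allow_create = False
project_allow_update = True
"""


def audit_assignment(conf_text):
    """Return a list of findings for an LDAP assignment back end."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    if cfg.get("assignment", "driver", fallback="") != LDAP_DRIVER:
        return []  # assignments are not served from LDAP; nothing to check
    findings = []
    for flag in WRITE_FLAGS:
        try:
            if not cfg.has_option("ldap", flag):
                # Assumption: unset flags are reported, not trusted to default safely.
                findings.append(f"{flag}: not set explicitly")
            elif cfg.getboolean("ldap", flag):
                findings.append(f"{flag}: writes enabled")
        except ValueError:
            findings.append(f"{flag}: not a boolean")
    for obj in ("project", "role"):
        if not cfg.get("ldap", f"{obj}_filter", fallback="").strip():
            findings.append(f"{obj}_filter: empty, scope not restricted")
    return findings


if __name__ == "__main__":
    for finding in audit_assignment(SAMPLE_CONF):
        print(finding)
```

An empty result means the LDAP assignment back end is explicitly read-only and both filters are set; the empty-filter findings are informational, since an unfiltered tree may be intended.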