Reposted from http://wsfdl.com/openstack/2016/01/13/Keystone%E9%9B%86%E6%88%90LDAP.html
Thanks to Keystone's well-designed architecture, each of its services can use a variety of backends. Keystone currently has Identity, Resource, Assignment, Token, Policy, Catalog and other services. In the K (Kilo) release, Identity, Resource and Assignment all support LDAP as a backend, but because some properties of Resource and Assignment are not well supported in LDAP, from the M (Mitaka) release only Identity supports LDAP as a backend. The example in this article likewise stores only Identity data in LDAP; the data of the other services is still stored in SQL.
- Identity: User and Group
- Resource: Project and Domain
- Assignment: Role and Role assignment
The basic configuration is as follows:
- Linux: Ubuntu 14.04 LTS
- OpenStack: Kilo
- LDAP: slapd 2.4.31
The LDAP DN (Distinguished Name) is generated by default from the host's domain name, so the local hosts file is set up as follows:

```
# cat /etc/hosts
10.10.1.100 keystone.com
127.0.0.1   localhost
```
Install LDAP
```sh
sudo apt-get install slapd ldap-utils
```
After the installation is complete, the basic configuration of LDAP is done with the following command, answering the prompts as listed:

```sh
sudo dpkg-reconfigure slapd
```

- Omit OpenLDAP server configuration? No
- DNS domain name? keystone.com
- Organization name? admin
- Administrator password? YourPassword (use the password you configured during installation, or choose another one)
- Database backend to use? HDB
- Remove the database when slapd is purged? No
- Move old database? Yes
- Allow LDAPv2 protocol? No
Configure LDAP
Because the LDAP user attributes differ from Keystone's default user attributes, LDAP needs entries that match the User and Group objects in Keystone. They can be added with the following LDIF file (add_user_group.ldif), which also creates two users, demo and admin. Note that the admin entry created here (cn=admin,ou=users,dc=keystone,dc=com) is a Keystone user and is a different entry from the slapd administrator cn=admin,dc=keystone,dc=com that Keystone itself binds with.

```ldif
# Users
dn: ou=users,dc=keystone,dc=com
ou: users
objectClass: organizationalUnit

# Group
dn: ou=groups,dc=keystone,dc=com
objectClass: organizationalUnit
ou: groups

# demo user
dn: cn=demo,ou=users,dc=keystone,dc=com
cn: demo
displayName: demo
givenName: demo
mail: [email protected]
objectClass: inetOrgPerson
objectClass: top
sn: demo
uid: demo
userPassword: 123456

# admin user
dn: cn=admin,ou=users,dc=keystone,dc=com
cn: admin
displayName: admin
givenName: admin
mail: [email protected]
objectClass: inetOrgPerson
objectClass: top
sn: admin
uid: admin
userPassword: 123456
```
The contents of the above LDIF file are loaded into LDAP with the following command, binding as the slapd administrator (ldapadd prompts for the administrator password):

```sh
ldapadd -x -W -D "cn=admin,dc=keystone,dc=com" -f add_user_group.ldif
```
The Keystone configuration file is as follows:

```ini
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# LDAP server address, and the administrator account and password for tree_dn
url = ldap://keystone.com
query_scope = sub
user = "cn=admin,dc=keystone,dc=com"
password = 123456
tree_dn = "dc=keystone,dc=com"

# The following settings define the attribute mapping between Keystone and LDAP.
user_tree_dn = "ou=users,dc=keystone,dc=com"
user_objectclass = inetOrgPerson
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_pass_attribute = userPassword
user_enabled_attribute = enabled
group_tree_dn = "ou=groups,dc=keystone,dc=com"
group_objectclass = groupOfUniqueNames
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = uniquemember
group_desc_attribute = description
user_allow_create = true
user_allow_update = true
user_allow_delete = true
group_allow_create = true
group_allow_update = true
group_allow_delete = true
```
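The LDIF above and the `[ldap]` mapping have to agree with each other: every entry under `user_tree_dn` must carry `user_objectclass` and the attributes named by the `user_*_attribute` settings, or Keystone's searches will not return it or will return it with fields missing. The following checker, added here as an example and not part of the original post or of Keystone, parses both files and reports mismatches before Keystone is restarted. The LDIF and config text are constructed copies embedded so it runs offline (mail addresses are placeholders); `parse_ldif` is a deliberately minimal reader, not a full LDIF implementation.

```python
import configparser
import textwrap

# Constructed copies of add_user_group.ldif and the [ldap] section from the
# post, embedded so the check runs offline; point open().read() at the real
# files in practice. Mail addresses are placeholders.
SAMPLE_LDIF = textwrap.dedent("""\
    # Users
    dn: ou=users,dc=keystone,dc=com
    ou: users
    objectClass: organizationalUnit

    # Group
    dn: ou=groups,dc=keystone,dc=com
    objectClass: organizationalUnit
    ou: groups

    # demo user
    dn: cn=demo,ou=users,dc=keystone,dc=com
    cn: demo
    mail: demo@example.invalid
    objectClass: inetOrgPerson
    objectClass: top
    sn: demo
    userPassword: 123456

    # admin user
    dn: cn=admin,ou=users,dc=keystone,dc=com
    cn: admin
    mail: admin@example.invalid
    objectClass: inetOrgPerson
    objectClass: top
    sn: admin
    userPassword: 123456
    """)

SAMPLE_CONF = textwrap.dedent("""\
    [ldap]
    user = "cn=admin,dc=keystone,dc=com"
    tree_dn = "dc=keystone,dc=com"
    user_tree_dn = "ou=users,dc=keystone,dc=com"
    user_objectclass = inetOrgPerson
    user_id_attribute = cn
    user_name_attribute = cn
    user_mail_attribute = mail
    user_pass_attribute = userPassword
    user_enabled_attribute = enabled
    group_tree_dn = "ou=groups,dc=keystone,dc=com"
    group_objectclass = groupOfUniqueNames
    group_id_attribute = cn
    group_name_attribute = cn
    group_member_attribute = uniquemember
    group_desc_attribute = description
    """)

# Keystone attribute settings whose target attribute must exist on each entry.
MAPPED = {"user": ("id", "name", "mail", "pass", "enabled"),
          "group": ("id", "name", "member", "desc")}


def parse_ldif(text):
    """Minimal LDIF reader: a list of {attr: [values]} dicts, one per entry.
    Handles comments, blank-line separators and folded continuation lines;
    base64 (::) values are not needed for this file and stay undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def parse_ldap_section(text):
    """Read [ldap]; oslo.config drops the quotes the post puts around DNs."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {k: v.strip('"') for k, v in cp["ldap"].items()}


def check_mapping(ldif_text, conf_text):
    """Return (dn, message) findings for entries under user_tree_dn and
    group_tree_dn that do not satisfy the configured object class and
    attribute mapping, plus userPassword values stored without a hash prefix."""
    conf = parse_ldap_section(conf_text)
    entries = parse_ldif(ldif_text)
    findings = []
    for kind, keys in MAPPED.items():
        tree = conf["%s_tree_dn" % kind].lower()
        if not tree.endswith(conf["tree_dn"].lower()):
            findings.append((tree, "%s_tree_dn lies outside tree_dn" % kind))
        objectclass = conf["%s_objectclass" % kind].lower()
        for entry in entries:
            dn = entry["dn"][0]
            if not dn.lower().endswith("," + tree):
                continue                         # not in this subtree
            classes = [c.lower() for c in entry.get("objectclass", [])]
            if objectclass not in classes:
                findings.append((dn, "lacks objectClass %s, so a search filtered "
                                     "on it will not return this entry" % objectclass))
            for key in keys:
                attr = conf["%s_%s_attribute" % (kind, key)].lower()
                if attr not in entry:
                    findings.append((dn, "missing mapped attribute '%s' (%s_%s_attribute)"
                                     % (attr, kind, key)))
                elif key == "pass" and not entry[attr][0].startswith("{"):
                    findings.append((dn, "'%s' is stored in cleartext (no {SSHA}/{CRYPT} prefix)" % attr))
    return findings
```

Run against the post's files, the checker reports two things for both users: the `enabled` attribute named by `user_enabled_attribute` does not exist on the entries (inetOrgPerson defines no such attribute, so Keystone cannot read an enabled flag from them; Keystone's `user_enabled_emulation` options exist for this situation), and `userPassword` was loaded as the literal `123456` rather than a hashed value, so it is stored in the directory in cleartext.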
Test
After creating a project and a role with the admin_token and giving the demo and admin users a role in that project, those users can obtain a scoped token and access the Keystone API.

```
# openstack user list
+-------+-------+
| ID    | Name  |
+-------+-------+
| demo  | demo  |
| admin | admin |
+-------+-------+
# openstack user show demo
+-----------+-------------------+
| Field     | Value             |
+-----------+-------------------+
| domain_id | default           |
| email     | [email protected] |
| id        | demo              |
| name      | demo              |
+-----------+-------------------+
# openstack user create hello --password 123456
+-----------+---------+
| Field     | Value   |
+-----------+---------+
| domain_id | default |
| enabled   | True    |
| id        | hello   |
| name      | hello   |
+-----------+---------+
# openstack project create test_project
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | cbdf05b17cf54587b3b58a11f49252e7 |
| name        | test_project                     |
+-------------+----------------------------------+
```
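The output above is the `[ldap]` mapping at work: `user_id_attribute = cn` is why the user IDs are `demo` and `admin` rather than UUIDs, and `user create hello` becomes a new entry `cn=hello,ou=users,dc=keystone,dc=com`. The following example, added here and not code from the post or from Keystone, is a simplified model of that translation: it builds the search base, scope and filter the mapping implies for `user list` / `user show`, evaluates them against an in-memory copy of the directory, and models `user create`. The directory contents are constructed (mail addresses are placeholders); the attribute set written on create, including `sn`, is an assumption, and Keystone's handling of the enabled flag is left out.

```python
import configparser
import textwrap

# [ldap] settings from the post's keystone.conf, embedded as constructed
# sample input so the example runs offline.
LDAP_CONF = textwrap.dedent("""\
    [ldap]
    query_scope = sub
    user_tree_dn = "ou=users,dc=keystone,dc=com"
    user_objectclass = inetOrgPerson
    user_id_attribute = cn
    user_name_attribute = cn
    user_mail_attribute = mail
    user_pass_attribute = userPassword
    user_allow_create = true
    """)

# Constructed picture of the directory after add_user_group.ldif was loaded:
# dn -> {attribute: [values]}; attribute names are lowercased because LDAP
# attribute types are case-insensitive. Mail addresses are placeholders.
DIRECTORY = {
    "ou=users,dc=keystone,dc=com": {"objectclass": ["organizationalUnit"], "ou": ["users"]},
    "cn=demo,ou=users,dc=keystone,dc=com": {
        "objectclass": ["inetOrgPerson", "top"], "cn": ["demo"], "sn": ["demo"],
        "mail": ["demo@example.invalid"], "userpassword": ["123456"]},
    "cn=admin,ou=users,dc=keystone,dc=com": {
        "objectclass": ["inetOrgPerson", "top"], "cn": ["admin"], "sn": ["admin"],
        "mail": ["admin@example.invalid"], "userpassword": ["123456"]},
}


def read_ldap_conf(text):
    """Read [ldap]; oslo.config drops the quotes the post puts around DNs."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {k: v.strip('"') for k, v in cp["ldap"].items()}


def escape_filter_value(value):
    """RFC 4515 escaping, so a name like 'demo)(cn=*' is matched literally
    instead of being parsed as additional filter terms."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514 escaping for the RDN value of a new user's DN."""
    escaped = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + escaped if escaped[:1] in ("#", " ") else escaped


def user_search(conf, name=None):
    """(base, scope, filter) the mapping yields for 'openstack user list'
    (name=None) or 'openstack user show NAME'."""
    flt = "(objectClass=%s)" % conf["user_objectclass"]
    if name is not None:
        flt = "(&%s(%s=%s))" % (flt, conf["user_name_attribute"],
                                 escape_filter_value(name))
    return conf["user_tree_dn"], conf["query_scope"], flt


def to_keystone_user(conf, entry):
    """Apply the user_*_attribute mapping to one entry: the fields that
    'openstack user show' prints (enabled handling left out)."""
    def first(key):
        values = entry.get(conf["user_%s_attribute" % key].lower())
        return values[0] if values else None
    user = {"domain_id": "default", "id": first("id"), "name": first("name")}
    if first("mail") is not None:
        user["email"] = first("mail")
    return user


def find_users(directory, conf, name=None):
    """Evaluate the search from user_search() against the in-memory directory,
    applying the same scope, objectClass and name terms structurally."""
    base, scope, _ = user_search(conf, name)
    wanted_class = conf["user_objectclass"].lower()
    name_attr = conf["user_name_attribute"].lower()
    found = []
    for dn, entry in directory.items():
        below = dn.lower().endswith("," + base.lower())
        direct = below and "," not in dn[: -len(base) - 1]
        if not (direct if scope == "one" else below):
            continue                      # outside the search scope
        if wanted_class not in [c.lower() for c in entry.get("objectclass", [])]:
            continue                      # objectClass term of the filter
        if name is not None and name.lower() not in [v.lower() for v in entry.get(name_attr, [])]:
            continue                      # name term of the filter
        found.append(to_keystone_user(conf, entry))
    return found


def create_user(directory, conf, name, password):
    """Model 'openstack user create NAME --password PW' with
    user_allow_create = true: the RDN is the id attribute. Writing sn is an
    assumption (inetOrgPerson requires it), not something the post shows."""
    if conf.get("user_allow_create", "false").lower() != "true":
        raise PermissionError("user_allow_create is not enabled")
    dn = "%s=%s,%s" % (conf["user_id_attribute"], escape_dn_value(name),
                       conf["user_tree_dn"])
    if dn in directory:
        raise ValueError("user %r already exists" % name)
    directory[dn] = {"objectclass": [conf["user_objectclass"]], "sn": [name],
                     conf["user_id_attribute"].lower(): [name],
                     conf["user_name_attribute"].lower(): [name],
                     conf["user_pass_attribute"].lower(): [password]}
    return to_keystone_user(conf, directory[dn])
```

`find_users(DIRECTORY, read_ldap_conf(LDAP_CONF))` returns the two rows of `openstack user list`, and with `name="demo"` the fields of `user show demo`. The two escaping helpers are the part worth keeping in mind when a user-supplied name ends up in a filter or a DN: without them, a name containing `)` or `,` changes the structure of the query or of the entry being written instead of being treated as data.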
Keystone Integrated LDAP