From 7bdc67902396596734d7c06fb675f5bb3ff6c4c5 Mon Sep 17 00:00:00 2001
From: Rico Lin
Date: Thu, 12 Feb 2015 17:22:45 +0800
Subject: [PATCH] Improvement for Integrate Identity with LDAP

This fix imporve Integrate Identity with LDAP section in OpenStack Cloud Administrator Guide - current. Update more additionnal configuration attributes that can be used. Seprate basic LDAP configuration, Identity backend configuration and Assignment backend configuration into three different categories. Categorize configuration options by it's character.

Change-Id: I5640e9690aed962210582684e85d4e172bd265ff
Closes-bug: #1368082
---
 ...ction_keystone_config_ldap-assignments.xml | 182 ++++++++----
 .../section_keystone_config_ldap-identity.xml | 232 +++++++++++++++
 doc/common/section_keystone_config_ldap.xml | 277 ++++++------
 3 files changed, 455 insertions(+), 236 deletions(-)
 create mode 100644 doc/common/section_keystone_config_ldap-identity.xml

diff --git a/doc/common/section_keystone_config_ldap-assignments.xml b/doc/common/section_keystone_config_ldap-assignments.xml
index 2ae7ff575e..89e7f51a28 100644
--- a/doc/common/section_keystone_config_ldap-assignments.xml
+++ b/doc/common/section_keystone_config_ldap-assignments.xml
@@ -4,57 +4,137 @@ xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="configuring-keystone-for-ldap-backend-assignments"> -Separate role authorization and user authentication - When you configure the Identity service to use LDAP back - ends, you can split authentication and authorization using the - Assignments feature. - The Assignments feature enables administrators to manage - project role authorization using the Identity service SQL - database, while still providing user authentication through the - LDAP directory. - To configure this: + Integrate assignment back end with LDAP + When you configure the OpenStack Identity service to use LDAP + servers, you can split authentication and authorization using the + assignment feature. Integrating the + assignment back end with LDAP allows administrators to use + projects (tenant), roles, domains, and role assignments + in LDAP. + + Using LDAP as an assignment back end is not recommended. + + + The OpenStack Identity service does not support domain-specific + assignment back ends. + + + For OpenStack Identity assignments to access LDAP servers, you + must define the destination LDAP server in + the keystone.conf file. For more information, + see . + - Separating role authorization and user authentication - through Assignments - Modify the /etc/keystone/keystone.conf - configuration file for a single LDAP server, or - etc/domains/keystone.DOMAIN_NAME.conf - files for multiple LDAP back ends, performing the following actions: - - Configure the Identity service to authenticate users - through the LDAP driver. In the [identity] section, set - the driver configuration key to - keystone.identity.backends.ldap.Identity: - - [identity] -driver = keystone.identity.backends.ldap.Identity - - Enable the Assignment driver. 
In the - [assignment] section, set the driver - configuration key to keystone.assignment.backends.sql.Assignment: - - [assignment] -driver = keystone.assignment.backends.sql.Assignment - + Integrating assignment back ends with LDAP + + Enable the assignment driver. In the + [assignment] section, set the + driver configuration key to + keystone.assignment.backends.sql.Assignment: + [assignment] +#driver = keystone.assignment.backends.sql.Assignment +driver = keystone.assignment.backends.ldap.Assignment + + + Create the organizational units (OU) in the LDAP + directory, and define their corresponding location in + the keystone.conf file: + [ldap] +role_tree_dn = +role_objectclass = inetOrgPerson + +project_tree_dn = ou=Groups,dc=example,dc=org +project_objectclass = groupOfNames + + These schema attributes are extensible for + compatibility with various schemas. For example, + this entry maps to the + groupOfNames attribute in + Active Directory: + project_objectclass = groupOfNames + + + + A read-only implementation is recommended for LDAP + integration. These permissions are applied to object + types in the keystone.conf + file: + [ldap] +role_allow_create = False +role_allow_update = False +role_allow_delete = False + +project_allow_create = False +project_allow_update = False +project_allow_delete = False + + + Restart the OpenStack Identity service: + # service keystone restart + During service restart, authentication and + authorization are unavailable. + - On - distributions that include - openstack-config, you can - configure both drivers by running the following commands. 
- - - For a single LDAP server: - # openstack-config --set /etc/keystone/keystone.conf \ -identity driver keystone.identity.backends.ldap.Identity -# openstack-config --set /etc/keystone/keystone.conf \ -assignment driver keystone.assignment.backends.sql.Assignment - - - For multiple LDAP back ends: -# openstack-config --set /etc/keystone/keystone.conf \ - identity driver keystone.identity.backends.ldap.Identity - # openstack-config --set etc/domains/keystone.DOMAIN_NAME.conf \ - assignment driver keystone.assignment.backends.sql.Assignment - - + + Additional LDAP integration settings + Set these options in the + /etc/keystone/keystone.conf + file for a single LDAP server, or + /etc/keystone/domains/keystone. + DOMAIN_NAME.conf + files for multiple back ends. + + + + Filters + + Use filters to control the scope of data + presented through LDAP. + [ldap] +project_filter = (member=cn=openstack-user,ou=workgroups,dc=example,dc=org) +role_filter = + Filtering method + + + + Assignment attribute mapping + + Mask account status values (include any additional + attribute mappings) for compatibility with various + directory services. Superfluous accounts are filtered with + user_filter. + Setting attribute ignore to list of attributes + stripped off on update. + [ldap] +role_id_attribute = cn +role_name_attribute = ou +role_member_attribute = roleOccupant +role_additional_attribute_mapping = +role_attribute_ignore = + +project_id_attribute = cn +project_name_attribute = ou +project_member_attribute = member +project_desc_attribute = description +project_enabled_attribute = enabled +project_domain_id_attribute = businessCategory +project_additional_attribute_mapping = +project_attribute_ignore = + + + + Enabled emulation + + An alternative method to determine if a project is + enabled or not is to check if that project is a + member of the emulation group. + Use DN of the group entry to hold enabled + projects when using enabled emulation. 
+ [ldap]
+project_enabled_emulation = false
+project_enabled_emulation_dn = false
+
+
+
+
diff --git a/doc/common/section_keystone_config_ldap-identity.xml b/doc/common/section_keystone_config_ldap-identity.xml
new file mode 100644
index 0000000000..1ab441df96
--- /dev/null
+++ b/doc/common/section_keystone_config_ldap-identity.xml
@@ -0,0 +1,232 @@
+
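Review bot: The first step of "Integrating assignment back ends with LDAP" tells the reader to set `driver` to `keystone.assignment.backends.sql.Assignment`, but the listing beneath it comments that value out and activates `driver = keystone.assignment.backends.ldap.Assignment`, so the prose and the example contradict each other and the example also contradicts the note two paragraphs earlier that LDAP as an assignment back end is not recommended; either the sentence should name the ldap driver or the listing should keep the sql driver active. In the OU listing, `role_tree_dn =` is left empty and `role_objectclass = inetOrgPerson` replaces the `ou=Roles,dc=example,dc=org` / `organizationalRole` pair that this same patch removes from section_keystone_config_ldap.xml, although inetOrgPerson describes a person entry rather than a role. The enabled-emulation listing ends with `project_enabled_emulation_dn = false` although the sentence above says the option holds the DN of a group entry; a DN placeholder such as `project_enabled_emulation_dn = cn=enabled_projects,ou=Groups,dc=example,dc=org` (constructed example) shows the intended shape, and the new identity file in the next hunk has the same `user_enabled_emulation_dn = false`. The text `Filtering method` after the filters listing reads as a leftover fragment.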
+ + Integrate identity back end with LDAP + The identity back end contains information for users, groups, and + group member lists. Integrating the identity back end with LDAP allows + administrators to use users and groups in LDAP. + + For OpenStack Identity Service to access LDAP servers, you must + define the destination LDAP server in the + keystone.conf file. For more information, see + . + + + Integrating an identity back end with LDAP + + Enable the LDAP identity driver in the + keystone.conf file. This allows LDAP as + an identity back end: + [identity] +#driver = keystone.identity.backends.sql.Identity +driver = keystone.identity.backends.ldap.Identity + + + Create the organizational units (OU) in the LDAP + directory, and define the corresponding location in + the keystone.conf file: + [ldap] +user_tree_dn = ou=Users,dc=example,dc=org +user_objectclass = inetOrgPerson + +group_tree_dn = ou=Groups,dc=example,dc=org +group_objectclass = groupOfNames + + These schema attributes are extensible for + compatibility with various schemas. For example, + this entry maps to the + person attribute in + Active Directory: + user_objectclass = person + + + + A read-only implementation is recommended for LDAP + integration. These permissions are applied to object + types in the keystone.conf + file: + [ldap] +user_allow_create = False +user_allow_update = False +user_allow_delete = False + +group_allow_create = False +group_allow_update = False +group_allow_delete = False + + + Restart the OpenStack Identity service: + # service keystone restart + During service restart, authentication and + authorization are unavailable. 
+ + + + Integrating identity with multiple back ends + + Set the following options in the + /etc/keystone/keystone.conf file: + + + Enable the LDAP driver: + [identity] +#driver = keystone.identity.backends.sql.Identity +driver = keystone.identity.backends.ldap.Identity + + + Enable domain-specific drivers: + [identity] +domain_specific_drivers_enabled = True +domain_config_dir = /etc/keystone/domains + + + + + Restart the service: + # service keystone restart + + + List the domains using the dashboard, or the OpenStackClient + CLI. Refer to the Command List + for a list of OpenStackClient commands. + + + Create domains using OpenStack dashboard, or the + OpenStackClient CLI. + + + For each domain, create a domain-specific configuration + file in the /etc/keystone/domains directory. + Use the file naming convention keystone.DOMAIN_NAME.conf, + where DOMAIN_NAME + is the domain name assigned in the previous step. + The options set in the + /etc/keystone/domains/keystone.DOMAIN_NAME.conf + file will override options in the /etc/keystone/keystone.conf + file. + + + Define the destination LDAP server in the + /etc/keystone/domains/keystone.DOMAIN_NAME.conf file. For example: + [ldap] +url = ldap://localhost +user = dc=Manager,dc=example,dc=org +password = samplepassword +suffix = dc=example,dc=org +use_dumb_member = False +allow_subtree_delete = False + + + Create the organizational units (OU) in the LDAP + directories, and define their corresponding locations in + the /etc/keystone/domains/keystone.DOMAIN_NAME.conf + file. For example: + [ldap] +user_tree_dn = ou=Users,dc=example,dc=org +user_objectclass = inetOrgPerson + +group_tree_dn = ou=Groups,dc=example,dc=org +group_objectclass = groupOfNames + + These schema attributes are extensible for + compatibility with various schemas. For example, + this entry maps to the person + attribute in Active Directory: + user_objectclass = person + + + + A read-only implementation is recommended for LDAP + integration. 
These permissions are applied to object + types in the /etc/keystone/domains/keystone.DOMAIN_NAME.conf + file: + [ldap] +user_allow_create = False +user_allow_update = False +user_allow_delete = False + +group_allow_create = False +group_allow_update = False +group_allow_delete = False + + + Restart the OpenStack Identity service: + # service keystone restart + During service restart, authentication and + authorization are unavailable. + + + + Additional LDAP integration settings + Set these options in the + /etc/keystone/keystone.conf + file for a single LDAP server, or + /etc/keystone/domains/keystone. + DOMAIN_NAME.conf + files for multiple back ends. + + + + Filters + + Use filters to control the scope of data + presented through LDAP. + [ldap] +user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org) +group_filter = + + + + Identity attribute mapping + + Mask account status values (include any additional + attribute mappings) for compatibility + with various directory services. Superfluous + accounts are filtered with + user_filter. + Setting attribute ignore to list of attributes + stripped off on update. + For example, you can mask Active Directory + account status attributes in the + keystone.conf + file: + [ldap] +user_id_attribute = cn +user_name_attribute = sn +user_mail_attribute = mail +user_pass_attribute = userPassword +user_enabled_attribute = userAccountControl +user_enabled_mask = 2 +user_enabled_invert = false +user_enabled_default = 51 +user_default_project_id_attribute = +user_attribute_ignore = default_project_id,tenants +user_additional_attribute_mapping = + +group_id_attribute = cn +group_name_attribute = ou +group_member_attribute = member +group_desc_attribute = description +group_attribute_ignore = +group_additional_attribute_mapping = + + + + Enabled emulation + + An alternative method to determine if a user is + enabled or not is by checking if that user is a + member of the emulation group. 
+ Use DN of the group entry to hold enabled + user when using enabled emulation. + [ldap] +user_enabled_emulation = false +user_enabled_emulation_dn = false + + + +
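Review bot: The identity attribute-mapping example sets `user_enabled_default = 51`, while the Active Directory example it replaces (the removed `user_enabled_default = 512` in the section_keystone_config_ldap.xml hunk of this patch) used 512, the userAccountControl value of a normal enabled account; `51` looks like a dropped digit and should read `user_enabled_default = 512`. The multi-back-end procedure places the bind credential in clear text (`password = samplepassword`) in `/etc/keystone/domains/keystone.DOMAIN_NAME.conf` and points at `url = ldap://localhost` without comment; one sentence should say that these files must be readable only by the Identity service account and that, for a remote server, the bind password crosses the network unencrypted unless an ldaps:// URL or `use_tls` is configured. In "Identity attribute mapping" the sentence `Setting attribute ignore to list of attributes stripped off on update.` is ungrammatical; `The user_attribute_ignore and group_attribute_ignore options list attributes that are stripped from the entry on update.` says the same thing clearly.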
diff --git a/doc/common/section_keystone_config_ldap.xml b/doc/common/section_keystone_config_ldap.xml
index b4858192c6..9e6a84cc45 100644
--- a/doc/common/section_keystone_config_ldap.xml
+++ b/doc/common/section_keystone_config_ldap.xml
@@ -5,189 +5,59 @@ version="5.0" xml:id="configuring-keystone-for-ldap-backend"> Integrate Identity with LDAP - Identity Service supports integration with existing LDAP - directories for authentication and authorization + The Openstack Identity Service supports integration with + existing LDAP directories for authentication and authorization services. + When the Openstack Identity service is configured to use LDAP + back ends, you can split authentication (using the + identity feature) and + authorization (using the + assignment feature). + The identity feature enables administrators to manage + users and groups by each domain or the Openstack Identity Service entirely. + The Assignments feature enables administrators to manage + project role authorization using the Openstack Identity service SQL + database, while providing user authentication through the + LDAP directory. - For OpenStack Identity to access LDAP servers, you must + For OpenStack Identity service to access LDAP servers, you must enable the boolean - value for SELinux on the Identity server. To enable and + value for SELinux on the Openstack Identity server. To enable and make the option persistent across reboots: # setsebool -P authlogin_nsswitch_use_ldap + Identity configuration is split into two separate back ends: identity + (back end for users and groups) and assignments (back end for domains, + projects, roles, role assignments). To configure identity, set options in the + /etc/keystone/keystone.conf file. + See + for identity back end configuration examples and + + for assignment back end configuration examples. + Modify these examples as needed. - You can integrate Identity with a single LDAP - server, or multiple back ends using domain-specific configuration files. + Multiple back ends are supported. 
You can integrate the Openstack Identity service + with a single LDAP server (configure both identity and assignments to + LDAP, or set identity and assignments back end with SQL or LDAP), + or multiple back ends using domain-specific configuration files. - - To integrate Identity with a LDAP server - - Enable the LDAP driver in the - /etc/keystone/keystone.conf file: - [identity] -#driver = keystone.identity.backends.sql.Identity -driver = keystone.identity.backends.ldap.Identity - - - Define the destination LDAP server in the - /etc/keystone/keystone.conf file: - [ldap] -url = ldap://localhost -user = dc=Manager,dc=example,dc=org -password = samplepassword -suffix = dc=example,dc=org -use_dumb_member = False -allow_subtree_delete = False - - - Create the organizational units (OU) in the LDAP - directory, and define their corresponding location in - the keystone.conf file: - [ldap] -user_tree_dn = ou=Users,dc=example,dc=org -user_objectclass = inetOrgPerson - -tenant_tree_dn = ou=Groups,dc=example,dc=org -tenant_objectclass = groupOfNames - -role_tree_dn = ou=Roles,dc=example,dc=org -role_objectclass = organizationalRole - - These schema attributes are extensible for - compatibility with various schemas. For example, - this entry maps to the - person attribute in - Active Directory: - user_objectclass = person - - - - A read-only implementation is recommended for LDAP - integration. These permissions are applied to object - types in the keystone.conf - file: - [ldap] -user_allow_create = False -user_allow_update = False -user_allow_delete = False - -tenant_allow_create = False -tenant_allow_update = False -tenant_allow_delete = False - -role_allow_create = False -role_allow_update = False -role_allow_delete = False - - - Restart the Identity service: - # service keystone restart - During service restart, authentication and - authorization are unavailable. 
- - - - To integrate Identity with multiple back ends - - Set the following options in the - /etc/keystone/keystone.conf file: - - - Enable the LDAP driver: - [identity] -#driver = keystone.identity.backends.sql.Identity -driver = keystone.identity.backends.ldap.Identity - - - Enable domain-specific drivers: - [identity] -domain_specific_drivers_enabled = True -domain_config_dir = /etc/keystone/domains - - - - - Restart the service: - # service keystone restart - - - List the domains using the dashboard, or the OpenStackClient - CLI. Refer to the Command List - for a list of OpenStackClient commands. - - - Create domains using OpenStack dashboard, or the - OpenStackClient CLI. - - - For each domain, create a domain-specific configuration - file in the /etc/keystone/domains directory. - Use the file naming convention keystone.DOMAIN_NAME.conf, - where DOMAIN_NAME - is the domain name assigned in the previous step. - The options set in the - /etc/keystone/domains/keystone.DOMAIN_NAME.conf - file will override options in the /etc/keystone/keystone.conf - file. - - + + To define the destination LDAP server Define the destination LDAP server in the - /etc/keystone/domains/keystone.DOMAIN_NAME.conf file. For example: - [ldap] + keystone.conf file: + + [ldap] url = ldap://localhost user = dc=Manager,dc=example,dc=org password = samplepassword suffix = dc=example,dc=org use_dumb_member = False allow_subtree_delete = False - - - Create the organizational units (OU) in the LDAP - directory, and define their corresponding location in - the /etc/keystone/domains/keystone.DOMAIN_NAME.conf - file. For example: + + Configure if you set to true. [ldap] -user_tree_dn = ou=Users,dc=example,dc=org -user_objectclass = inetOrgPerson - -tenant_tree_dn = ou=Groups,dc=example,dc=org -tenant_objectclass = groupOfNames - -role_tree_dn = ou=Roles,dc=example,dc=org -role_objectclass = organizationalRole - - These schema attributes are extensible for - compatibility with various schemas. 
For example, - this entry maps to the person - attribute in Active Directory: - user_objectclass = person - - - - A read-only implementation is recommended for LDAP - integration. These permissions are applied to object - types in the /etc/keystone/domains/keystone.DOMAIN_NAME.conf - file: - [ldap] -user_allow_create = False -user_allow_update = False -user_allow_delete = False - -tenant_allow_create = False -tenant_allow_update = False -tenant_allow_delete = False - -role_allow_create = False -role_allow_update = False -role_allow_delete = False - - - Restart the Identity service: - # service keystone restart - During service restart, authentication and - authorization are unavailable. - - +dumb_member = cn=dumb,dc=nonexistent + Additional LDAP integration settings Set these options in the 
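Review bot: The new "To define the destination LDAP server" procedure is now the single place every LDAP reader passes through, yet its `[ldap]` listing keeps `password = samplepassword` and `url = ldap://localhost` with no guidance; it should state that the bind password is stored in clear text, that `/etc/keystone/keystone.conf` (or the domain-specific file) must be readable only by the Identity service account, and that a plain ldap:// URL to a remote server sends that password unencrypted unless ldaps:// or `use_tls` is used. The dumb-member step reads `Configure if you set to true.` as rendered here, which may be a tag-stripping artefact of this view; please check that the source sentence names both options, e.g. `Configure dumb_member if you set use_dumb_member to true.`, since the listing `dumb_member = cn=dumb,dc=nonexistent` is otherwise unexplained. The added prose alternates between `Openstack` and `OpenStack` (for example `The Openstack Identity Service supports` versus `For OpenStack Identity service to access`), and the same `Openstack` spelling recurs in the closing paragraph of the next hunk; the project name is spelled OpenStack elsewhere in the guide.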
@@ -197,34 +67,71 @@ role_allow_delete = False - Filters + Query option - Use filters to control the scope of data - presented through LDAP. + Use + to control the scope level of data + presented (search only the first level or search an entire + sub-tree) through LDAP. + Use to control the maximum + results per page. A value of zero disables paging. + Use to control + the LDAP dereferencing option for queries. + Use to override the + system's default referral chasing behavior for queries. [ldap] -user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org) -tenant_filter = -role_filter = +query_scope = sub +page_size = 0 +alias_dereferencing = default +chase_referrals = - LDAP Account Status + Debug - Mask account status values for compatibility - with various directory services. Superfluous - accounts are filtered with - user_filter. - For example, you can mask Active Directory - account status attributes in the - keystone.conf - file: + Use to set + the LDAP debugging level for LDAP calls. A value of zero means that + debugging is not enabled. [ldap] -user_enabled_attribute = userAccountControl -user_enabled_mask = 2 -user_enabled_default = 512 +debug_level = 0 + This value is a bitmask, consult your LDAP + documentation for possible values. + + + + Connection pooling + + Use to enable LDAP connection + pooling. Configure connection pool size, maximum retry, + reconnect trials, timeout (-1 indicates indefinite + wait) and lifetime in seconds. + [ldap] +use_pool = true +pool_size = 10 +pool_retry_max = 3 +pool_retry_delay = 0.1 +pool_connection_timeout = -1 +pool_connection_lifetime = 600 + + + + Connection pooling for end user authentication + + Use to enable LDAP + connection pooling for end user authentication. + Configure connection pool size and lifetime in seconds. 
+ [ldap] +use_auth_pool = false +auth_pool_size = 100 +auth_pool_connection_lifetime = 60 + When you have finished configuration, restart the Openstack Identity service: + # service keystone restart + During service restart, authentication and + authorization are unavailable. +
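Review bot: The connection-pooling example sets `pool_connection_timeout = -1` and the paragraph explains -1 only as "indefinite wait", without saying what that means operationally: a request that waits indefinitely on an unresponsive LDAP server blocks the authentication path, so the text should recommend a finite timeout in production and show a positive number of seconds in the example instead of `-1`. The "Debug" paragraph should add that `debug_level` should be raised above 0 only temporarily and on a non-production deployment, since the library's debug output is verbose and presumably ends up in the service logs (confirm where python-ldap writes it before stating that). The closing sentence `When you have finished configuration, restart the Openstack Identity service:` duplicates the restart steps already in the identity and assignment files, so it is worth saying explicitly that one restart after all three files are edited is sufficient.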