Integrate Identity with LDAP

The OpenStack Identity service supports integration with existing LDAP directories for authentication and authorization services.

When the OpenStack Identity service is configured to use LDAP back ends, you can split authentication (using the identity feature) and authorization (using the assignment feature).

The identity feature enables administrators to manage users and groups per domain or for the OpenStack Identity service as a whole.

The assignment feature enables administrators to manage project role authorization using the OpenStack Identity service SQL database, while providing user authentication through the LDAP directory.

For the OpenStack Identity service to access LDAP servers, you must enable the authlogin_nsswitch_use_ldap SELinux boolean on the server running the OpenStack Identity service. To enable it and make the setting persistent across reboots:

# setsebool -P authlogin_nsswitch_use_ldap on

Identity configuration is split into two separate back ends: identity (the back end for users and groups) and assignments (the back end for domains, projects, roles, and role assignments). To configure identity, set options in the /etc/keystone/keystone.conf file. See the identity back end configuration examples and the assignment back end configuration examples, and modify them as needed.

Multiple back ends are supported. You can integrate the OpenStack Identity service with a single LDAP server (configure both identity and assignments to use LDAP, or set each of the identity and assignments back ends to either SQL or LDAP), or with multiple back ends using domain-specific configuration files.

To define the destination LDAP server

1. Define the destination LDAP server in the keystone.conf file:

[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False

2. Configure the dumb_member option if you set use_dumb_member to true:

[ldap]
dumb_member = cn=dumb,dc=nonexistent

Additional LDAP integration settings

Set these options in the /etc/keystone/keystone.conf file for a single LDAP server, or in the /etc/keystone/domains/keystone.DOMAIN_NAME.conf files for multiple back ends.

Query options

Use query_scope to control the scope level of data presented through LDAP (search only the first level or search an entire sub-tree).

Use page_size to control the maximum results per page. A value of zero disables paging.

Use alias_dereferencing to control the LDAP dereferencing option for queries.

Use chase_referrals to override the system's default referral chasing behavior for queries.

[ldap]
query_scope = sub
page_size = 0
alias_dereferencing = default
chase_referrals =

Debug

Use debug_level to set the LDAP debugging level for LDAP calls. A value of zero means that debugging is not enabled.

[ldap]
debug_level = 0

This value is a bitmask; consult your LDAP documentation for possible values.

Connection pooling

Use use_pool to enable LDAP connection pooling. Configure the connection pool size, maximum retries, retry delay, connection timeout (-1 indicates an indefinite wait), and connection lifetime in seconds.

[ldap]
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600

Connection pooling for end user authentication

Use use_auth_pool to enable LDAP connection pooling for end user authentication. Configure the connection pool size and connection lifetime in seconds.

[ldap]
use_auth_pool = false
auth_pool_size = 100
auth_pool_connection_lifetime = 60

When you have finished the configuration, restart the OpenStack Identity service:

# service keystone restart

During service restart, authentication and authorization are unavailable.
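Before the restart, it is worth checking that the [ldap] section is internally consistent. The following lint is an added example, not part of the OpenStack documentation or of keystone itself: it reads a keystone.conf with Python's configparser and enforces the constraints stated above (dumb_member is required when use_dumb_member is true, page_size is zero or positive, query_scope is one level or the sub-tree, the pool timeout is -1 or positive) and flags a plain ldap:// URL, under which the bind password crosses the network in clear unless TLS is configured. The function name and the sample configuration are assumptions.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample (not a real deployment): the settings shown on this page
# merged into one [ldap] section, with use_dumb_member switched on but no
# dumb_member DN supplied, so the lint has something to report.
SAMPLE_CONF = """
[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = True
allow_subtree_delete = False
query_scope = sub
page_size = 0
debug_level = 0
use_pool = true
pool_size = 10
pool_retry_max = 3
pool_retry_delay = 0.1
pool_connection_timeout = -1
pool_connection_lifetime = 600
"""


def check_ldap_section(conf_text):
    """Lint the [ldap] section of a keystone.conf; return a list of findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    ldap = cp["ldap"]
    findings = []
    if urlparse(ldap.get("url", "")).scheme != "ldaps":
        findings.append("url: ldap:// scheme, bind password sent in clear unless TLS is used")
    if ldap.get("user") and not ldap.get("password"):
        findings.append("password: bind user is set but no password is configured")
    # dumb_member only matters, and is required, when use_dumb_member is true
    if ldap.getboolean("use_dumb_member", fallback=False) and not ldap.get("dumb_member"):
        findings.append("dumb_member: required because use_dumb_member = True")
    if ldap.get("query_scope", "one") not in ("one", "sub"):
        findings.append("query_scope: must be 'one' (first level) or 'sub' (entire sub-tree)")
    if ldap.getint("page_size", fallback=0) < 0:
        findings.append("page_size: must be 0 (paging disabled) or a positive page size")
    if ldap.getint("debug_level", fallback=0) < 0:
        findings.append("debug_level: bitmask value cannot be negative")
    if ldap.getboolean("use_pool", fallback=False):
        timeout = ldap.getfloat("pool_connection_timeout", fallback=-1)
        if timeout != -1 and timeout <= 0:
            findings.append("pool_connection_timeout: use -1 (indefinite) or a positive number of seconds")
        if ldap.getint("pool_size", fallback=10) <= 0:
            findings.append("pool_size: must be positive when use_pool is enabled")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_section(SAMPLE_CONF):
        print(finding)
```

Run it against the real file with `check_ldap_section(open("/etc/keystone/keystone.conf").read())`; an empty list means every constraint above is satisfied.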