openstack-manuals/doc/common/section_keystone_config_ldap.xml
Martin Lopes c3c2b52dcd Review Identity and LDAP integration section
Implementation steps have been refined, and additional recommendations
from the devs have been included.

Change-Id: Id8585ecbc911706d7798548a15e10e6ea6cc77d7
Partial-Bug: 1293328
2014-03-24 09:40:33 +10:00

129 lines
5.3 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="configuring-keystone-for-ldap-backend">
<title>Integrate Identity with LDAP</title>
<para>Identity Service supports integration with an existing LDAP
directory for authentication and authorization
services.</para>
<important os="rhel;fedora;centos">
<para>For OpenStack Identity to access an LDAP back end, you must
enable the <option>authlogin_nsswitch_use_ldap</option> boolean
value for SELinux on the Identity server. To enable and
make the option persistent across reboots:</para>
<screen><prompt>#</prompt> <userinput>setsebool -P authlogin_nsswitch_use_ldap</userinput></screen>
</important>
<note>
<para>You can integrate Identity with a single LDAP
server.</para>
</note>
<para>To configure Identity, set options in the
<filename>/etc/keystone/keystone.conf</filename> file.
Modify these examples as needed.</para>
<procedure>
<title>To integrate Identity with LDAP</title>
<step>
<para>Enable the LDAP driver in the
<filename>keystone.conf</filename> file:</para>
<programlisting language="ini">[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity</programlisting>
</step>
<step>
<para>Define the destination LDAP server in the
<filename>keystone.conf</filename> file:</para>
<programlisting language="ini">[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False</programlisting>
</step>
<step>
<para>Create the organizational units (OU) in the LDAP
directory, and define their corresponding location in
the <filename>keystone.conf</filename> file:</para>
<programlisting language="ini">[ldap]
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
tenant_tree_dn = ou=Groups,dc=example,dc=org
tenant_objectclass = groupOfNames
role_tree_dn = ou=Roles,dc=example,dc=org
role_objectclass = organizationalRole</programlisting>
<note>
<para>These schema attributes are extensible for
compatibility with various schemas. For example,
this entry maps to the
<systemitem>person</systemitem> attribute in
Active Directory:</para>
<programlisting language="ini">user_objectclass = person</programlisting>
</note>
</step>
<step>
<para>A read-only implementation is recommended for LDAP
integration. These permissions are applied to object
types in the <filename>keystone.conf</filename>
file:</para>
<programlisting language="ini">[ldap]
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = False
role_allow_update = False
role_allow_delete = False</programlisting>
</step>
<step>
<para>Restart the Identity service:</para>
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
<warning><para>During service restart, authentication and
authorization are unavailable.</para></warning>
</step>
</procedure>
<formalpara>
<title>Additional LDAP integration settings</title>
<para>Set these options in the
<filename>keystone.conf</filename> file.</para>
</formalpara>
<variablelist>
<varlistentry>
<term>Filters</term>
<listitem>
<para>Use filters to control the scope of data
presented through LDAP.</para>
<programlisting language="ini">[ldap]
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Account Status</term>
<listitem>
<para>Mask account status values for compatibility
with various directory services. Superfluous
accounts are filtered with
<systemitem>user_filter</systemitem>.</para>
<para>For example, you can mask Active Directory
account status attributes in the
<filename>keystone.conf</filename>
file:</para>
<programlisting language="ini">[ldap]
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512</programlisting>
</listitem>
</varlistentry>
</variablelist>
<xi:include href="section_keystone_config_ldap-assignments.xml"/>
<xi:include href="section_keystone_config_ldap-hardening.xml"/>
</section>