c3c2b52dcd
Implementation steps have been refined, and additional recommendations from the devs have been included. Change-Id: Id8585ecbc911706d7798548a15e10e6ea6cc77d7 Partial-Bug: 1293328
129 lines
5.3 KiB
XML
129 lines
5.3 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
|
xml:id="configuring-keystone-for-ldap-backend">
|
|
<title>Integrate Identity with LDAP</title>
|
|
<para>Identity Service supports integration with an existing LDAP
|
|
directory for authentication and authorization
|
|
services.</para>
|
|
<important os="rhel;fedora;centos">
|
|
<para>For OpenStack Identity to access an LDAP back end, you must
|
|
enable the <option>authlogin_nsswitch_use_ldap</option> boolean
|
|
value for SELinux on the Identity server. To enable and
|
|
make the option persistent across reboots:</para>
|
|
<screen><prompt>#</prompt> <userinput>setsebool -P authlogin_nsswitch_use_ldap</userinput></screen>
|
|
</important>
|
|
<note>
|
|
<para>You can integrate Identity with a single LDAP
|
|
server.</para>
|
|
</note>
|
|
<para>To configure Identity, set options in the
|
|
<filename>/etc/keystone/keystone.conf</filename> file.
|
|
Modify these examples as needed.</para>
|
|
<procedure>
|
|
<title>To integrate Identity with LDAP</title>
|
|
<step>
|
|
<para>Enable the LDAP driver in the
|
|
<filename>keystone.conf</filename> file:</para>
|
|
<programlisting language="ini">[identity]
|
|
#driver = keystone.identity.backends.sql.Identity
|
|
driver = keystone.identity.backends.ldap.Identity</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Define the destination LDAP server in the
|
|
<filename>keystone.conf</filename> file:</para>
|
|
<programlisting language="ini">[ldap]
|
|
url = ldap://localhost
|
|
user = dc=Manager,dc=example,dc=org
|
|
password = samplepassword
|
|
suffix = dc=example,dc=org
|
|
use_dumb_member = False
|
|
allow_subtree_delete = False</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Create the organizational units (OU) in the LDAP
|
|
directory, and define their corresponding location in
|
|
the <filename>keystone.conf</filename> file:</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_tree_dn = ou=Users,dc=example,dc=org
|
|
user_objectclass = inetOrgPerson
|
|
|
|
tenant_tree_dn = ou=Groups,dc=example,dc=org
|
|
tenant_objectclass = groupOfNames
|
|
|
|
role_tree_dn = ou=Roles,dc=example,dc=org
|
|
role_objectclass = organizationalRole</programlisting>
|
|
<note>
|
|
<para>These schema attributes are extensible for
|
|
compatibility with various schemas. For example,
|
|
this entry maps to the
|
|
<systemitem>person</systemitem> attribute in
|
|
Active Directory:</para>
|
|
<programlisting language="ini">user_objectclass = person</programlisting>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>A read-only implementation is recommended for LDAP
|
|
integration. These permissions are applied to object
|
|
types in the <filename>keystone.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_allow_create = False
|
|
user_allow_update = False
|
|
user_allow_delete = False
|
|
|
|
tenant_allow_create = False
|
|
tenant_allow_update = False
|
|
tenant_allow_delete = False
|
|
|
|
role_allow_create = False
|
|
role_allow_update = False
|
|
role_allow_delete = False</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Restart the Identity service:</para>
|
|
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
|
|
<warning><para>During service restart, authentication and
|
|
authorization are unavailable.</para></warning>
|
|
</step>
|
|
</procedure>
|
|
<formalpara>
|
|
<title>Additional LDAP integration settings</title>
|
|
<para>Set these options in the
|
|
<filename>keystone.conf</filename> file.</para>
|
|
</formalpara>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Filters</term>
|
|
<listitem>
|
|
<para>Use filters to control the scope of data
|
|
presented through LDAP.</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
|
|
tenant_filter =
|
|
role_filter =</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>LDAP Account Status</term>
|
|
<listitem>
|
|
<para>Mask account status values for compatibility
|
|
with various directory services. Superfluous
|
|
accounts are filtered with
|
|
<systemitem>user_filter</systemitem>.</para>
|
|
<para>For example, you can mask Active Directory
|
|
account status attributes in the
|
|
<filename>keystone.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ldap]
|
|
user_enabled_attribute = userAccountControl
|
|
user_enabled_mask = 2
|
|
user_enabled_default = 512</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<xi:include href="section_keystone_config_ldap-assignments.xml"/>
|
|
<xi:include href="section_keystone_config_ldap-hardening.xml"/>
|
|
</section>
|