Sunday, January 20, 2013

[openstack] [keystone] [ldap] Openstack Keystone+OpenLDAP Environment Settings

OpenLDAP Server Settings:

# sudo apt-get install slapd ldap-utils
# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif


backend.ldif:

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb.la

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
# plaintext is acceptable for this demo only; use a hashed value from slappasswd on a real server
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif


frontend.ldif:

# Create Top-Level object in domain
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example Inc
dc: example

# Admin user.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret

# OrganizationalUnit
dn: ou=Users,dc=example,dc=com
ou: users
objectClass: organizationalUnit

# OrganizationalUnit
dn: ou=Roles,dc=example,dc=com
ou: roles
objectClass: organizationalUnit

# OrganizationalUnit
dn: ou=Tenants,dc=example,dc=com
ou: tenants
objectClass: organizationalUnit

# InetOrgPerson
dn: cn=demo,ou=Users,dc=example,dc=com
cn: demo
displayName: demo
givenName: demo
mail: demo@example.com
objectClass: inetOrgPerson
objectClass: top
sn: demo
uid: demo
userPassword: secret

# sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.ldif


role_add.ldif:

# Add demo to "admin" Role
dn: cn=admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
cn: admin
description: Openstack admin Role
member: cn=demo,ou=Users,dc=example,dc=com

# sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f role_add.ldif



tenant_add.ldif:

# Add demo to "admin" Tenant
dn: cn=admin,ou=Tenants,dc=example,dc=com
objectclass: groupofnames
cn: admin
description: Openstack admin Tenant
member: cn=demo,ou=Users,dc=example,dc=com

# sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f tenant_add.ldif


Openstack Keystone Settings:

/etc/keystone/keystone.conf:

[identity]
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity


[ldap]
url = ldap://openldap_server_ip
user = cn=admin,dc=example,dc=com
password = secret
# must match olcSuffix in backend.ldif (dc=, not cn=)
suffix = dc=example,dc=com
use_dumb_member = False
tree_dn = dc=example,dc=com

user_tree_dn = ou=Users,dc=example,dc=com
##user_objectclass = inetOrgPerson

role_tree_dn = ou=Roles,dc=example,dc=com
# role_add.ldif creates roles as groupOfNames entries with a member attribute,
# so Keystone's defaults (organizationalRole / roleOccupant) must be overridden
role_objectclass = groupOfNames
role_member_attribute = member

tenant_tree_dn = ou=Tenants,dc=example,dc=com
##tenant_objectclass = groupOfNames
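Two things in this setup are easy to get wrong and hard to see from Keystone's side: the `suffix` has to be the same DN as `olcSuffix` in backend.ldif, and the `*_objectclass` / `*_member_attribute` options have to describe the entries the LDIF files actually create (Keystone otherwise searches for its defaults and silently finds nothing, which shows up as an empty role list). The following script, added here as an example and not code from the original post or from Keystone, reads a `[ldap]` section with `configparser`, parses LDIF with a small reader, and reports every mismatch. The inputs are constructed inline so it runs offline; `KEYSTONE_DEFAULTS` holds the assumed Folsom-era defaults Keystone uses when an option is left commented out.

```python
"""Check a Keystone [ldap] section against the LDIF that populated the tree.
Added example (not from the original post or from Keystone); inputs are constructed
inline. KEYSTONE_DEFAULTS are the assumed defaults for commented-out options."""
import configparser

KEYSTONE_DEFAULTS = {
    "user_objectclass": "inetOrgPerson",
    "role_objectclass": "organizationalRole",
    "role_member_attribute": "roleOccupant",
    "tenant_objectclass": "groupOfNames",
    "tenant_member_attribute": "member",
}

# Constructed [ldap] section with two easy mistakes: the suffix typed with
# cn= instead of dc=, and the role options left at Keystone's defaults.
BAD_CONF = """
[ldap]
suffix = cn=example,cn=com
tree_dn = dc=example,dc=com
user_tree_dn = ou=Users,dc=example,dc=com
role_tree_dn = ou=Roles,dc=example,dc=com
##role_objectclass = organizationalRole
tenant_tree_dn = ou=Tenants,dc=example,dc=com
##tenant_objectclass = groupOfNames
"""

# Same section with the suffix fixed and the role options matched to the
# groupOfNames/member entries the LDIF creates.
GOOD_CONF = BAD_CONF.replace("cn=example,cn=com", "dc=example,dc=com").replace(
    "##role_objectclass = organizationalRole",
    "role_objectclass = groupOfNames\nrole_member_attribute = member")

# Constructed LDIF: one user, one role and one tenant, shaped like the post's files.
LDIF = """
dn: cn=demo,ou=Users,dc=example,dc=com
cn: demo
objectClass: inetOrgPerson

dn: cn=admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
cn: admin
member: cn=demo,ou=Users,dc=example,dc=com

dn: cn=admin,ou=Tenants,dc=example,dc=com
objectclass: groupofnames
cn: admin
member: cn=demo,ou=Users,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader -> list of {attr(lower): [values]}; handles comments,
    blank-line separators and leading-space continuations (no base64 decoding)."""
    entries, entry, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif line.startswith(" ") and last:
            entry[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries

def norm_dn(dn):
    """Lower-case a DN and strip spaces around commas so DNs compare reliably."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def check(conf_text, ldif_text):
    """Return a list of mismatches between the [ldap] options and the tree."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    opts = dict(KEYSTONE_DEFAULTS, **cp["ldap"])
    problems = []
    if not norm_dn(opts["tree_dn"]).endswith(norm_dn(opts["suffix"])):
        problems.append(f"tree_dn {opts['tree_dn']} is not under suffix {opts['suffix']}")
    for kind in ("user", "role", "tenant"):
        tree = norm_dn(opts[f"{kind}_tree_dn"])
        want = opts[f"{kind}_objectclass"].lower()
        member = opts.get(f"{kind}_member_attribute", "").lower()
        for e in parse_ldif(ldif_text):
            dn = norm_dn(e["dn"][0])
            if not dn.endswith("," + tree):
                continue  # the OU itself, or an entry outside this subtree
            classes = {c.lower() for c in e.get("objectclass", [])}
            if want not in classes:
                problems.append(f"{dn}: expected objectClass {want}, has {sorted(classes)}")
            if member and member not in e:
                problems.append(f"{dn}: Keystone reads '{member}', entry has no such attribute")
    return problems

if __name__ == "__main__":
    for label, conf in (("as written", BAD_CONF), ("corrected", GOOD_CONF)):
        print(label, check(conf, LDIF) or "OK")
```

Run against the misconfigured section it reports three problems (the suffix, the role objectClass and the missing `roleOccupant` attribute); against the corrected one it reports none. To check a live deployment, read `/etc/keystone/keystone.conf` and the LDIF files from disk and pass their contents to `check()`.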




Openstack Keystone Environment Testing:

# curl -d '{"auth":{"passwordCredentials":{"username": "demo", "password": "secret"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens
output: {"access": {"token": {"expires": "2013-01-19T08:31:53Z", "id": "757fac866e9649bfa23c547a6658d94d"}, "serviceCatalog": {}, "user": {"username": "demo", "roles_links": [], "id": "demo", "roles": [], "name": "demo"}}}


# curl -H "X-Auth-Token:757fac866e9649bfa23c547a6658d94d" http://localhost:5000/v2.0/tenants
output: {"tenants_links": [], "tenants": [{"enabled": true, "id": "admin", "description": "Openstack admin Tenant"}]}


Tuesday, January 8, 2013

[linux] [ldap] Ubuntu (12.04 LTS) OpenLDAP Settings

Server Settings
http://comtech247.net/2012/05/13/how-to-set-up-an-ldap-server-on-ubuntu-12-04-lts/
http://books.bod.idv.tw/2011/08/ubuntuopenldap.html

Client Settings
http://www.server-world.info/en/note?os=Ubuntu_12.04&p=ldap&f=2

LDAP Tree Structure
http://www.zytrax.com/books/ldap/ch5/step2.html

LDIF Modify
http://publib.boulder.ibm.com/infocenter/zvm/v5r4/index.jsp?topic=/com.ibm.zvm.v54.kldl0/hcsk8b3061.htm
http://tldp.org/HOWTO/LDAP-HOWTO/utilities.html