2013年1月20日 星期日

[openstack] [keystone] [ldap] Openstack Keystone+OpenLDAP Environment Settings


OpenLDAP Server Settings :

# Install the OpenLDAP server (slapd) and the command-line client tools (ldapadd etc.).
# sudo apt-get install slapd ldap-utils
# Load the three standard schemas into the live cn=config database. The ldapi:///
# URL is the local Unix socket and -Y EXTERNAL authenticates with the socket peer's
# identity (hence sudo), so no directory password is needed for these commands.
# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif


backend.ldif :

# Load dynamic backend modules
# (tells slapd where its backend modules live and loads the hdb backend)
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb.la

# Database settings
# Defines the hdb database that holds the dc=example,dc=com tree created in frontend.ldif.
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
# Root DN: this identity is not subject to the olcAccess rules below. Its
# password is given here in cleartext and is stored that way in cn=config;
# use a hash generated with slappasswd (e.g. an {SSHA} value) instead of the
# literal word, and pick something other than "secret" outside a lab.
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
# Berkeley DB tuning passed through to the backend (cache size and lock-table
# limits); presumably the usual Ubuntu defaults, not security relevant.
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
# Equality index on objectClass, which the keystone *_objectclass searches use.
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
# Access control; OpenLDAP evaluates these rules in order.
#  - userPassword: admin may write, anonymous clients may only use it to bind
#    (auth), an entry may change its own, nobody else can read it.
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
#  - shadowLastChange: writable by the entry itself, readable by everyone.
olcAccess: to attrs=shadowLastChange by self write by * read
#  - root DSE: readable by everyone.
olcAccess: to dn.base="" by * read
#  - everything else: admin writes, anyone else (including unauthenticated
#    clients) can read. That exposes user entries, mail addresses and the
#    role/tenant membership lists to anonymous searches; change "by * read"
#    to "by users read" if anonymous browsing is not needed.
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif


frontend.ldif : 

# Create Top-Level object in domain
# (the suffix entry for the database declared in backend.ldif)
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example Inc
dc: example

# Admin user.
# Same DN as olcRootDN in backend.ldif and as the bind user in keystone.conf,
# i.e. the directory's full-privilege account. Store a slappasswd hash here
# rather than the cleartext word: the userPassword ACL keeps it from being read
# back over LDAP, but it is still cleartext on disk in this file.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret

# OrganizationalUnit
# Search base for keystone users (user_tree_dn in keystone.conf). The ou value
# differs from the DN only in case, which LDAP matching ignores for ou.
dn: ou=Users,dc=example,dc=com
ou: users
objectClass: organizationalUnit

# OrganizationalUnit
# Search base for keystone roles (role_tree_dn in keystone.conf).
dn: ou=Roles,dc=example,dc=com
ou: roles
objectClass: organizationalUnit

# OrganizationalUnit
# Search base for keystone tenants (tenant_tree_dn in keystone.conf).
dn: ou=Tenants,dc=example,dc=com
ou: tenants
objectClass: organizationalUnit

# InetOrgPerson
# The test account used by the curl check at the end of the page. cn, uid and
# sn are all "demo", so the page does not show which attribute keystone
# matches the username against — presumably uid; confirm for the keystone
# version in use. Hash this password too (slappasswd); every account on this
# page shares the value "secret", which is acceptable only for a throwaway lab.
dn: cn=demo,ou=Users,dc=example,dc=com
cn: demo
displayName: demo
givenName: demo
mail: demo@example.com
objectClass: inetOrgPerson
objectClass: top
sn: demo
uid: demo
userPassword: secret
# Load frontend.ldif with a simple bind (-x) as the directory admin DN; -W makes
# ldapadd prompt for the bind password instead of taking it on the command line
# (and so keeps it out of shell history and the process list).
sudo ldapadd -x -W -D 'cn=admin,dc=example,dc=com' -f frontend.ldif


role_add.ldif : 

# Add demo to "admin" Role
# A groupOfNames must carry at least one member, so the demo user is the
# initial member. Note this models roles as groupOfNames/member, whereas the
# role_objectclass line left commented in keystone.conf suggests a default of
# organizationalRole; the token returned by the test at the end of the page
# has an empty roles list, which may be related — verify against the keystone
# version in use.
dn: cn=admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
cn: admin
description: Openstack admin Role
member: cn=demo,ou=Users,dc=example,dc=com
# Add the role entry from role_add.ldif, binding simply (-x) as the admin DN
# and prompting for the password (-W).
sudo ldapadd -x -W -D 'cn=admin,dc=example,dc=com' -f role_add.ldif



tenant_add.ldif :

# Add demo to "admin" Tenant
# Tenants are modelled as groupOfNames with the member attribute listing the
# users that belong to the tenant; this matches the tenant_objectclass value
# left commented in keystone.conf. Attribute and class names are
# case-insensitive, so "objectclass: groupofnames" is equivalent to the
# spelling used in role_add.ldif.
dn: cn=admin,ou=Tenants,dc=example,dc=com
objectclass: groupofnames
cn: admin
description: Openstack admin Tenant
member: cn=demo,ou=Users,dc=example,dc=com

# Add the tenant entry from tenant_add.ldif, binding simply (-x) as the admin DN
# and prompting for the password (-W).
sudo ldapadd -x -W -D 'cn=admin,dc=example,dc=com' -f tenant_add.ldif


Openstack Keystone Settings :

/etc/keystone/keystone.conf :

[identity]
# Users, tenants and roles come from the LDAP driver; the SQL driver line is
# left commented so it is easy to switch back.
#driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity


[ldap]
# Plain ldap:// — the bind password below crosses the network in cleartext on
# every bind. Prefer an ldaps:// URL (or TLS) outside a lab, and keep this
# file readable only by the keystone service account, since it holds the
# directory's full-privilege credentials.
url = ldap://openldap_server_ip
# Bind identity: the same DN as olcRootDN in backend.ldif, so keystone runs
# with unrestricted directory access.
user = cn=admin,dc=example,dc=com
password = secret
# NOTE(review): cn=example,cn=com does not match the directory suffix
# dc=example,dc=com used everywhere else on this page. It looks like the
# sample-config default and is presumably unused here because every *_tree_dn
# below is set explicitly (the token test at the end of the page succeeds),
# but confirm for the keystone version in use.
suffix = cn=example,cn=com
use_dumb_member = False
tree_dn = dc=example,dc=com

# Search bases for each object type; they match the three OUs in frontend.ldif.
user_tree_dn = ou=Users,dc=example,dc=com
##user_objectclass = inetOrgPerson

role_tree_dn = ou=Roles,dc=example,dc=com
# NOTE(review): the commented default is organizationalRole, but role_add.ldif
# creates roles as groupOfNames with a member attribute, and the token in the
# test at the end of the page comes back with "roles": []. Verify the
# role_objectclass / role_member_attribute settings if roles are expected.
##role_objectclass = organizationalRole

tenant_tree_dn = ou=Tenants,dc=example,dc=com
##tenant_objectclass = groupOfNames




Openstack Keystone Environment Testing:

# Request a token for the demo user on the admin port (35357). The password is
# sent in the POST body over plain http, so this is only acceptable against
# localhost; keystone checks it against the LDAP identity backend configured
# above, and the returned token id is reused on the next request.
curl -d '{"auth":{"passwordCredentials":{"username": "demo", "password": "secret"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens
output : {"access": {"token": {"expires": "2013-01-19T08:31:53Z", "id": "757fac866e9649bfa23c547a6658d94d"}, "serviceCatalog": {}, "user": {"username": "demo", "roles_links": [], "id": "demo", "roles": [], "name": "demo"}}}


# Present the token id from the previous response (valid until the "expires"
# time shown there) as X-Auth-Token on the public port (5000); the tenant list
# that comes back is the entry created in tenant_add.ldif.
# curl -H "X-Auth-Token:757fac866e9649bfa23c547a6658d94d" http://localhost:5000/v2.0/tenants
output : {"tenants_links": [], "tenants": [{"enabled": true, "id": "admin", "description": "Openstack admin Tenant"}]}







