

LDAP identity store for OpenStack Keystone

Yury Taraday - August 12, 2011

After some time running an OpenStack installation that used an existing LDAP directory for authentication, we ran into one big problem. The latest Dashboard code dropped support for the old bare authentication in favor of a Keystone-based one. At that time Keystone had no support for multiple authentication backends, so we had to develop this feature.
Now we have basic support for LDAP authentication in Keystone, which provides a subset of the functionality that was present in Nova. Currently, the main limitation is the inability to integrate with an existing LDAP tree, due to limitations in the backend, but it works fine in an isolated corner of LDAP.
So, after a long time of coding and fighting with the new upstream workflows, we can give you a chance to try it out.
To do so, one should:

  1. Make sure that all necessary components are installed. They are Nova, Glance, Keystone and Dashboard. Since the latter pair is still in incubator, you’ll have to download them from the source repository:

    git clone git://
    git clone git://
  2. Set up Nova to authorize requests in Keystone:

    echo "--api_paste_config=$(pwd)/keystone/keystone/examples/paste/nova-api-paste.ini" >> /etc/nova/nova.conf

    This assumes that you’re in the same dir where you’ve downloaded the Keystone sources. Replace the nova.conf path if it differs in your Nova installation.

  3. Add schema information to your LDAP installation. This heavily depends on your LDAP server. There is a common .schema file and an .ldif for the latest version of OpenLDAP in the keystone/keystone/backends/ldap/ dir. For a local OpenLDAP installation, this will do the trick (if you haven’t changed the dir after the previous steps):

    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f keystone/keystone/backends/ldap/keystone.ldif

  4. Modify the Keystone configuration at keystone/etc/keystone.conf to use the ldap backend:
    • add keystone.backends.ldap to the backends list in the [DEFAULT] section;
    • remove Tenant, User, UserRoleAssociation and Token from the backend_entities list in the [keystone.backends.sqlalchemy] section;
    • add a new [keystone.backends.ldap] section (don’t forget to change the URL, user and password to match your installation):

      [keystone.backends.ldap]
      ldap_url = ldap://localhost
      ldap_user = cn=admin,dc=nodomain
      ldap_password = password
      backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role']

  5. Make sure that the ou=Groups,dc=example,dc=com and ou=Users,dc=example,dc=com subtrees exist, or set the LDAP backend to use other ones by adding tenant_tree_dn, role_tree_dn and user_tree_dn parameters to the [keystone.backends.ldap] section of the config file.
  6. Run Nova, Keystone and Dashboard as usual.
  7. Create some users, tenants, endpoints, etc. in Keystone using the keystone/bin/keystone-manage command, or just run keystone/bin/ to add the test ones.
    Now you can authenticate in Dashboard using the credentials of one of the created users. Note that from this point on, all user, project and role management should be done through Keystone, using either the keystone-manage command or syspanel in Dashboard.
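The split in step 4 is easy to get slightly wrong (an entity left under sqlalchemy while also listed under ldap, or the sample credentials left in place), and a misconfigured backend tends to surface only as a failed Dashboard login. The check below is an added example, not code from Keystone or this post: it parses a constructed keystone.conf and reports the mistakes a reviewer would look for; the comma-separated format of the [DEFAULT] backends value is an assumption.

```python
import ast
import configparser
from io import StringIO

# Constructed sample of keystone/etc/keystone.conf after step 4, with one mistake left in
# (Tenant is still listed under sqlalchemy). Not a file from the project; the
# comma-separated format of the 'backends' value is an assumption.
SAMPLE_CONF = """
[DEFAULT]
backends = keystone.backends.sqlalchemy, keystone.backends.ldap

[keystone.backends.sqlalchemy]
backend_entities = ['Endpoints', 'Credentials', 'Tenant']

[keystone.backends.ldap]
ldap_url = ldap://localhost
ldap_user = cn=admin,dc=nodomain
ldap_password = password
backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role']
"""

LDAP = "keystone.backends.ldap"
SQL = "keystone.backends.sqlalchemy"


def entities(cp, section):
    # backend_entities is written as a Python list literal, so parse it as one.
    return set(ast.literal_eval(cp.get(section, "backend_entities", fallback="[]")))


def check_keystone_conf(text):
    """Return a list of problems found in a keystone.conf split between two backends."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(StringIO(text))
    problems = []
    backends = [b.strip() for b in cp.get("DEFAULT", "backends", fallback="").split(",")]
    if LDAP not in backends:
        problems.append("keystone.backends.ldap missing from [DEFAULT] backends")
    if not cp.has_section(LDAP):
        return problems + ["[keystone.backends.ldap] section missing"]
    for key in ("ldap_url", "ldap_user", "ldap_password"):
        if not cp.get(LDAP, key, fallback=""):
            problems.append(f"{key} not set in [{LDAP}]")
    # An entity served by both backends is the easy mistake in step 4.
    for name in sorted(entities(cp, SQL) & entities(cp, LDAP)):
        problems.append(f"{name} is listed in both sqlalchemy and ldap backend_entities")
    # The bind password crosses the wire in clear over ldap://; only fine for a local server.
    if cp.get(LDAP, "ldap_url", fallback="").startswith("ldap://"):
        problems.append("ldap_url uses plaintext ldap://; prefer ldaps:// for a remote server")
    if cp.get(LDAP, "ldap_password", fallback="") == "password":
        problems.append("ldap_password still holds the placeholder value")
    return problems
```

Run it against your real keystone.conf by passing the file contents to check_keystone_conf(); an empty list means the split between the two backends is consistent.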
