LDAP identity store for OpenStack Keystone

After some time running an OpenStack installation that used an existing LDAP installation for authentication, we ran into one big problem: the latest Dashboard code dropped support for the old bare authentication in favor of the Keystone-based one. At that time Keystone had no support for multiple authentication backends, so we had to develop this feature.
Now we have basic support for LDAP authentication in Keystone, which provides a subset of the functionality that was present in Nova. Currently, the main limitation is the inability to actually integrate with an existing LDAP tree, due to limitations in the backend, but it works fine in an isolated corner of LDAP.
So, after a long time of coding and fighting with new upstream workflows, we can give you a chance to try it out.
To do it, one should:

  1. Make sure that all necessary components are installed. They are Nova, Glance, Keystone and Dashboard. Since the latter pair is still in incubator, you’ll have to download them from the source repository:
    git clone git://github.com/4P/openstack-dashboard.git
    git clone git://github.com/openstack/keystone.git
  2. Set up Nova to authorize requests in Keystone:
    echo "--api_paste_config=$(pwd)/keystone/keystone/examples/paste/nova-api-paste.ini" >> /etc/nova/nova.conf

    This assumes that you are in the same directory where you downloaded the Keystone sources. Replace the nova.conf path if it differs in your Nova installation.

  3. Add schema information to your LDAP installation. This heavily depends on your LDAP server. There is a common .schema file and an .ldif for the latest version of OpenLDAP in the keystone/keystone/backends/ldap/ directory. For a local OpenLDAP installation, this will do the trick (if you haven’t changed the directory after the previous steps):
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f keystone/keystone/backends/ldap/keystone.ldif
  4. Modify the Keystone configuration at keystone/etc/keystone.conf to use the ldap backend:
    • add keystone.backends.ldap to the backends list in the [DEFAULT] section;
    • remove Tenant, User, UserRoleAssociation and Token from the backend_entities list in the [keystone.backends.sqlalchemy] section;
    • add a new section (don’t forget to change the URL, user and password to match your installation):
      [keystone.backends.ldap]
      ldap_url = ldap://localhost
      ldap_user = cn=admin,dc=nodomain
      ldap_password = password
      backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role']
  5. Make sure that the ou=Groups,dc=example,dc=com and ou=Users,dc=example,dc=com subtrees exist, or point the LDAP backend at other ones by adding tenant_tree_dn, role_tree_dn and user_tree_dn parameters to the [keystone.backends.ldap] section of the config file.
  6. Run Nova, Keystone and Dashboard as usual.
  7. Create some users, tenants, endpoints, etc. in Keystone using the keystone/bin/keystone-manage command, or just run keystone/bin/sample-data.sh to add the test ones.

    Now you can authenticate in Dashboard using the credentials of one of the created users. Note that from this point on, all user, project and role management should be done through Keystone, using either the keystone-manage command or the syspanel in Dashboard.
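A sanity check for the configuration edits in step 4, written for this post as an added example (it is not Keystone's own code): it parses a keystone.conf text, confirms that the ldap backend is registered and that the moved entities no longer sit in the sqlalchemy list, reports which subtrees the backend will use (the role default is assumed to be unset, since the post gives none), and flags a plaintext ldap:// URL to a remote host, because a simple bind over it would send ldap_password in the clear. The sample configuration inside the block is constructed from the post's values.

```python
import ast
import configparser
from urllib.parse import urlsplit

LDAP = "keystone.backends.ldap"
SQL = "keystone.backends.sqlalchemy"
# Entities the post moves out of sqlalchemy, and those it puts into the LDAP backend.
LEAVE_SQL = {"Tenant", "User", "UserRoleAssociation", "Token"}
WANT_LDAP = {"Tenant", "User", "UserRoleAssociation", "Role"}
# Subtrees the post says must exist unless a *_tree_dn key overrides them
# (assumption: no default for roles, so None means "not configured").
DEFAULT_TREES = {"tenant": "ou=Groups,dc=example,dc=com",
                 "user": "ou=Users,dc=example,dc=com", "role": None}

# Constructed fragment matching the post's step 4 (not a real deployment's file).
SAMPLE_CONF = """
[DEFAULT]
backends = keystone.backends.sqlalchemy, keystone.backends.ldap
[keystone.backends.sqlalchemy]
backend_entities = ['Endpoints', 'Credentials', 'Service']
[keystone.backends.ldap]
ldap_url = ldap://localhost
ldap_user = cn=admin,dc=nodomain
ldap_password = password
backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role']
"""


def entities(cp, section):
    # backend_entities is written as a Python list literal, e.g. ['Tenant', 'User'].
    return set(ast.literal_eval(cp.get(section, "backend_entities", fallback="[]")))


def check_keystone_ldap_conf(text):
    """Return (problems, tree_dns) for a keystone.conf text; no problems means ok."""
    # default_section is renamed so [DEFAULT] is read as an ordinary section.
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cp.read_string(text)
    problems = []
    if LDAP not in [b.strip() for b in cp.get("DEFAULT", "backends", fallback="").split(",")]:
        problems.append("[DEFAULT] backends does not list keystone.backends.ldap")
    if not cp.has_section(LDAP):
        return problems + ["missing [keystone.backends.ldap] section"], {}
    if missing := WANT_LDAP - entities(cp, LDAP):
        problems.append(f"LDAP backend_entities missing {sorted(missing)}")
    if stale := LEAVE_SQL & entities(cp, SQL):
        problems.append(f"still in sqlalchemy backend_entities: {sorted(stale)}")
    url = urlsplit(cp.get(LDAP, "ldap_url", fallback=""))
    if url.scheme == "ldap" and url.hostname not in (None, "localhost", "127.0.0.1"):
        # A simple bind over plain ldap:// sends ldap_password in the clear.
        problems.append("ldap_url is plaintext ldap:// to a remote host; prefer ldaps://")
    trees = {k: cp.get(LDAP, f"{k}_tree_dn", fallback=v) for k, v in DEFAULT_TREES.items()}
    return problems, trees
```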
3 Responses

  1. September 30, 2011

    So, how could I play with nova under terminal instead of Dashboard …?

    for example a simple
    “euca-run-instance” …..
    seems no novarc source file anymore ….
    or there’s no any CLI client tool could be used for Nova+Keystone now?

    Thanks
    HugoKuo
    tonytkdk@gmail.com

  2. January 30, 2012

    What are the requirements for the ou=Groups,dc=example,dc=com and ou=Users,dc=example,dc=com subtrees? Mine are defined according to the below LDIF, but I get a Syntax error calling keystone-manage create_tenant

    dn: dc=example,dc=com
    dc: example
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: example

    dn: ou=groups,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: groups

    dn: ou=users,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: users

  3. March 2, 2012

    LDAP support for Essex has been redone, and is different from what is posted here.

    http://adam.younglogic.com/2012/02/openstack-keystone-ldap-redux/
