
LDAP identity store for OpenStack Keystone

After some time running OpenStack against an existing LDAP installation for authentication, we ran into one big problem: the latest Dashboard code dropped support for the old bare authentication in favor of Keystone-based authentication. At that time Keystone had no support for multiple authentication backends, so we had to develop this feature.
Now we have basic support for LDAP authentication in Keystone, providing a subset of the functionality that was present in Nova. Currently, the main limitation is the inability to integrate with an existing LDAP tree, due to limitations in the backend, but it works fine in an isolated corner of the LDAP directory.
So, after a long time of coding and fighting with new upstream workflows, we can give you a chance to try it out.
To do so, one should:

  1. Make sure that all necessary components are installed: Nova, Glance, Keystone and Dashboard. Since the latter pair is still in incubator, you’ll have to download them from the source repositories:
    git clone git://github.com/4P/openstack-dashboard.git
    git clone git://github.com/openstack/keystone.git
  2. Set up Nova to authorize requests in Keystone:
    echo "--api_paste_config=$(pwd)/keystone/keystone/examples/paste/nova-api-paste.ini" >> /etc/nova/nova.conf

    This assumes that you’re in the same directory where you downloaded the Keystone sources. Replace the nova.conf path if it differs in your Nova installation.

  3. Add schema information to your LDAP installation. This depends heavily on your LDAP server. There is a common .schema file and an .ldif for the latest version of OpenLDAP in the keystone/keystone/backends/ldap/ dir. For a local OpenLDAP installation, this will do the trick (if you haven’t changed the dir after the previous steps):
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f keystone/keystone/backends/ldap/keystone.ldif
  4. Modify the Keystone configuration at keystone/etc/keystone.conf to use the ldap backend:
    • add keystone.backends.ldap to the backends list in the [DEFAULT] section;
    • remove Tenant, User, UserRoleAssociation and Token from the backend_entities list in the [keystone.backends.sqlalchemy] section;
    • add a new [keystone.backends.ldap] section (don’t forget to change the URL, user and password to match your installation):
      [keystone.backends.ldap]
      ldap_url = ldap://localhost
      ldap_user = cn=admin,dc=nodomain
      ldap_password = password
      backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role']
  5. Make sure that the ou=Groups,dc=example,dc=com and ou=Users,dc=example,dc=com subtrees exist, or point the LDAP backend at other ones by adding tenant_tree_dn, role_tree_dn and user_tree_dn parameters to the [keystone.backends.ldap] section of the config file.
  6. Run Nova, Keystone and Dashboard as usual.
  7. Create some users, tenants, endpoints, etc. in Keystone using the keystone/bin/keystone-manage command, or just run keystone/bin/sample-data.sh to add test ones.
    Now you can authenticate in Dashboard using the credentials of one of the created users. Note that from this point on, all user, project and role management should be done through Keystone, using either the keystone-manage command or the syspanel in Dashboard.
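The configuration edits in steps 4 and 5 are easy to get half done, so here is an added pre-flight check (example code written for this page, not part of the original post and not Keystone's own tooling). It is a POSIX shell script that parses a keystone.conf with awk and verifies that the LDAP backend is listed in [DEFAULT], that its section carries the four settings from step 4, that the entities handed to LDAP were actually removed from the sqlalchemy backend, and that the bind password, which the file stores in clear text, is neither the placeholder value from the post, nor readable by other local users, nor sent over a plain ldap:// connection to a remote host. The two sample config files, the backend_entities list left in the sqlalchemy section, the password value and the hostname ldap.example.com are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the
# keystone.conf edits described in steps 4 and 5. Sample files are constructed.

# ini_get FILE SECTION KEY -> prints the value, or nothing if the key is absent.
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == sec); next }
    insec {
      line = $0; sub(/^[[:space:]]+/, "", line)
      if (index(line, key) == 1) {
        rest = substr(line, length(key) + 1)
        if (rest ~ /^[[:space:]]*=/) {
          sub(/^[[:space:]]*=[[:space:]]*/, "", rest); sub(/[[:space:]]+$/, "", rest)
          print rest; exit
        }
      }
    }' "$1"
}

# check_keystone_conf FILE -> prints one line per finding; returns their count.
check_keystone_conf() {
  f="$1"; n=0
  case ",$(ini_get "$f" DEFAULT backends)," in
    *keystone.backends.ldap*) ;;
    *) echo "FAIL: keystone.backends.ldap missing from [DEFAULT] backends"; n=$((n + 1)) ;;
  esac
  for k in ldap_url ldap_user ldap_password backend_entities; do
    [ -n "$(ini_get "$f" keystone.backends.ldap "$k")" ] ||
      { echo "FAIL: $k missing from [keystone.backends.ldap]"; n=$((n + 1)); }
  done
  # Entities must be owned by exactly the backend the post assigns them to.
  sql=$(ini_get "$f" keystone.backends.sqlalchemy backend_entities)
  ldap=$(ini_get "$f" keystone.backends.ldap backend_entities)
  for e in Tenant User UserRoleAssociation Role; do
    case "$ldap" in *"'$e'"*) ;; *) echo "FAIL: $e not in LDAP backend_entities"; n=$((n + 1)) ;; esac
  done
  for e in Tenant User UserRoleAssociation Token; do
    case "$sql" in *"'$e'"*) echo "FAIL: $e still in sqlalchemy backend_entities"; n=$((n + 1)) ;; esac
  done
  # A simple bind over plain ldap:// to a remote host carries the password unencrypted.
  url=$(ini_get "$f" keystone.backends.ldap ldap_url)
  case "$url" in
    ldap://localhost*|ldap://127.0.0.1*|ldaps://*|ldapi://*) ;;
    ldap://*) echo "WARN: $url sends the bind password in clear text over the network"; n=$((n + 1)) ;;
  esac
  [ "$(ini_get "$f" keystone.backends.ldap ldap_password)" != "password" ] ||
    { echo "WARN: ldap_password is still the placeholder value"; n=$((n + 1)); }
  # The password is stored in clear text, so the file must not be group/world readable.
  case "$(ls -ld "$f" | cut -c5-10)" in
    ------) ;;
    *) echo "WARN: $f is readable by group or others"; n=$((n + 1)) ;;
  esac
  return $n
}

# write_sample_conf FILE good|bad -> writes a constructed keystone.conf fragment.
write_sample_conf() {
  if [ "$2" = good ]; then
    cat > "$1" <<'EOF'
[DEFAULT]
backends = keystone.backends.sqlalchemy,keystone.backends.ldap

[keystone.backends.sqlalchemy]
backend_entities = ['Role']

[keystone.backends.ldap]
ldap_url = ldap://localhost
ldap_user = cn=admin,dc=nodomain
ldap_password = S3cret-example-only
backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role']
EOF
  else
    cat > "$1" <<'EOF'
[DEFAULT]
backends = keystone.backends.sqlalchemy

[keystone.backends.sqlalchemy]
backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role', 'Token']

[keystone.backends.ldap]
ldap_url = ldap://ldap.example.com
ldap_user = cn=admin,dc=nodomain
ldap_password = password
EOF
  fi
  chmod 600 "$1"
}

# Demo: write both constructed samples and run the check on each.
tmp=$(mktemp -d)
for kind in good bad; do
  write_sample_conf "$tmp/$kind.conf" "$kind"
  rc=0; check_keystone_conf "$tmp/$kind.conf" || rc=$?
  echo "$kind.conf: $rc finding(s)"
done
rm -rf "$tmp"
```

Run it as `sh check-keystone-conf.sh`; to check a real file, call `check_keystone_conf /path/to/keystone.conf` instead of the demo loop. The exit status is the number of findings, so it drops straight into a deployment script.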

3 Responses

  1. So, how could I play with nova under the terminal instead of Dashboard…?

    for example a simple
    “euca-run-instance”…
    there seems to be no novarc source file anymore…
    or is there no CLI client tool that could be used for Nova+Keystone now?


    September 30, 2011
  2. What are the requirements for the ou=Groups,dc=example,dc=com and ou=Users,dc=example,dc=com subtrees? Mine are defined according to the LDIF below, but I get a syntax error calling keystone-manage create_tenant

    dn: dc=example,dc=com
    dc: example
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: example

    dn: ou=groups,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: groups

    dn: ou=users,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: users

    January 30, 2012
  3. LDAP support for Essex has been redone, and is different from what is posted here.


    March 2, 2012
