[openstack-dev] OpenLdap for Keystone

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Fri Sep 6 22:01:58 UTC 2013


Here are my rough notes, with contributions from the web pages https://github.com/openstack-dev/devstack/blob/master/lib/ldap and https://github.com/openstack-dev/devstack/blob/master/lib/keystone :


apt-get install slapd
apt-get install ldap-utils

LDAP_PASSWORD=password
# slappasswd prints a salted {SSHA} hash of the password; that hash, not the cleartext, is what goes into olcRootPW below
SLAPPASS=`slappasswd -s $LDAP_PASSWORD`

TMP_MGR_DIFF_FILE=`mktemp -t manager_ldiff.$$.XXXXXXXXXX.ldif`
LDAP_OLCDB_NUMBER=1
LDAP_ROOTPW_COMMAND=replace

# sed -e "s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|" -e "s|\${SLAPPASS}|$SLAPPASS|" -e "s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|" $FILES/ldap/manager.ldif.in >> $TMP_MGR_DIFF_FILE
sed -e "s|\${LDAP_OLCDB_NUMBER}|$LDAP_OLCDB_NUMBER|" -e "s|\${SLAPPASS}|$SLAPPASS|" -e "s|\${LDAP_ROOTPW_COMMAND}|$LDAP_ROOTPW_COMMAND|" ./manager.ldif.in >> $TMP_MGR_DIFF_FILE
ldapmodify -Y EXTERNAL -H ldapi:/// -f $TMP_MGR_DIFF_FILE

# ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f $FILES/ldap/openstack.ldif
# -w puts the password on the command line (visible in the process list and shell history); -W prompts for it instead
ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f ./openstack.ldif

# SASL EXTERNAL bind over the ldapi socket; -W (prompt for a simple-bind password) does not apply to it, so it is left out
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "dc=openstack,dc=org" "(objectclass=*)"
ldapadd -c -x -H ldap://localhost -D dc=Manager,dc=openstack,dc=org -w $LDAP_PASSWORD -f ./addUser.ldif


Files:

manager.ldif.in:

dn: olcDatabase={${LDAP_OLCDB_NUMBER}}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=openstack,dc=org
-
replace: olcRootDN
olcRootDN: dc=Manager,dc=openstack,dc=org
-
${LDAP_ROOTPW_COMMAND}: olcRootPW
olcRootPW: ${SLAPPASS}


openstack.ldif:

dn: dc=openstack,dc=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack

dn: ou=UserGroups,dc=openstack,dc=org
objectClass: organizationalUnit
ou: UserGroups

dn: ou=Users,dc=openstack,dc=org
objectClass: organizationalUnit
ou: Users

dn: ou=Roles,dc=openstack,dc=org
objectClass: organizationalUnit
ou: Roles

dn: ou=Projects,dc=openstack,dc=org
objectClass: organizationalUnit
ou: Projects

dn: cn=9fe2ff9ee4384b1894a90878d3e92bab,ou=Roles,dc=openstack,dc=org
objectClass: organizationalRole
ou: _member_
cn: 9fe2ff9ee4384b1894a90878d3e92bab


addUser.ldif:

# Every LDIF entry needs a dn, and "Users" is not an object class in the standard schema;
# inetOrgPerson (which requires cn and sn) is the default user_objectclass of Keystone's LDAP backend.
# userPassword may be given pre-hashed, e.g. as the output of slappasswd, instead of in cleartext.
dn: uid=donaldduck,ou=Users,dc=openstack,dc=org
cn: Donald Duck
givenName: Donald
sn: Duck
uid: donaldduck
mail: donald.duck@disney.com
objectClass: top
objectClass: inetOrgPerson
userPassword: secret






From: Anne Gentle [mailto:annegentle at justwriteclick.com]
Sent: Friday, September 06, 2013 2:36 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] OpenLdap for Keystone


On Thu, Sep 5, 2013 at 2:57 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <mark.m.miller at hp.com> wrote:
Thanks Dean. I was able to combine sections of each script to make one that installs OpenLdap for Keystone.


I would love to have a write up for the docs -- write it on the back of an envelope, napkin, or your favorite web bits and we'll incorporate it.

Thanks,
Anne

Mark

From: Dean Troyer [mailto:dtroyer at gmail.com]
Sent: Thursday, September 05, 2013 9:45 AM

To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] OpenLdap for Keystone

On Thu, Sep 5, 2013 at 11:18 AM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <mark.m.miller at hp.com> wrote:
Thanks Brad for the pointer. Is there any way to just install the OpenLdap piece and not the entire OpenStack?

You can install a Keystone-only DevStack, but I suspect you just want the OpenLDAP bits...if that is the case look in lib/keystone[1] and lib/ldap[2] for the steps DevStack takes to perform the installation.  The configure_keystone()[3] function has all of the bits to configure Keystone.

dt

[1] https://github.com/openstack-dev/devstack/blob/master/lib/keystone
[2] https://github.com/openstack-dev/devstack/blob/master/lib/ldap
[3] https://github.com/openstack-dev/devstack/blob/master/lib/keystone#L102

--

Dean Troyer
dtroyer at gmail.com

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



--
Anne Gentle
annegentle at justwriteclick.com
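A small offline lint for the LDIF files in the notes above, added here as an example that is neither from the thread nor from DevStack. It flags what ldapadd or Keystone trip over with those files: an entry without a dn, an object class outside the standard schema, a missing MUST attribute, and a cleartext olcRootPW or userPassword. The MUST table is a hand-written subset of the core/inetorgperson schema (an assumption, not read from the server), and the sample entries are constructed from addUser.ldif.

```python
import re
# MUST attributes for the object classes the notes use (assumption: a hand-written
# subset of the OpenLDAP core/inetorgperson schema, not read from cn=schema).
MUST = {"top": set(), "dcObject": {"dc"}, "organizationalUnit": {"ou"},
        "organizationalRole": {"cn"}, "person": {"cn", "sn"},
        "organizationalPerson": {"cn", "sn"}, "inetOrgPerson": {"cn", "sn"}}
HASHED = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT|PBKDF2[-\w]*)\}", re.I)

def parse_ldif(text):
    """Return [(dn, {attr: [values]})], unfolding continuations, skipping '#' and '-'."""
    entries, attrs, dn = [], {}, None
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line.startswith("#") or line == "-":
            continue
        if not line.strip():                    # blank line ends an entry
            if dn is not None or attrs:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        key, _, value = line.partition(":")
        value = value.lstrip(": ")              # '::' base64 values left undecoded
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries

def lint_ldif(text):
    """List the defects ldapadd or Keystone would hit with this LDIF."""
    problems = []
    for dn, attrs in parse_ldif(text):
        who = dn or "<no dn>"
        if dn is None:
            problems.append(f"{who}: entry has no dn line")
        for oc in attrs.get("objectClass", []):
            if oc not in MUST:
                problems.append(f"{who}: unknown objectClass {oc}")
            for need in MUST.get(oc, ()):
                if need not in attrs:
                    problems.append(f"{who}: objectClass {oc} requires {need}")
        for pw_attr in ("olcRootPW", "userPassword"):
            for pw in attrs.get(pw_attr, []):
                if not HASHED.match(pw):
                    problems.append(f"{who}: {pw_attr} stored in cleartext")
    return problems

# Constructed samples: addUser.ldif as posted above, and a form ldapadd accepts.
AS_POSTED = "cn: Donald Duck\nsn: Duck\nuid: donaldduck\nobjectClass: top\nobjectClass: Users\nuserPassword: secret\n"
FIXED = ("dn: uid=donaldduck,ou=Users,dc=openstack,dc=org\ncn: Donald Duck\nsn: Duck\n"
         "uid: donaldduck\nobjectClass: inetOrgPerson\nuserPassword: {SSHA}placeholder\n")
```

Run `lint_ldif` over openstack.ldif and manager.ldif (after the sed substitution) as well; the cn=config modify entry has no objectClass, so only its olcRootPW value is checked.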