[openstack-dev] Keystone Split Backend LDAP Problem (LDAPS)
Miller, Mark M (EB SW Cloud - R&D - Corvallis)
mark.m.miller at hp.com
Tue Aug 6 21:34:07 UTC 2013
The current keystone code already has this functionality; however, it is only provided for tls configurations and not ldaps. By the way, I am connecting to the HP Enterprise Directory.
# Excerpt from keystone/common/ldap/core.py as posted, indentation restored.
# LOG, _ (gettext) and LDAP_TLS_CERTS are module-level names defined
# elsewhere in that file; the two imports it relies on are shown here.
import os

import ldap


class LdapWrapper(object):
    def __init__(self, url, page_size, alias_dereferencing=None,
                 use_tls=False, tls_cacertfile=None, tls_cacertdir=None,
                 tls_req_cert='demand'):
        LOG.debug(_("LDAP init: url=%s"), url)
        LOG.debug(_('LDAP init: use_tls=%(use_tls)s\n'
                    'tls_cacertfile=%(tls_cacertfile)s\n'
                    'tls_cacertdir=%(tls_cacertdir)s\n'
                    'tls_req_cert=%(tls_req_cert)s\n'
                    'tls_avail=%(tls_avail)s\n') %
                  {'use_tls': use_tls,
                   'tls_cacertfile': tls_cacertfile,
                   'tls_cacertdir': tls_cacertdir,
                   'tls_req_cert': tls_req_cert,
                   'tls_avail': ldap.TLS_AVAIL
                   })
        #NOTE(topol)
        #for extra debugging uncomment the following line
        #ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095)
        using_ldaps = url.lower().startswith("ldaps")
        if use_tls and using_ldaps:
            raise AssertionError(_('Invalid TLS / LDAPS combination'))
        # Everything below only runs for StartTLS (use_tls); an ldaps:// URL
        # skips it, which is the gap described in this thread.
        if use_tls:
            if not ldap.TLS_AVAIL:
                raise ValueError(_('Invalid LDAP TLS_AVAIL option: %s. TLS '
                                   'not available') % ldap.TLS_AVAIL)
            if tls_cacertfile:
                #NOTE(topol)
                #python ldap TLS does not verify CACERTFILE or CACERTDIR
                #so we add some extra simple sanity check verification
                #Also, setting these values globally (i.e. on the ldap object)
                #works but these values are ignored when setting them on the
                #connection
                if not os.path.isfile(tls_cacertfile):
                    raise IOError(_("tls_cacertfile %s not found "
                                    "or is not a file") %
                                  tls_cacertfile)
                ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile)
            elif tls_cacertdir:
                #NOTE(topol)
                #python ldap TLS does not verify CACERTFILE or CACERTDIR
                #so we add some extra simple sanity check verification
                #Also, setting these values globally (i.e. on the ldap object)
                #works but these values are ignored when setting them on the
                #connection
                if not os.path.isdir(tls_cacertdir):
                    raise IOError(_("tls_cacertdir %s not found "
                                    "or is not a directory") %
                                  tls_cacertdir)
                ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, tls_cacertdir)
            if tls_req_cert in LDAP_TLS_CERTS.values():
                ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, tls_req_cert)
            else:
                LOG.debug(_("LDAP TLS: invalid TLS_REQUIRE_CERT Option=%s"),
                          tls_req_cert)
        self.conn = ldap.initialize(url)
        self.conn.protocol_version = ldap.VERSION3
        if alias_dereferencing is not None:
            self.conn.set_option(ldap.OPT_DEREF, alias_dereferencing)
        self.page_size = page_size
        if use_tls:
            self.conn.start_tls_s()
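The following is an added example, not Keystone's code or a patch from anyone in this thread. It separates the decision (which python-ldap options to set, and whether StartTLS is needed) from the side effects, keeps the same file/directory checks and the "TLS and LDAPS together is invalid" rule as the LdapWrapper snippet above, but applies the CA and REQUIRE_CERT settings on the ldaps:// path as well. The names plan_tls_options, apply_tls_plan, FakeLdap and demo, and the host directory.example.com, are assumptions made for this example; FakeLdap is a recording stand-in so the logic can be exercised without a directory server, and the constant values in it match python-ldap's OPT_X_TLS_* values.

```python
"""Added example (not Keystone's code): plan python-ldap TLS settings for
both ldaps:// and StartTLS, so the CA checks are not skipped for LDAPS."""
import os
import tempfile
from collections import namedtuple

# option: python-ldap global option name. value: a path, or (when is_const is
# True) the name of a python-ldap constant resolved in apply_tls_plan().
Setting = namedtuple('Setting', 'option value is_const')

# Same words the thread's LDAP_TLS_CERTS map accepts for tls_req_cert.
REQ_CERT_CONSTS = {
    'never': 'OPT_X_TLS_NEVER',
    'allow': 'OPT_X_TLS_ALLOW',
    'demand': 'OPT_X_TLS_DEMAND',
}


def plan_tls_options(url, use_tls=False, tls_cacertfile=None,
                     tls_cacertdir=None, tls_req_cert='demand', tls_avail=True):
    """Return (settings, start_tls): settings to apply before initialize(),
    and whether conn.start_tls_s() must follow it."""
    using_ldaps = url.lower().startswith('ldaps')
    if use_tls and using_ldaps:
        raise ValueError('Invalid TLS / LDAPS combination')
    if not (use_tls or using_ldaps):
        # Plain ldap://: nothing is encrypted, so no TLS options apply.
        return [], False
    if not tls_avail:
        raise ValueError('python-ldap was built without TLS support')

    settings = []
    # File takes precedence over directory, with the same existence checks
    # as the thread's code, now reached for ldaps:// too.
    if tls_cacertfile:
        if not os.path.isfile(tls_cacertfile):
            raise IOError('tls_cacertfile %s not found or is not a file' % tls_cacertfile)
        settings.append(Setting('OPT_X_TLS_CACERTFILE', tls_cacertfile, False))
    elif tls_cacertdir:
        if not os.path.isdir(tls_cacertdir):
            raise IOError('tls_cacertdir %s not found or is not a directory' % tls_cacertdir)
        settings.append(Setting('OPT_X_TLS_CACERTDIR', tls_cacertdir, False))
    # With neither set, verification relies on whatever trust store libldap
    # is configured with outside Keystone, not on keystone.conf.

    if tls_req_cert not in REQ_CERT_CONSTS:
        raise ValueError('invalid tls_req_cert %r' % (tls_req_cert,))
    settings.append(Setting('OPT_X_TLS_REQUIRE_CERT', REQ_CERT_CONSTS[tls_req_cert], True))
    return settings, use_tls


def apply_tls_plan(ldap_module, url, settings, start_tls):
    """Apply the plan via a python-ldap-compatible module and return the
    connection (real `ldap` module, or FakeLdap below for dry runs)."""
    for s in settings:
        value = getattr(ldap_module, s.value) if s.is_const else s.value
        ldap_module.set_option(getattr(ldap_module, s.option), value)
    conn = ldap_module.initialize(url)
    conn.protocol_version = ldap_module.VERSION3
    if start_tls:
        conn.start_tls_s()
    return conn


class FakeLdap(object):
    """Stand-in for python-ldap that records the calls instead of making them."""
    OPT_X_TLS_CACERTFILE = 'cacertfile'
    OPT_X_TLS_CACERTDIR = 'cacertdir'
    OPT_X_TLS_REQUIRE_CERT = 'require_cert'
    OPT_X_TLS_NEVER, OPT_X_TLS_ALLOW, OPT_X_TLS_DEMAND = 0, 3, 2  # python-ldap values
    VERSION3 = 3

    def __init__(self):
        self.options = {}
        self.calls = []

    def set_option(self, opt, value):
        self.options[opt] = value

    def initialize(self, url):
        self.calls.append(('initialize', url))
        return self

    def start_tls_s(self):
        self.calls.append(('start_tls_s',))


def demo(url='ldaps://directory.example.com:636', use_tls=False):
    """Run the plan against FakeLdap with a constructed (empty) CA file;
    returns the options that would be set and the calls that would be made."""
    with tempfile.NamedTemporaryFile(suffix='.cer') as ca:
        settings, start_tls = plan_tls_options(url, use_tls=use_tls, tls_cacertfile=ca.name)
        fake = FakeLdap()
        apply_tls_plan(fake, url, settings, start_tls)
    return fake.options, fake.calls


if __name__ == '__main__':
    print(demo())
    print(demo('ldap://directory.example.com', use_tls=True))
```

Running demo() shows that an ldaps:// URL now gets OPT_X_TLS_CACERTFILE and OPT_X_TLS_REQUIRE_CERT set before initialize() with no start_tls_s() call, while ldap:// with use_tls gets the same options followed by start_tls_s(); the invalid combination and a missing CA file fail before any connection is opened.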
From: Adam Young [mailto:ayoung at redhat.com]
Sent: Tuesday, August 06, 2013 2:09 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Cc: OpenStack Development Mailing List; Dolph Mathews (dolph.mathews at gmail.com); Yee, Guang
Subject: Re: Keystone Split Backend LDAP Problem (LDAPS)
On 08/06/2013 05:02 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) wrote:
Next problem:
I am using ldaps to connect to the LDAP server. Although I am not using TLS, I do need to set/use the ldap.OPT_X_TLS_CERTFILE option. However, the current code has no way to let me do this, so I have added an if statement in the following code to temporarily get around this issue (file keystone/common/ldap/core.py). This may not be the best place/way to fix my problem. Please let me know if I need to use some other configuration parameters in keystone.conf or if I have found a bug.
This looks like Windows. I thought that implied TLS.
However, there is a certfile parameter on the LDAP backend already, just for TLS. LDAP.tls_cacertfile
I think it will be OK to conditionally set the options based on the presence of this variable in the LDAPS code path:
    if CONF.LDAP.tls_cacertfile:
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CONF.LDAP.tls_cacertfile)
Similar Python sample code:
    import ldap

    # host, binduser, bindpw, base and scope are set earlier in the script.
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "d:/etc/ssl/certs/hpca2ssG2_ns.cer")
    # ldap.set_option( ldap.OPT_DEBUG_LEVEL, 255 )
    ldap_client = ldap.initialize(host)
    ldap_client.protocol_version = ldap.VERSION3
    ldap_client.simple_bind_s(binduser, bindpw)
    ldapBound = True
    filter = '(uid=mark.m*)'
    attrs = ['cn', 'mail', 'uid', 'hpStatus']
    print("base: %s, scope: %s, filter: %s, attrs:%s" % (base, scope, filter, attrs))
    r = ldap_client.search_s(base, scope, filter, attrs)
Mark
From: Adam Young [mailto:ayoung at redhat.com]
Sent: Monday, August 05, 2013 5:32 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Cc: OpenStack Development Mailing List; Dolph Mathews (dolph.mathews at gmail.com); Yee, Guang
Subject: Re: Keystone Split Backend LDAP Question
On 08/05/2013 07:37 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) wrote:
I have been inserting debug logging and stack traces into the code base to help find out what is and is not happening.
- I am able to connect the LDAP backend to our Enterprise Directory and perform a REST "get an unscoped token" from keystone. Following is the result:

    Connection → keep-alive
    Content-Length → 259
    Content-Type → application/json
    Date → Fri, 26 Jul 2013 21:49:16 GMT
    Vary → X-Auth-Token
    X-Subject-Token → cae95a17517245798acb17c47b8eb74b
    {
        "token": {
            "issued_at": "2013-07-26T21:49:16.951821Z",
            "extras": {},
            "methods": [
                "password"
            ],
            "expires_at": "2045-04-03T19:49:16.951738Z",
            "user": {
                "domain": {
                    "id": "default",
                    "name": "Default"
                },
                "id": "mark.m.miller at hp.com",
                "name": "mark.m.miller at hp.com"
            }
        }
    }
- When I attempt to assign a role to the user:

    keystone user-role-add --user "mark.m.miller at hp.com" --role-id 7fb862d10b5c46679b4334eae9c73a46 --tenant-id 9798b027472d4f459d231c005977b3ac

  the "identity/controllers/get_users()" method is called instead of the "get_user_by_name()" method.
Opened a bug for this.
https://bugs.launchpad.net/keystone/+bug/1208653
Does anyone know why or how to fix this or if what I am trying to do even works?
Regards,
Mark Miller
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Friday, August 02, 2013 4:00 PM
To: OpenStack Development Mailing List; Adam Young (ayoung at redhat.com); Dolph Mathews (dolph.mathews at gmail.com); Yee, Guang
Subject: Re: [openstack-dev] Keystone Split Backend LDAP Question
Hello,
With some minor tweaking of the keystone common/ldap/core.py file, I have been able to authenticate and get an unscoped token for a user from an LDAP Enterprise Directory. I want to continue testing but I have some questions that need to be answered before I can continue.
1. Do I need to add the user from the LDAP server to the Keystone SQL database or will the H-2 code search the LDAP server?
2. When I performed a "keystone user-list" the following log file entries were written, indicating that keystone was attempting to get all the users on the massive Enterprise Directory. How do we limit this query to just the one user or group of users we are interested in?

    2013-07-23 14:04:31 DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
    2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] In get_connection 6 user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
    2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] MY query in _ldap_get_all: (&)
    2013-07-23 14:04:32 DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=People,o=hp.com, scope=2, query=(&), attrs=['businessCategory', 'userPassword', 'hpStatus', 'mail', 'uid']
3. Next I want to acquire a scoped token. How do I assign the LDAP user to a local project?
Regards,
Mark Miller