[Openstack] Help with keystone LDAP backend

Steven Presser spresse1 at jhu.edu
Sun Mar 3 18:05:33 UTC 2013


Hey all,
     I have some questions about using the LDAP backend for keystone.  
I'm in what seems to be an odd situation.  I have an organization-wide 
LDAP directory that already exists.  All of our users will have access 
to OpenStack, so we want to tie directly into this directory.  However, 
we can't have service accounts mixed in with the regular users, at least 
not in any way that might result in you being able to log in to a 
service account.  For neatness, the directory admin would prefer that 
all the OpenStack stuff be off in its own OU (and has allocated us one 
so we can do that).
     In that OU, I've set up the recommended schema from 
http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html 
(changing it to my domain, obviously).  I then aliased all our users in 
to ou=Users.  The relevant part of my keystone.conf currently looks like:

[ldap]
url = ldap://[host]
user = cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu
password = [password]
suffix = dc=acm,dc=jhu,dc=edu
use_dumb_member = False
allow_subtree_delete = False
query_scope = sub

As near as I can tell, this should correspond to this query:
$ ldapsearch -x  -D cn=admin,ou=OpenStack,dc=acm,dc=jhu,dc=edu -w 
[password]  -b dc=acm,dc=jhu,dc=edu '(objectclass=inetOrgPerson)' -s sub

Which returns my aliased users correctly.  (that is, it returns "dn: 
uid=[uid],ou=People,dc=acm,dc=jhu,dc=edu" for each user).

I really can't figure out what's going on here.  Logically, this should 
work, but (obviously) doesn't.  Anyone have some advice for me?   My 
suspicion is that query_scope=sub isn't doing what I expect.  (Returning 
search results from within a subtree)

Oh, finally, I have DEREF always enabled in ldap.conf.

Thanks,
Steve
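The post's ldapsearch runs with DEREF always in ldap.conf, and what comes back for each aliased user is the target DN under ou=People rather than the alias DN under ou=Users. The following is an added example, not code from the post or from Keystone: a small in-memory model of how an LDAP server applies the search scope (base, one, sub) and the four alias-dereferencing modes from RFC 4511 (never, searching, finding, always) over a constructed tree shaped like the one described (real inetOrgPerson entries under ou=People, alias entries under ou=Users,ou=OpenStack). The suffix dc=example,dc=org and the users alice and bob are constructed, DN parsing assumes no escaped commas, and the filter is a single equality match; it is a reasoning aid, not an LDAP client.

```python
"""Toy model of LDAP search scope and alias dereferencing (RFC 4511 4.5.1).

Added example, not from the original post or from Keystone. It simulates the
server side of a search so the effect of the deref mode and scope on (a)
whether alias entries match a filter and (b) which DNs are returned can be
checked offline. All DNs below are constructed.
"""

SUFFIX = "dc=example,dc=org"
PEOPLE = "ou=People," + SUFFIX
USERS = "ou=Users,ou=OpenStack," + SUFFIX


def person(uid):
    # Attribute names and values are stored lower-cased (LDAP matching is
    # case-insensitive for these attributes).
    return {"objectclass": ["inetorgperson"], "uid": [uid]}


def alias(target):
    # OpenLDAP-style alias entry: objectClass alias plus aliasedObjectName.
    return {"objectclass": ["alias", "extensibleobject"], "aliasedobjectname": [target]}


DIRECTORY = {
    SUFFIX: {"objectclass": ["dcobject", "organization"]},
    PEOPLE: {"objectclass": ["organizationalunit"]},
    f"uid=alice,{PEOPLE}": person("alice"),
    f"uid=bob,{PEOPLE}": person("bob"),
    "ou=OpenStack," + SUFFIX: {"objectclass": ["organizationalunit"]},
    USERS: {"objectclass": ["organizationalunit"]},
    f"uid=alice,{USERS}": alias(f"uid=alice,{PEOPLE}"),
    f"uid=bob,{USERS}": alias(f"uid=bob,{PEOPLE}"),
}


def parent(dn):
    # Simplification: RDN values in this tree contain no escaped commas.
    return dn.split(",", 1)[1] if "," in dn else ""


def is_under(dn, base):
    return dn == base or dn.endswith("," + base)


def is_alias(dn):
    return "alias" in DIRECTORY[dn]["objectclass"]


def dereference(dn, seen=()):
    """Follow aliasedObjectName to a non-alias entry; refuse alias loops."""
    if not is_alias(dn):
        return dn
    if dn in seen:
        raise ValueError("alias loop at " + dn)
    return dereference(DIRECTORY[dn]["aliasedobjectname"][0], seen + (dn,))


def in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if scope == "one":
        return parent(dn) == base
    if scope == "sub":
        return is_under(dn, base)
    raise ValueError(scope)


def search(base, scope, filter_attr, filter_value, deref="never"):
    """Sorted DNs matching an equality filter, honouring scope and deref mode."""
    if deref not in ("never", "searching", "finding", "always"):
        raise ValueError(deref)
    # finding / always: the base object itself is dereferenced first.
    if deref in ("finding", "always"):
        base = dereference(base)
    candidates = {dn for dn in DIRECTORY if in_scope(dn, base, scope)}
    # searching / always: aliases found below the base are replaced by their
    # targets (the base entry is left alone in 'searching' mode). For a
    # subtree search the target's own subtree is searched as well.
    if deref in ("searching", "always"):
        for dn in list(candidates):
            if is_alias(dn) and dn != base:
                candidates.discard(dn)
                target = dereference(dn)
                inner = "sub" if scope == "sub" else "base"
                candidates.update(d for d in DIRECTORY if in_scope(d, target, inner))
    attr, value = filter_attr.lower(), filter_value.lower()
    return sorted(dn for dn in candidates if value in DIRECTORY[dn].get(attr, []))


def outside_base(results, base):
    """Returned DNs that do not live under the tree that was searched."""
    return [dn for dn in results if not is_under(dn, base)]


if __name__ == "__main__":
    for mode in ("never", "searching", "finding", "always"):
        hits = search(USERS, "sub", "objectClass", "inetOrgPerson", mode)
        print(f"{mode:10} {hits}  outside base: {outside_base(hits, USERS)}")
```

Two things fall out of the model. With deref never or finding, a subtree search of ou=Users for objectClass=inetOrgPerson matches nothing, because the alias entries themselves are not inetOrgPerson; with searching or always the matches appear, but every returned DN is the ou=People target, outside the OU that was searched. Any consumer that later looks an entry up by its DN, or checks that a DN sits under its configured user tree, sees that second effect, so when comparing ldapsearch output against what a client gets it is worth confirming both use the same deref mode rather than assuming ldap.conf applies to both.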