[Openstack] (keystone/horizon) ActiveDirectory/ldap for users/groups

Sean.Boran at swisscom.com
Tue Aug 2 13:25:24 UTC 2016


Hi,

I’m having a bit of fun trying to use AD for identifying and authorising users on OpenStack.
The idea is to use AD for read-only access to users/group definitions, but all authorisation data to be stored in SQL.

What works: Users can be authenticated (LDAP bind works, verification of the user), but not yet authorised – one gets "You are not authorized for any projects or domains" after authentication (integration of groups).
On the command line with ldapsearch, users and groups can be listed (so the attributes configured should be ok?)

Problems when testing with horizon:
- Login via ldap fails on authorization
- If logged in as admin in the default (sql) domain, the LDAP domain can be viewed at /horizon/identity/domains/ but users and groups cannot be managed “Unable to retrieve group list”, “Unable to retrieve user list”
This may also be because the AD contains about 20’000 users (too much data for the user/group management screen).

The /etc/keystone/domains/keystone.example.com is as follows.

[ldap]
user_enabled_attribute=userAccountControl
query_scope=sub
user_filter=
group_allow_delete=False
page_size=0
use_tls=False
password=NOT_HERE
user_allow_update=False
user_id_attribute=cn
user_enabled_mask=2
suffix=dc=example,dc=com
user_enabled_default=512
group_allow_update=False
user_name_attribute=sAMAccountName
chase_referrals=False
group_allow_create=False
user_allow_delete=False

group_name_attribute=cn
group_filter=
group_member_attribute=member
group_tree_dn=dc=example,dc=com
group_objectclass=group
group_desc_attribute=
group_id_attribute=

user_pass_attribute=userPassword
user=cn=my-service-user
user_allow_create=False
user_tree_dn=dc=example,dc=com
url=ldap://ldap.example.com
user_objectclass=person

[identity]
driver=keystone.identity.backends.ldap.Identity

Debugging for ldap was enabled to see the ldap binds/queries being sent out.

Versions:
keystone --version shows 2.3
Mitaka (with initial install done by Fuel).

Resources consulted so far:
http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider 
http://docs.openstack.org/admin-guide/keystone_integrate_with_ldap.html 
Book: openstack production recipes.
Also: https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow but got confused there.

Questions:
- Are there any good resources out there for AD integration? E.g. How user/group/roles work within an ldap context?
- Or tips on the above?
- How can one assign users from LDAP to the _members_ or admin groups to get started?

Thanks in advance,

Sean 



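As an added example, not part of the post above and not keystone's own code, the script below parses an [ldap] domain config like the one quoted, derives the search filters and the userAccountControl "enabled" check keystone applies, and flags the posted settings that interact badly with a 20'000-user AD (page_size=0, objectClass=person, empty group_id_attribute). The sample config is constructed from the post's values; AD_DEFAULT_MAX_PAGE_SIZE is AD's default MaxPageSize policy.

```python
import configparser

# Constructed from the [ldap] values quoted in the post (only the keys used here).
SAMPLE_CONF = """[ldap]
user_objectclass=person
user_filter=
user_enabled_mask=2
user_enabled_default=512
page_size=0
group_objectclass=group
group_filter=
group_id_attribute=
"""

AD_DEFAULT_MAX_PAGE_SIZE = 1000  # AD's default MaxPageSize LDAP policy

def load_ldap_section(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp["ldap"]

def search_filter(objectclass, extra_filter):
    # keystone composes (&(objectClass=<class>)<filter>) for user and group lookups
    return "(&(objectClass=%s)%s)" % (objectclass, extra_filter or "")

def is_enabled(uac_value, mask, default):
    # keystone: with a non-zero user_enabled_mask the account is enabled unless all
    # masked bits are set; a missing attribute falls back to user_enabled_default
    value = int(default if uac_value is None else uac_value)
    return (value & mask) != mask

def check_config(ldap):
    """Return warnings about settings worth checking against the symptoms in the post."""
    warnings = []
    if int(ldap.get("page_size", "0")) == 0:
        warnings.append("page_size=0: a search returning more than AD's MaxPageSize (%d) "
                        "entries fails with sizeLimitExceeded; set page_size to use "
                        "paged results" % AD_DEFAULT_MAX_PAGE_SIZE)
    if ldap.get("user_objectclass") == "person":
        warnings.append("objectClass=person also matches AD computer and contact objects; "
                        "narrow it with user_filter, e.g. "
                        "(&(objectCategory=person)(objectClass=user))")
    if not ldap.get("group_id_attribute"):
        warnings.append("group_id_attribute is empty; keystone falls back to its "
                        "default, cn")
    return warnings
```

Run check_config(load_ldap_section(SAMPLE_CONF)) to see the warnings for the posted values, and is_enabled(514, 2, 512) to see a disabled account (bit 2 set) evaluated the way keystone does.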