[Openstack] (keystone/horizon) ActiveDirectory/ldap for users/groups

Alexander Makarov amakarov at mirantis.com
Tue Aug 2 15:46:31 UTC 2016


Sean,

the problem may be in the following: in the Mitaka release, keystone requires 
the user to have a role in the domain it is being authorized in. We ran into 
the problem when Horizon tried to authorize a user in the Default domain and got 
the same error.


On 02.08.2016 16:25, Sean.Boran at swisscom.com wrote:
> Hi,
>
> I’m having a bit of fun trying to use AD for identifying and authorising users on Openstack.
> The idea is to use AD for read-only access to users/group definitions, but all authorisation data to be stored in SQL.
>
> What works: Users can be authenticated (LDAP bind works, verification of the user), but not yet authorised – one gets "You are not authorized for any projects or domains" after authentication (integration of groups).
> On the command line with ldapsearch, users and groups can be listed (so the attributes configured should be ok?)
>
> Problems when testing with horizon:
> - Login via ldap fails on authorization
> - If logged in as admin in the default (sql) domain, the LDAP domain can be viewed at /horizon/identity/domains/ but users and groups cannot be managed: “Unable to retrieve group list”, “Unable to retrieve user list”
> This may also be since the AD contains about 20’000 users (too much data for the user/group management screen)
>
> The /etc/keystone/domains/keystone.example.com is as follows.
>
> [ldap]
> user_enabled_attribute=userAccountControl
> query_scope=sub
> user_filter=
> group_allow_delete=False
> page_size=0
> use_tls=False
> password=NOT_HERE
> user_allow_update=False
> user_id_attribute=cn
> user_enabled_mask=2
> suffix= dc=example,dc=com
> user_enabled_default=512
> group_allow_update=False
> user_name_attribute=sAMAccountName
> chase_referrals=False
> group_allow_create=False
> user_allow_delete=False
>
> group_name_attribute=cn
> group_filter=
> group_member_attribute=member
> group_tree_dn=dc=example,dc=com
> group_objectclass = group
> group_desc_attribute=
> group_id_attribute=
>
> user_pass_attribute=userPassword
> user=cn=my-service-user
> user_allow_create=False
> user_tree_dn=dc=example,dc=com
> url=ldap://ldap.example.com
> user_objectclass=person
>
> [identity]
> driver=keystone.identity.backends.ldap.Identity
>
> Debugging for ldap was enabled to see the ldap binds/queries being sent out.
>
> Versions:
> keystone --version shows 2.3
> Mitaka (with initial install done by Fuel).
>
> Resources consulted so far:
> http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
> http://docs.openstack.org/admin-guide/keystone_integrate_with_ldap.html
> Book: openstack production recipes.
> Also: https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow but got confused there.
>
> Questions:
> - Are there any good resources out there for AD integration? E.g. How user/group/roles work within an ldap context?
> - Or tips on the above?
> - How can one assign users from LDAP to the _members_ or admin groups to get started?
>
> Thanks in advance,
>
> Sean
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
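As an added example (not code from either poster), the role bootstrap that Alexander's point calls for, typed into the openstack CLI: it creates a project in the LDAP domain and gives an LDAP group a role on that project and on the domain itself, so keystone can issue both project-scoped and domain-scoped tokens while the assignments stay in SQL. The domain, project and group names are placeholders, and the role name `_member_` is keystone's default member role of that era (the question writes `_members_`).

```shell
#!/bin/sh
# Added example (not from the thread): bootstrap role assignments so that
# users from an LDAP/AD-backed keystone domain are authorized somewhere.
# Domain, project and group names below are assumed placeholders.
export OS_IDENTITY_API_VERSION=3

# run_os: run an openstack CLI command, or just print it when DRY_RUN=1
# (lets the assignment plan be reviewed before touching keystone).
run_os() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'openstack %s\n' "$*"
    else
        openstack "$@"
    fi
}

# assign_domain_roles DOMAIN PROJECT GROUP [ROLE]
# Creates a project inside the LDAP domain (assignments live in SQL, so a
# read-only directory is fine) and gives the LDAP group ROLE both on that
# project and on the domain itself, which is what Mitaka keystone checks
# when Horizon asks for a domain-scoped token.
assign_domain_roles() {
    domain=$1; project=$2; group=$3; role=${4:-_member_}
    run_os project create --domain "$domain" "$project"
    run_os role add --group "$group" --group-domain "$domain" \
        --project "$project" --project-domain "$domain" "$role"
    run_os role add --group "$group" --group-domain "$domain" \
        --domain "$domain" "$role"
}

# show_group_assignments DOMAIN GROUP: verify what the group can now reach.
show_group_assignments() {
    run_os role assignment list --group "$2" --group-domain "$1" --names
}

# Usage (prints the plan only):
#   DRY_RUN=1 assign_domain_roles example.com ldap-users openstack-users
```

Run without DRY_RUN as a user holding the admin role, with the usual OS_* credentials exported, and then log in through Horizon as a member of the group.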
