Configure LDAP with Keystone server

To configure LDAP integration with Keystone server in MCP, you must create a separate file for this definition in your cluster model. In this section, the ldap.yml file is used as an example. You must also set up the rights mapping for users and groups. If required, you can also specify filtering.

To configure LDAP with Keystone server:

  1. In your Git project repository, open the cluster/<cluster_name>/openstack/ directory of your cluster model.

  2. In this directory, create the ldap.yml file.

  3. Create a configuration for the LDAP integration in the ldap.yml file.

    Example:

    parameters:
      keystone:
        server:
          service_name: apache2
          domain:
            example.com:
              description: ""
              backend: ldap
              identity:
                driver: ldap
              assignment:
                backend: sql
              ldap:
                url: ldap://<LDAP ADDRESS>
                bind_user: CN=<UserName>,OU=<OU-name>,DC=<DomainName>,DC=<DomainExtension>
                query_scope: sub
                page_size: 1000
                password: <LDAP PASSWORD>
                suffix: DC=<DomainName>,DC=<DomainExtension>
                user_tree_dn: DC=<DomainName>,DC=<DomainExtension>
                group_tree_dn: DC=<DomainName>,DC=<DomainExtension>
                user_objectclass: person
                user_id_attribute: sAMAccountName
                user_name_attribute: sAMAccountName
                user_pass_attribute: userPassword
                user_enabled_attribute: userAccountControl
                user_mail_attribute: mail
                group_objectclass: ""
                group_id_attribute: sAMAccountName
                group_name_attribute: cn
                group_member_attribute: member
                group_desc_attribute: cn
                filter:
                  user: "(&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))"
                  group: ""
    
  4. Optional. Configure the TLS encryption on LDAP traffic as follows. The tls block sits under the same keystone:server:domain tree as the ldap settings in step 3, and cacert holds the PEM-encoded CA certificate that signed the LDAP server certificate:

    parameters:
      keystone:
        server:
          domain:
            example.com:
              ldap:
                url: ldaps://<LDAP ADDRESS>
                tls:
                  enabled: True
                  req_cert: demand|allow|never
                  cacert: |
                    -----BEGIN CERTIFICATE-----
                    ...
                    -----END CERTIFICATE-----
    

    Note

    The req_cert configuration key specifies the client certificate checks to be performed on incoming TLS sessions from the LDAP server. The possible values for req_cert include:

    • demand

      The LDAP server always receives certificate requests. If no certificate is provided or the provided certificate cannot be verified against the existing certificate authorities file, the session terminates.

    • allow

      The LDAP server always receives certificate requests. If no certificate is provided or the provided certificate cannot be verified against the existing certificate authorities file, the session proceeds as normal.

    • never

      A certificate is never requested.

    Only demand fails closed: with allow or never, a missing or unverifiable certificate does not stop the session, so neither value protects against an impersonated LDAP server. For production, use demand together with cacert.

    For details, see the Integrate Identity with LDAP section in the upstream Keystone Administrator Guide.

  5. In cluster/<cluster_name>/openstack/control.yml, add the previously created class at the bottom of the classes section:

    classes:
      ...
      cluster.<cluster_name>.openstack.ldap
      cluster.<cluster_name>
    parameters:
      ...
    
  6. Add parameters for Horizon to cluster/<cluster_name>/openstack/proxy.yml:

    parameters:
      horizon:
        server:
          multidomain: true
    
  7. Enforce the Keystone update:

    salt -C 'I@keystone:server' state.sls keystone -b 1
    salt -C 'I@horizon:server' state.sls horizon
    
  8. Verify the LDAP integration:

    source /root/keystonercv3
    openstack user list --domain <your_domain>
    
  9. Grant the admin role to a specific user:

    1. Obtain the user ID:

      openstack user list --domain <your_domain> | grep <user_name>
      | <user_id> | <user_name>  |
      
    2. Set the admin role:

      openstack role add --user <user_id> admin --domain <your_domain>
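The user filter in step 3 decides which directory accounts Keystone lists as users, so it is worth checking what it admits before enforcing the state. The following added example (not part of this page or of the MCP/Keystone code) implements a small evaluator for the RFC 4515 filter subset used above and runs the page's filter against constructed sample entries; the entries, attribute values and helper names are assumptions for illustration.

```python
# Constructed sample AD entries (multi-valued, as a client library returns them), and the page's user filter.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["alice"], "objectClass": ["top", "person", "user"],
     "uidNumber": ["10001"], "unixHomeDirectory": ["/home/alice"]},
    {"sAMAccountName": ["bob"], "objectClass": ["top", "person", "user"],
     "uidNumber": ["10002"]},                                   # no unixHomeDirectory
    {"sAMAccountName": ["svc-backup"], "objectClass": ["top", "person", "user"],
     "unixHomeDirectory": ["/home/svc-backup"]},                # no uidNumber
    {"sAMAccountName": ["printers"], "objectClass": ["top", "group"],
     "uidNumber": ["20000"], "unixHomeDirectory": ["/nonexistent"]},  # not a person
]
USER_FILTER = "(&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))"

def _parse(s, i):
    """Parse the RFC 4515 subset used here (&, |, !, attr=value, attr=*) at offset i."""
    if s[i:i + 1] != "(": raise ValueError(f"expected '(' at offset {i}")
    op, i = s[i + 1:i + 2], i + 2
    if op in ("&", "|"):                              # n-ary AND / OR
        kids = []
        while s[i:i + 1] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        node = (op, kids)
    elif op == "!":                                   # unary NOT
        child, i = _parse(s, i)
        node = ("!", child)
    else:                                             # equality or presence item
        start, end = i - 1, s.find(")", i)
        if end < 0 or "=" not in s[start:end]: raise ValueError(f"malformed item at offset {start}")
        attr, _, value = s[start:end].partition("=")
        node, i = ("=", attr, value), end
    if s[i:i + 1] != ")": raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1                                # (AST node, offset after ')')

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, as AD does)."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    vals = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)

def visible_users(filter_text, entries, id_attr="sAMAccountName"):
    """Return the user_id_attribute values Keystone would list under this filter."""
    ast, end = _parse(filter_text, 0)
    if end != len(filter_text): raise ValueError("unexpected trailing characters in filter")
    return [e[id_attr][0] for e in entries if matches(ast, e)]
```

With the page's filter only alice survives: bob lacks unixHomeDirectory, svc-backup lacks uidNumber, and printers is not a person, which is the intended effect of restricting Keystone to POSIX-enabled person accounts.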