To configure LDAP integration with the Keystone server in MCP, you must create a separate file for this definition in your cluster model. In this section, the ldap.yml file is used as an example. You must also set up the rights mapping for users and groups. If required, you can also specify filtering.
To configure LDAP with Keystone server:

1. In your Git project repository, open the cluster/<cluster_name>/openstack/ directory of your cluster model.

2. In this directory, create the ldap.yml file.

3. Create a configuration for the LDAP integration in the ldap.yml file.

   Example:

   parameters:
     keystone:
       server:
         service_name: apache2
         domain:
           example.com:
             description: ""
             backend: ldap
             identity:
               driver: ldap
             assignment:
               backend: sql
             ldap:
               url: ldap://<LDAP ADDRESS>
               bind_user: CN=<UserName>,OU=<OU-name>,DC=<DomainName>,DC=<DomainExtension>
               query_scope: sub
               page_size: 1000
               password: <LDAP PASSWORD>
               suffix: DC=<DomainName>,DC=<DomainExtension>
               user_tree_dn: DC=<DomainName>,DC=<DomainExtension>
               group_tree_dn: DC=<DomainName>,DC=<DomainExtension>
               user_objectclass: person
               user_id_attribute: sAMAccountName
               user_name_attribute: sAMAccountName
               user_pass_attribute: userPassword
               user_enabled_attribute: userAccountControl
               user_mail_attribute: mail
               group_objectclass: ""
               group_id_attribute: sAMAccountName
               group_name_attribute: cn
               group_member_attribute: member
               group_desc_attribute: cn
               filter:
                 user: "(&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))"
                 group: ""

4. Optional. Configure TLS encryption of the LDAP traffic as follows (the ldap block sits under keystone:server:domain, as in the previous step):

   parameters:
     keystone:
       server:
         domain:
           example.com:
             ldap:
               url: ldaps://<LDAP ADDRESS>
               tls:
                 enabled: True
                 req_cert: demand|allow|never
                 cacert: |
                   -----BEGIN CERTIFICATE-----
                   ...
                   -----END CERTIFICATE-----

   Note

   The req_cert configuration key specifies the client certificate checks to be performed on incoming TLS sessions from the LDAP server. The possible values for req_cert are:

   demand
     The LDAP server always receives certificate requests. If no certificate is provided, or the provided certificate cannot be verified against the existing certificate authorities file, the session terminates.

   allow
     The LDAP server always receives certificate requests. If no certificate is provided, or the provided certificate cannot be verified against the existing certificate authorities file, the session proceeds as normal.

   never
     A certificate is never requested.

   For details, see the Integrate Identity with LDAP section in the upstream Keystone Administrator Guide.

5. In cluster/<cluster_name>/openstack/control.yml, include the previously created class at the bottom of the classes section:

   classes:
     ...
     - cluster.<cluster_name>.openstack.ldap
     - cluster.<cluster_name>
   parameters:
     ...

6. Add the parameters for Horizon to cluster/<cluster_name>/openstack/proxy.yml:

   parameters:
     horizon:
       server:
         multidomain: true

7. Enforce the Keystone update:

   salt -C 'I@keystone:server' state.sls keystone -b 1
   salt -C 'I@horizon:server' state.sls horizon

8. Verify the LDAP integration:

   source /root/keystonercv3
   openstack user list --domain <your_domain>

9. Grant the admin role to a specific user:

   1. Obtain the user ID:

      openstack user list --domain <your_domain> | grep <user_name>
      | <user_id> | <user_name> |

   2. Set the admin role:

      openstack role add --user <user_id> admin --domain <your_domain>
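The ldap block from steps 3 and 4, checked for the settings that matter for security (transport encryption, req_cert, bind credentials, user filter). This is an added example, not part of the MCP documentation or the Salt formula: the two configuration dicts are constructed from the page's placeholders, and audit_ldap_block and audit_domains are hypothetical helpers.

```python
# Added example, not part of the MCP documentation: audit the ldap: block of a
# keystone domain (steps 3 and 4 above) for settings that weaken security.
# Both dicts are constructed to mirror the page's ldap.yml; the values are
# placeholders, not real credentials or hosts.
WEAK_LDAP = {
    "url": "ldap://<LDAP ADDRESS>",
    "bind_user": "CN=<UserName>,OU=<OU-name>,DC=<DomainName>,DC=<DomainExtension>",
    "password": "<LDAP PASSWORD>",
    "query_scope": "sub",
    "page_size": 1000,
    "filter": {"user": "", "group": ""},            # no user filter at all
    "tls": {"enabled": False, "req_cert": "allow"},  # TLS step skipped
}

# The same block after the TLS step with req_cert: demand, plus a user
# filter that restricts which directory objects Keystone exposes.
HARDENED_LDAP = dict(
    WEAK_LDAP,
    url="ldaps://<LDAP ADDRESS>",
    filter={"user": "(&(objectClass=person)(uidNumber=*))", "group": ""},
    tls={"enabled": True, "req_cert": "demand", "cacert": "<PEM placeholder>"},
)

def audit_ldap_block(ldap):
    """Return a list of findings for one keystone domain's ldap: settings."""
    findings = []
    tls = ldap.get("tls") or {}
    scheme = ldap.get("url", "").split("://", 1)[0]
    if scheme != "ldaps" and not tls.get("enabled"):
        findings.append("cleartext: bind password and queries go over ldap:// without TLS")
    else:
        req = tls.get("req_cert", "demand")  # Keystone's tls_req_cert defaults to demand
        if req not in ("demand", "allow", "never"):
            findings.append(f"req_cert: unknown value {req!r}")
        elif req != "demand":
            findings.append(f"req_cert: {req}; an unverifiable server certificate does not end the session")
        if not tls.get("cacert"):
            findings.append("tls.cacert not set: verification relies on the host's default CA store")
    if not ldap.get("password"):
        findings.append("password empty: Keystone would attempt an anonymous bind")
    if not (ldap.get("filter") or {}).get("user"):
        findings.append("filter.user empty: every user_objectclass object under user_tree_dn is exposed")
    return findings

def audit_domains(parameters):
    """Audit every keystone:server:domain entry whose backend is ldap."""
    domains = parameters["keystone"]["server"]["domain"]
    return {name: audit_ldap_block(d.get("ldap") or {})
            for name, d in domains.items() if d.get("backend") == "ldap"}
```

Pass the parameters mapping from ldap.yml to audit_domains; an empty list for a domain means none of the checks above fired.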