Difference between revisions of "HowtoIntegrateKeystonewithAD"
Line 68: | Line 68: | ||
... | ... | ||
[ldap] | [ldap] | ||
− | url | + | url = ldap://dc.example.com |
− | user | + | user = CN=ldap,OU=Users,DC=example,DC=com |
− | password | + | password = verybadpass |
− | suffix | + | suffix = DC=example,DC=com |
− | use_dumb_member | + | use_dumb_member = True |
− | dumb_member | + | dumb_member = CN=ldap,OU=Users,DC=example,DC=com |
− | user_tree_dn | + | user_tree_dn = OU=Users,DC=example,DC=com |
− | user_objectclass | + | user_objectclass = person |
− | user_filter | + | user_filter = |
− | user_id_attribute | + | user_id_attribute = cn |
− | user_name_attribute | + | user_name_attribute = cn |
− | user_mail_attribute = | + | user_mail_attribute = mail |
− | user_attribute_ignore | + | user_pass_attribute = |
− | user_allow_create | + | user_enabled_attribute = userAccountControl |
− | user_allow_update | + | user_enabled_mask = 2 |
− | user_allow_delete | + | user_enabled_default = 512 |
+ | user_attribute_ignore = password,tenant_id,tenants | ||
+ | user_allow_create = False | ||
+ | user_allow_update = False | ||
+ | user_allow_delete = False | ||
− | tenant_tree_dn | + | tenant_tree_dn = OU=Tenants,DC=example,DC=com |
− | tenant_filter | + | tenant_filter = |
− | tenant_objectclass | + | tenant_objectclass = groupOfNames |
− | tenant_id_attribute | + | tenant_id_attribute = cn |
− | tenant_member_attribute = member | + | tenant_member_attribute = member |
− | tenant_name_attribute | + | tenant_name_attribute = ou |
− | tenant_desc_attribute = | + | tenant_desc_attribute = description |
− | tenant_attribute_ignore = | + | tenant_enabled_attribute = extensionName |
− | tenant_allow_create | + | tenant_attribute_ignore = |
− | tenant_allow_update | + | tenant_allow_create = True |
− | tenant_allow_delete | + | tenant_allow_update = True |
+ | tenant_allow_delete = True | ||
− | role_tree_dn | + | role_tree_dn = OU=Roles,DC=example,DC=com |
− | role_filter | + | role_filter = |
− | role_objectclass | + | role_objectclass = organizationalRole |
− | role_id_attribute | + | role_id_attribute = cn |
− | role_name_attribute | + | role_name_attribute = ou |
− | role_member_attribute | + | role_member_attribute = roleOccupant |
− | role_attribute_ignore | + | role_attribute_ignore = |
− | role_allow_create | + | role_allow_create = True |
− | role_allow_update | + | role_allow_update = True |
− | role_allow_delete | + | role_allow_delete = True |
... | ... | ||
[identity] | [identity] |
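Review bot: the new [ldap] values put the AD bind credential in cleartext (`password = verybadpass`) and use an unencrypted transport (`url = ldap://dc.example.com`), so the simple bind crosses the wire in the clear; use an ldaps:// URL in the sample and state that keystone.conf must be readable only by the keystone service user. Second, `tenant_allow_create/update/delete = True` and `role_allow_create/update/delete = True` mean the bind account in `user = CN=ldap,OU=Users,DC=example,DC=com` needs write access to OU=Tenants and OU=Roles (it is not a read-only service account), while `user_allow_* = False` keeps OU=Users read-only; the delegated rights should be spelled out. Finally, `tenant_enabled_attribute = extensionName` and `user_name_attribute = cn` (users log in with their CN, not their sAMAccountName) each deserve a sentence in the text.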
Revision as of 12:38, 1 November 2012
How to Integrate Keystone with Active Directory
This document explains how to integrate Keystone with Active Directory by configuring Keystone's LDAP identity backend.
Sample information stored on Active Directory
The AD side holds three separate trees, one per Keystone identity type (users, tenants, roles). In the sample below, the per-tenant role assignments (AdminRole and MemberRole under DemoTenant) are organizationalRole entries nested beneath the tenant's groupOfNames entry; that nesting is what requires the schema change described in the next section.
Windows 2008 schema (includes Services for UNIX)
Users (OU=Users)
    AdminUser   @id @name @mail
    DemoUser    @id @name @mail
Tenants (OU=Tenants)
    DemoTenant  @id @name @description member(AdminUser, DemoUser)
        AdminRole   roleOccupant(AdminUser)
        MemberRole  roleOccupant(DemoUser)
Roles (OU=Roles)
    AdminRole   @id @name
    MemberRole  @id @name
Configuration on Active Directory
Keystone's LDAP backend records a role assignment inside a tenant by creating an organizationalRole entry (with roleOccupant pointing at the user) directly beneath the tenant's groupOfNames entry. The stock AD schema does not list groupOfNames among the allowed parents (possSuperiors) of the Organizational-Role class, so AD would reject that write. You therefore need to edit the Organizational-Role class in the schema and add groupOfNames as a possible superior.
Requirements
- The user who modifies the schema must be a member of the Schema Admins group.
- The change must be made against the domain controller that holds the Schema Master role; schema writes sent to any other DC are refused.
Procedure
- In ADSI Edit, connect to the Schema naming context.
- Open CN=Organizational-Role.
- In the Attribute Editor, edit possSuperiors.
- Add groupOfNames to the values and click OK.
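The same schema change done from PowerShell, as an added example that is not part of the original page. It runs on the Schema Master as a member of Schema Admins, reads the current possSuperiors of Organizational-Role, adds groupOfNames if it is missing, forces the DC to reload its schema cache, and verifies the result. It assumes the ActiveDirectory module (RSAT / AD DS tools) is installed; no other names are taken from the page beyond the class and attribute it edits.

```powershell
# Added example (not from the original page): equivalent of the ADSI Edit steps above.
# Run on the Schema Master in a session whose token already carries Schema Admins
# membership (log off and on after being added to the group). Assumes RSAT AD module.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext      # e.g. CN=Schema,CN=Configuration,DC=example,DC=com
$orgRole  = "CN=Organizational-Role,$schemaNC"

# Schema writes are only accepted by the Schema Master, so target it explicitly.
$fsmo = (Get-ADForest).SchemaMaster
Write-Host "Schema Master: $fsmo"

$before = (Get-ADObject -Identity $orgRole -Properties possSuperiors -Server $fsmo).possSuperiors
Write-Host "possSuperiors before: $($before -join ', ')"

if ($before -notcontains 'groupOfNames') {
    # possSuperiors is multi-valued: -Add appends, -Replace would wipe the existing parents.
    Set-ADObject -Identity $orgRole -Add @{ possSuperiors = 'groupOfNames' } -Server $fsmo

    # Ask the DC to reload its schema cache now rather than at the next periodic refresh,
    # otherwise the first organizationalRole created under a groupOfNames may still fail.
    $rootDse = [ADSI]"LDAP://$fsmo/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

$after = (Get-ADObject -Identity $orgRole -Properties possSuperiors -Server $fsmo).possSuperiors
if ($after -contains 'groupOfNames') {
    Write-Host 'OK: organizationalRole entries may now be created beneath groupOfNames entries.'
} else {
    throw 'possSuperiors was not updated; check Schema Admins membership and that this is the Schema Master.'
}
```

The change replicates to every DC in the forest; until it has, a Keystone pointed at a different DC will still get a naming-violation error when it tries to assign a role inside a tenant.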
Configuration on Keystone
On the Keystone side, set the identity driver to the LDAP backend and describe the three trees in the [ldap] section of keystone.conf. Points to notice in the sample below: user_name_attribute = cn means users authenticate to Keystone with their CN (for example AdminUser), not with their sAMAccountName; user_enabled_attribute = userAccountControl with user_enabled_mask = 2 makes Keystone report an account as disabled when AD's ACCOUNTDISABLE bit (0x2) is set, and user_enabled_default = 512 (NORMAL_ACCOUNT) is the value written when Keystone creates a user (not used here, since user_allow_create = False); the Users tree is read-only, while tenants and roles are created, updated and deleted by Keystone, so the bind account needs write access to OU=Tenants and OU=Roles. The bind password is stored in cleartext and ldap:// sends the simple bind unencrypted, so restrict access to keystone.conf and prefer an ldaps:// URL in production.
Example 1.1. Configuration for LDAP backend
...
[ldap]
# Connection and bind account. The password sits here in cleartext: keep keystone.conf
# readable only by the keystone service user, and prefer ldaps:// in production so the
# simple bind is not sent in the clear.
url = ldap://dc.example.com
user = CN=ldap,OU=Users,DC=example,DC=com
password = verybadpass
suffix = DC=example,DC=com
# groupOfNames requires at least one member; the bind account serves as the placeholder.
use_dumb_member = True
dumb_member = CN=ldap,OU=Users,DC=example,DC=com
# Users: read-only view of OU=Users. The login name is the CN, not sAMAccountName.
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_filter =
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_pass_attribute =
# enabled when (userAccountControl & 2) != 2, i.e. AD's ACCOUNTDISABLE bit is clear;
# 512 = NORMAL_ACCOUNT is what Keystone would write on create (disabled here).
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False
# Tenants: groupOfNames entries under OU=Tenants, managed by Keystone (bind account needs write access).
tenant_tree_dn = OU=Tenants,DC=example,DC=com
tenant_filter =
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore =
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
# Roles: organizationalRole entries; per-tenant assignments are created beneath the tenant entry
# (hence the possSuperiors change in the schema).
role_tree_dn = OU=Roles,DC=example,DC=com
role_filter =
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =
role_allow_create = True
role_allow_update = True
role_allow_delete = True
...
[identity]
driver = keystone.identity.backends.ldap.Identity
...
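As an added example (not from the original page or from Keystone itself), the following PowerShell checks the directory against the settings above from the AD side. It applies the rule Keystone's LDAP driver uses for user_enabled_mask (an account is enabled when the mask bits are not all set in userAccountControl) to a few constructed values and to the real OU=Users tree, flags the AD states that rule cannot see, and lists tenants with their nested role assignments the way Keystone will read them (tenant_member_attribute = member, role_member_attribute = roleOccupant). The DNs are the ones from the sample config; the ActiveDirectory module is assumed, and the numeric samples are constructed.

```powershell
# Added example (not from the original page): what Keystone will see in this AD, given the
# [ldap] settings above. Assumes the ActiveDirectory module; sample values are constructed.
Import-Module ActiveDirectory

$UserTreeDn     = 'OU=Users,DC=example,DC=com'     # user_tree_dn
$TenantTreeDn   = 'OU=Tenants,DC=example,DC=com'   # tenant_tree_dn
$EnabledMask    = 2                                # user_enabled_mask    (ACCOUNTDISABLE, 0x2)
$EnabledDefault = 512                              # user_enabled_default (NORMAL_ACCOUNT, 0x200)

function Test-KeystoneEnabled {
    # Keystone's rule: enabled unless every bit of the mask is set in the attribute value.
    param([int]$UserAccountControl)
    return (($UserAccountControl -band $EnabledMask) -ne $EnabledMask)
}

# Constructed userAccountControl values (no directory needed):
#   512    NORMAL_ACCOUNT                         -> enabled
#   514    NORMAL_ACCOUNT + ACCOUNTDISABLE        -> disabled
#   66048  NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD    -> enabled
#   544    NORMAL_ACCOUNT + PASSWD_NOTREQD        -> enabled (weak account, but the mask does not care)
foreach ($uac in 512, 514, 66048, 544) {
    '{0,6} -> enabled={1}' -f $uac, (Test-KeystoneEnabled $uac)
}

# Real users. Lockout and password expiry are not bits in userAccountControl (AD keeps them in
# lockoutTime / pwdLastSet), so with mask = 2 such accounts still list as enabled in Keystone;
# their bind will fail, but user listings and role assignments do not reflect it.
Get-ADUser -SearchBase $UserTreeDn -Filter * -Properties userAccountControl, LockedOut, PasswordExpired |
    ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name                       # cn = user_name_attribute, the login name
            KeystoneEnabled = Test-KeystoneEnabled $_.userAccountControl
            LockedOut       = $_.LockedOut
            PasswordExpired = $_.PasswordExpired
            NormalAccount   = (($_.userAccountControl -band $EnabledDefault) -eq $EnabledDefault)
        }
    } | Format-Table -AutoSize

# Tenants (groupOfNames under OU=Tenants) and the organizationalRole entries nested under each
# one, which is how Keystone stores per-tenant role assignments (roleOccupant = user DN).
Get-ADObject -SearchBase $TenantTreeDn -SearchScope OneLevel -LDAPFilter '(objectClass=groupOfNames)' -Properties member, description |
    ForEach-Object {
        $tenant = $_
        $roles  = Get-ADObject -SearchBase $tenant.DistinguishedName -SearchScope OneLevel `
                      -LDAPFilter '(objectClass=organizationalRole)' -Properties roleOccupant
        [pscustomobject]@{
            Tenant      = $tenant.Name                                                  # tenant_id_attribute = cn
            Description = $tenant.description                                           # tenant_desc_attribute
            Members     = ($tenant.member | ForEach-Object { ($_ -split ',')[0] }) -join ', '
            Assignments = ($roles | ForEach-Object {
                               "$($_.Name)=" + (($_.roleOccupant | ForEach-Object { ($_ -split ',')[0] }) -join '+')
                           }) -join '; '
        }
    } | Format-Table -AutoSize
```

The dumb member (CN=ldap) will show up in every tenant's member list; that is expected with use_dumb_member = True and is not a real tenant membership.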