OpenLDAP

Setting up LDAP for use with Keystone
The Keystone Identity provider can work with OpenLDAP as well as with SQL to provide the backing store for Users, Tenants, and Roles. Here are the steps to set up OpenLDAP to work with Keystone.

Fedora
I performed these steps on Fedora 16.

First, install the OpenLDAP server packages and start the server:

sudo yum install openldap-servers-2.4.26-6.fc16.x86_64
sudo service slapd start

Decide on a root password and hash it by running:

slappasswd

Now create a file named manager.ldif like the one below, changing olcSuffix and olcRootDN to reflect your organization. Use the output of the slappasswd command above as the olcRootPW value.

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=openstack,dc=org
-
replace: olcRootDN
olcRootDN: dc=Manager,dc=openstack,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}lBDIdfwvZkITal0k9tdhiCUolxpf6anu

Now configure your OpenLDAP server by running:

To initialize the OpenLDAP data store with the schema necessary for Keystone, you will need a script. While OpenLDAP can use a schema file, complete with variable substitution, other LDAP servers cannot. The program below generates an LDIF formatted file which you can use to import the schema.

""" """
 * 1) !/usr/bin/python

if sys.argv.__len__ < 3: usage = """ USAGE: {0} subtree organization

{0} Generates an LDIF file that can then be added to a Directory server via the ldapadd command. The Schema is in the format expected by the LDAP Identity Driver in Keystone """   print usage.format(sys.argv[0])    sys.exit(1)

subtree=sys.argv[1] organization=sys.argv[2] ldif_file=""" dn: {0} dc: {1} objectClass: dcObject objectClass: organizationalUnit ou: {1}

dn: ou=Groups,{0} objectClass: top objectClass: organizationalUnit ou: groups

dn: ou=Users,{0} objectClass: top objectClass: organizationalUnit ou: users

dn: ou=Roles,{0} objectClass: top objectClass: organizationalUnit ou: roles """

print ldif_file.format(subtree,organization)

You can run it like this (the subtree must be given as a dc= DN, since the generated root entry carries a dc attribute, and the bind DN must match the olcRootDN set in manager.ldif):

./keystone_ldap_schema.py dc=openstack,dc=org openstack > /tmp/openstack_schema.ldif
ldapadd -x -D "dc=Manager,dc=openstack,dc=org" -H ldap://localhost -w password -f /tmp/openstack_schema.ldif
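A pre-flight check for the LDIF before it goes to ldapadd, added here and not part of the page's script or of Keystone: it verifies that every entry's RDN attribute is actually present in the entry (the objectClass violation you get when the subtree is passed as cn=... rather than dc=...), that each parent entry precedes its children, and that the Users, Groups and Roles OUs Keystone expects exist. The sample LDIF is constructed, and the parser only handles simple unfolded, unencoded LDIF such as this page produces.

```python
import re
# Constructed sample LDIF; the Groups entry is deliberately wrong (cn= RDN, but only an ou: attribute).
SAMPLE_LDIF = """dn: dc=openstack,dc=org
dc: openstack

dn: ou=Users,dc=openstack,dc=org
objectClass: organizationalUnit
ou: users

dn: cn=Groups,dc=openstack,dc=org
objectClass: organizationalUnit
ou: groups

dn: ou=Roles,dc=openstack,dc=org
objectClass: organizationalUnit
ou: roles
"""

def parse_ldif(text):
    # Minimal parser for unfolded, unencoded LDIF: returns [(dn, {attr: [values]})]
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def check_ldif(text, suffix, required_ous=("Users", "Groups", "Roles")):
    problems, seen = [], {suffix.lower()}
    for dn, attrs in parse_ldif(text):
        rdn, _, parent = dn.partition(",")
        attr, _, val = rdn.strip().lower().partition("=")
        # slapd rejects an entry whose RDN attribute/value is not among its attributes.
        if val.strip() not in [v.lower() for v in attrs.get(attr, [])]:
            problems.append("%s: RDN attribute '%s' missing from entry" % (dn, attr))
        # Every entry except the suffix needs its parent added earlier in the file.
        if dn.lower() != suffix.lower() and parent.strip().lower() not in seen:
            problems.append("%s: parent not defined before this entry" % dn)
        seen.add(dn.lower())
    for ou in required_ous:
        if ("ou=%s,%s" % (ou, suffix)).lower() not in seen:
            problems.append("missing ou=%s,%s which Keystone expects" % (ou, suffix))
    return problems
```

check_ldif returns an empty list when the tree is consistent; run it over the file produced by the generator (or the hand-written Ubuntu file below) before ldapadd.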

Ubuntu
The setup on Ubuntu is somewhat different. This was done on Ubuntu 11.10.

(prompts for admin password)

Set the Domain Name to openstack.org.
Set the Organization to openstack.

Test with:

Next, create /tmp/openstack.ldif with the following contents:

dn: dc=openstack,dc=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack

dn: ou=Groups,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: roles

Then add that file to LDAP by issuing the following command: