How to Integrate Keystone with AD


= How to Integrate Keystone with Active Directory =

This document explains how to integrate Keystone with Active Directory by configuring Keystone's LDAP identity backend.

== Sample information stored on Active Directory ==

On the AD side there is one tree per identity type (users, tenants and roles), so three trees in total. Per-tenant role assignments are stored beneath the tenant entry.

Windows 2008 schema (includes Services for UNIX)

<pre>
Users (OU=Users)
    AdminUser    @id @name @mail
    DemoUser     @id @name @mail

Tenants (OU=Tenants)
    DemoTenant   @id @name @description   member(AdminUser, DemoUser)
        AdminRole    roleOccupant(AdminUser)
        MemberRole   roleOccupant(DemoUser)

Roles (OU=Roles)
    AdminRole    @id @name
    MemberRole   @id @name
</pre>

== Configuration on Active Directory ==

You need to change the schema definition of organizationalRole so that groupOfNames is allowed as a possible superior. Keystone stores each tenant's role assignments as organizationalRole entries beneath the tenant's groupOfNames entry (as in the sample tree above), and the default AD schema does not permit that nesting.

=== Requirements ===

 * The user who modifies the schema configuration needs to be a member of the Schema Administrators group
 * The change needs to be made on the domain controller holding the AD Schema Master role

=== Procedure ===

 * 1) In ADSI Edit, go to the Schema
 * 2) Open CN=Organizational-Role
 * 3) In the Attribute Editor, edit possSuperiors
 * 4) Add groupOfNames to the values and click OK

== Configuration on Keystone ==

Some configuration also needs to be done on the Keystone side: the LDAP backend has to be selected as the identity driver, and each identity type has to be mapped to its tree, object class and attributes in AD. Note that the example binds with a service account over plain ldap://, which sends the bind password unencrypted; use an LDAPS URL in production.

'''Example 1.1. Configuration for LDAP backend'''

<pre>
...
[ldap]
url                      = ldap://dc.example.com
user                     = CN=ldap,OU=Users,DC=example,DC=com
password                 = verybadpass
suffix                   = DC=example,DC=com
use_dumb_member          = True
dumb_member              = CN=ldap,OU=Users,DC=example,DC=com

user_tree_dn             = OU=Users,DC=example,DC=com
user_objectclass         = person
user_filter              =
user_id_attribute        = cn
user_name_attribute      = cn
user_mail_attribute      = mail
user_pass_attribute      =
user_enabled_attribute   = userAccountControl
user_enabled_mask        = 2
user_enabled_default     = 512
user_attribute_ignore    = password,tenant_id,tenants
user_allow_create        = False
user_allow_update        = False
user_allow_delete        = False

tenant_tree_dn           = OU=Tenants,DC=example,DC=com
tenant_filter            =
tenant_objectclass       = groupOfNames
tenant_id_attribute      = cn
tenant_member_attribute  = member
tenant_name_attribute    = ou
tenant_desc_attribute    = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore  =
tenant_allow_create      = True
tenant_allow_update      = True
tenant_allow_delete      = True

role_tree_dn             = OU=Roles,DC=example,DC=com
role_filter              =
role_objectclass         = organizationalRole
role_id_attribute        = cn
role_name_attribute      = ou
role_member_attribute    = roleOccupant
role_attribute_ignore    =
role_allow_create        = True
role_allow_update        = True
role_allow_delete        = True
...
[identity]
driver = keystone.identity.backends.ldap.Identity
...
</pre>
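As an added example (not code from this page or from Keystone itself), the following Python resolves the sample AD tree through the attribute mapping of Example 1.1 the way the LDAP driver interprets it: the userAccountControl mask decides whether a user is enabled, the tenant's member attribute gives tenant membership, and the organizationalRole entries beneath a tenant give the user's roles in it. All entries, DNs and mail addresses are constructed sample data.

```python
# Added example, not from the wiki page or from Keystone itself: walks the sample
# AD tree through the attribute mapping of Example 1.1 as the LDAP driver reads it.
USER_ENABLED_MASK = 2       # user_enabled_mask: userAccountControl bit ACCOUNTDISABLE
USER_ENABLED_DEFAULT = 512  # user_enabled_default: NORMAL_ACCOUNT, written for new users
BASE = "DC=example,DC=com"

# Constructed entries keyed by DN; attribute names follow Example 1.1.
DIRECTORY = {
    "CN=AdminUser,OU=Users," + BASE: {
        "objectClass": ["person"], "cn": ["AdminUser"],
        "mail": ["admin@example.com"], "userAccountControl": ["512"]},  # bit 2 clear
    "CN=DemoUser,OU=Users," + BASE: {
        "objectClass": ["person"], "cn": ["DemoUser"],
        "mail": ["demo@example.com"], "userAccountControl": ["514"]},   # 512 | 2
    "CN=DemoTenant,OU=Tenants," + BASE: {
        "objectClass": ["groupOfNames"], "cn": ["DemoTenant"], "ou": ["Demo Tenant"],
        "description": ["demo tenant"],
        "member": ["CN=AdminUser,OU=Users," + BASE, "CN=DemoUser,OU=Users," + BASE]},
    # per-tenant role assignments sit beneath the tenant's groupOfNames entry,
    # which is why organizationalRole needs groupOfNames as a possible superior
    "CN=AdminRole,CN=DemoTenant,OU=Tenants," + BASE: {
        "objectClass": ["organizationalRole"], "cn": ["AdminRole"],
        "roleOccupant": ["CN=AdminUser,OU=Users," + BASE]},
    "CN=MemberRole,CN=DemoTenant,OU=Tenants," + BASE: {
        "objectClass": ["organizationalRole"], "cn": ["MemberRole"],
        "roleOccupant": ["CN=DemoUser,OU=Users," + BASE]},
}

def user_dn(name):
    return "CN=%s,OU=Users,%s" % (name, BASE)

def is_enabled(user):
    """user_enabled_attribute/mask: the account is enabled when the mask bit is clear."""
    entry = DIRECTORY[user_dn(user)]
    uac = int(entry.get("userAccountControl", [str(USER_ENABLED_DEFAULT)])[0])
    return (uac & USER_ENABLED_MASK) == 0

def tenants_of(user):
    """Tenants whose tenant_member_attribute (member) lists the user's DN."""
    return sorted(e["cn"][0] for e in DIRECTORY.values()
                  if "groupOfNames" in e["objectClass"]
                  and user_dn(user) in e.get("member", []))

def roles_of(user, tenant):
    """organizationalRole entries under the tenant whose roleOccupant lists the user."""
    tenant_dn = "CN=%s,OU=Tenants,%s" % (tenant, BASE)
    return sorted(e["cn"][0] for dn, e in DIRECTORY.items()
                  if dn.endswith("," + tenant_dn)
                  and "organizationalRole" in e["objectClass"]
                  and user_dn(user) in e.get("roleOccupant", []))
```

DN comparison here is exact; AD itself matches DNs case-insensitively, so a real check should normalise case before comparing.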