Difference between revisions of "HowtoIntegrateKeystonewithAD"
(talk) |
|||
| Line 1: | Line 1: | ||
__NOTOC__ | __NOTOC__ | ||
| − | + | <!-- ## page was renamed from [[HowtointegrateKeystonewithad]] --> | |
| + | Table of contents: <<[[TableOfContents]]()>> | ||
| − | + | = How to Integrate Keystone with Active Directory = | |
| + | This documents explains how to integrate Keystone with Active Directory by configuring the LDAP module. | ||
| − | == | + | == Sample information stored on Active Directory == |
| + | There are 3 different trees for each identity type on the AD configuration | ||
Windows 2008 schema (includes services for unix) | Windows 2008 schema (includes services for unix) | ||
| + | |||
| + | |||
| + | <pre><nowiki> | ||
Users (OU=Users) | Users (OU=Users) | ||
| − | + | AdminUser | |
| − | @id | + | @id |
| − | @name | + | @name |
| − | @mail | + | @mail |
| − | + | DemoUser | |
| − | @id | + | @id |
| − | @name | + | @name |
| − | @mail | + | @mail |
| − | Tenants(OU=Tenants) | + | |
| − | + | Tenants (OU=Tenants) | |
| − | @id | + | DemoTenant |
| − | @name | + | @id |
| − | @description | + | @name |
| − | member( | + | @description |
| − | + | member(AdminUser,DemoUser) | |
| − | roleOccupant( | + | AdminRole |
| − | + | roleOccupant(AdminUser) | |
| − | roleOccupant( | + | MemberRole |
| − | Roles(OU=Roles) | + | roleOccupant(DemoUser) |
| − | + | ||
| − | @id | + | Roles (OU=Roles) |
| − | @name | + | AdminRole |
| − | + | @id | |
| − | @id | + | @name |
| − | @name | + | |
| + | MemberRole | ||
| + | @id | ||
| + | @name | ||
| + | </nowiki></pre> | ||
| + | |||
| + | == Configuration on Active Directory == | ||
| + | You need to change the configuration on ''organizationalRole'' to allow ''groupOfNames'' as a possible superior | ||
| + | |||
| + | Requirements | ||
| + | |||
| + | * User that modifies the configuration setting of the schema needs to in the group Schema Administrators | ||
| + | * The user needs to modify the configuration on AD Schema Master | ||
| + | |||
| + | Procedure | ||
| + | |||
| + | # In ADSI Edit go to schema | ||
| + | # Open CN=Organizational-Role | ||
| + | # In attribute editor edit possSuperiors | ||
| + | # Add groupOfNames in the values and click OK | ||
| + | |||
| + | == Configuration on Keystone == | ||
| + | There is some configuration that needs to be done on keystone side | ||
| + | |||
| + | '''Example 1.1. Configuration for LDAP backend ''' | ||
| + | |||
| + | |||
| + | <pre><nowiki> | ||
| + | ... | ||
| + | [ldap] | ||
| + | url = ldap://dc.example.com | ||
| + | user = CN=ldap,OU=Users,DC=example,DC=com | ||
| + | password = verybadpass | ||
| + | suffix = DC=example,DC=com | ||
| + | use_dumb_member = True | ||
| + | dumb_member = CN=ldap,OU=Users,DC=example,DC=com | ||
| + | |||
| + | user_tree_dn = OU=Users,DC=example,DC=com | ||
| + | user_objectclass = person | ||
| + | user_filter = | ||
| + | user_id_attribute = cn | ||
| + | user_name_attribute = cn | ||
| + | user_mail_attribute = mail | ||
| + | user_attribute_ignore = password,tenant_id,enabled,tenants | ||
| + | user_allow_create = False | ||
| + | user_allow_update = False | ||
| + | user_allow_delete = False | ||
| − | == | + | tenant_tree_dn = OU=Tenants,DC=example,DC=com |
| + | tenant_filter = | ||
| + | tenant_objectclass = groupOfNames | ||
| + | tenant_id_attribute = cn | ||
| + | tenant_member_attribute = member | ||
| + | tenant_name_attribute = ou | ||
| + | tenant_desc_attribute = description | ||
| + | tenant_attribute_ignore = enabled | ||
| + | tenant_allow_create = True | ||
| + | tenant_allow_update = True | ||
| + | tenant_allow_delete = True | ||
| − | + | role_tree_dn = OU=Roles,DC=example,DC=com | |
| − | + | role_filter = | |
| − | + | role_objectclass = organizationalRole | |
| − | + | role_id_attribute = cn | |
| + | role_name_attribute = ou | ||
| + | role_member_attribute = roleOccupant | ||
| + | role_attribute_ignore = | ||
| + | role_allow_create = True | ||
| + | role_allow_update = True | ||
| + | role_allow_delete = True | ||
| + | ... | ||
| + | [identity] | ||
| + | driver = keystone.identity.backends.ldap.Identity | ||
| + | ... | ||
| + | </nowiki></pre> | ||
Revision as of 09:01, 9 October 2012
Table of contents: <<TableOfContents()>>
How to Integrate Keystone with Active Directory
This documents explains how to integrate Keystone with Active Directory by configuring the LDAP module.
Sample information stored on Active Directory
There are 3 different trees for each identity type on the AD configuration
Windows 2008 schema (includes services for unix)
Users (OU=Users)
AdminUser
@id
@name
@mail
DemoUser
@id
@name
@mail
Tenants (OU=Tenants)
DemoTenant
@id
@name
@description
member(AdminUser,DemoUser)
AdminRole
roleOccupant(AdminUser)
MemberRole
roleOccupant(DemoUser)
Roles (OU=Roles)
AdminRole
@id
@name
MemberRole
@id
@name
Configuration on Active Directory
You need to change the configuration on organizationalRole to allow groupOfNames as a possible superior
Requirements
- User that modifies the configuration setting of the schema needs to in the group Schema Administrators
- The user needs to modify the configuration on AD Schema Master
Procedure
- In ADSI Edit go to schema
- Open CN=Organizational-Role
- In attribute editor edit possSuperiors
- Add groupOfNames in the values and click OK
Configuration on Keystone
There is some configuration that needs to be done on keystone side
Example 1.1. Configuration for LDAP backend
... [ldap] url = ldap://dc.example.com user = CN=ldap,OU=Users,DC=example,DC=com password = verybadpass suffix = DC=example,DC=com use_dumb_member = True dumb_member = CN=ldap,OU=Users,DC=example,DC=com user_tree_dn = OU=Users,DC=example,DC=com user_objectclass = person user_filter = user_id_attribute = cn user_name_attribute = cn user_mail_attribute = mail user_attribute_ignore = password,tenant_id,enabled,tenants user_allow_create = False user_allow_update = False user_allow_delete = False tenant_tree_dn = OU=Tenants,DC=example,DC=com tenant_filter = tenant_objectclass = groupOfNames tenant_id_attribute = cn tenant_member_attribute = member tenant_name_attribute = ou tenant_desc_attribute = description tenant_attribute_ignore = enabled tenant_allow_create = True tenant_allow_update = True tenant_allow_delete = True role_tree_dn = OU=Roles,DC=example,DC=com role_filter = role_objectclass = organizationalRole role_id_attribute = cn role_name_attribute = ou role_member_attribute = roleOccupant role_attribute_ignore = role_allow_create = True role_allow_update = True role_allow_delete = True ... [identity] driver = keystone.identity.backends.ldap.Identity ...