Difference between revisions of "HowtoIntegrateKeystonewithAD"
Revision as of 09:01, 9 October 2012
How to Integrate Keystone with Active Directory
This document explains how to integrate Keystone with Active Directory by configuring Keystone's LDAP identity module.
Sample information stored on Active Directory
On the AD side there are three separate trees, one for each identity type (users, tenants and roles). The sample below uses the Windows 2008 schema (including Services for UNIX).
Users (OU=Users)
    AdminUser
        @id
        @name
        @mail
    DemoUser
        @id
        @name
        @mail

Tenants (OU=Tenants)
    DemoTenant
        @id
        @name
        @description
        member(AdminUser,DemoUser)
        AdminRole
            roleOccupant(AdminUser)
        MemberRole
            roleOccupant(DemoUser)

Roles (OU=Roles)
    AdminRole
        @id
        @name
    MemberRole
        @id
        @name
Configuration on Active Directory
You need to change the schema definition of organizationalRole so that groupOfNames is allowed as a possible superior; otherwise the role objects cannot be created underneath the tenant (groupOfNames) entries as shown in the sample tree.
Requirements
- The user that modifies the schema configuration needs to be in the group Schema Administrators
- The change must be made on the AD Schema Master
Procedure
- In ADSI Edit, go to the Schema
- Open CN=Organizational-Role
- In the Attribute Editor, edit possSuperiors
- Add groupOfNames to the values and click OK
Configuration on Keystone
Some configuration is also needed on the Keystone side.
Example 1.1. Configuration for LDAP backend
...
[ldap]
url = ldap://dc.example.com
user = CN=ldap,OU=Users,DC=example,DC=com
password = verybadpass
suffix = DC=example,DC=com
use_dumb_member = True
dumb_member = CN=ldap,OU=Users,DC=example,DC=com

user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_filter =
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_attribute_ignore = password,tenant_id,enabled,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_tree_dn = OU=Tenants,DC=example,DC=com
tenant_filter =
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_attribute_ignore = enabled
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = OU=Roles,DC=example,DC=com
role_filter =
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =
role_allow_create = True
role_allow_update = True
role_allow_delete = True
...
[identity]
driver = keystone.identity.backends.ldap.Identity
...
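To show how the attribute mappings above turn a user into tenant memberships and role assignments, here is an added Python example (not Keystone's own code): it reads the mapping keys from a copy of the [ldap] section and runs them against a constructed in-memory directory that mirrors the sample tree, with the role entries placed under the tenant entry (the reason for the possSuperiors change). The in-memory search helper, the directory contents and the function names are assumptions made for this example.

```python
import configparser

# Copy of the mapping keys from Example 1.1 that drive the lookups (constructed).
CONF = """
[ldap]
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_id_attribute = cn
tenant_tree_dn = OU=Tenants,DC=example,DC=com
tenant_objectclass = groupOfNames
tenant_member_attribute = member
role_objectclass = organizationalRole
role_member_attribute = roleOccupant
"""
cfg = configparser.ConfigParser()
cfg.read_string(CONF)
L = cfg["ldap"]

ADMIN = "CN=AdminUser,OU=Users,DC=example,DC=com"
DEMO = "CN=DemoUser,OU=Users,DC=example,DC=com"
TENANT = "CN=DemoTenant,OU=Tenants,DC=example,DC=com"

# Constructed directory (DN -> attributes) mirroring the page's sample tree.
# The role entries sit *under* the tenant, which needs organizationalRole to
# accept groupOfNames as a superior.
DIRECTORY = {
    ADMIN: {"objectClass": ["person"], "cn": ["AdminUser"]},
    DEMO: {"objectClass": ["person"], "cn": ["DemoUser"]},
    TENANT: {"objectClass": ["groupOfNames"], "cn": ["DemoTenant"], "member": [ADMIN, DEMO]},
    "CN=AdminRole," + TENANT: {"objectClass": ["organizationalRole"], "cn": ["AdminRole"], "roleOccupant": [ADMIN]},
    "CN=MemberRole," + TENANT: {"objectClass": ["organizationalRole"], "cn": ["MemberRole"], "roleOccupant": [DEMO]},
}

def under(dn, base):
    """True if dn is base itself or lies in base's subtree (case-insensitive DN match)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def search(base, objectclass, **must):
    """Subtree search: entries under base with the object class and every required attribute value."""
    return [dn for dn, attrs in DIRECTORY.items()
            if under(dn, base) and objectclass in attrs["objectClass"]
            and all(v in attrs.get(k, []) for k, v in must.items())]

def user_dn(user_id):
    hits = search(L["user_tree_dn"], L["user_objectclass"], **{L["user_id_attribute"]: user_id})
    return hits[0] if hits else None

def tenants_for(user_id):
    # A tenant is a groupOfNames whose member attribute lists the user's DN.
    return search(L["tenant_tree_dn"], L["tenant_objectclass"], **{L["tenant_member_attribute"]: user_dn(user_id)})

def roles_for(user_id, tenant_dn):
    # Roles are organizationalRole entries under the tenant whose roleOccupant lists the user's DN.
    hits = search(tenant_dn, L["role_objectclass"], **{L["role_member_attribute"]: user_dn(user_id)})
    return [dn.split(",")[0][len("CN="):] for dn in hits]
```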