HowtoIntegrateKeystonewithAD
How to Integrate Keystone with Active Directory
This document explains how to integrate Keystone with Active Directory by configuring Keystone's LDAP identity module, so that users, tenants and roles are read from (and, for tenants and roles, written to) the directory.
Sample information stored on Active Directory
The AD configuration uses three separate trees, one per identity type (users, tenants, roles), on a Windows Server 2008 schema with Services for UNIX installed. The sample data used throughout this page looks like this (role assignments are organizationalRole entries nested under the tenant entry):

Users (OU=Users)
    AdminUser    @id @name @mail
    DemoUser     @id @name @mail
Tenants (OU=Tenants)
    DemoTenant   @id @name @description
        member(AdminUser, DemoUser)
        AdminRole    roleOccupant(AdminUser)
        MemberRole   roleOccupant(DemoUser)
Roles (OU=Roles)
    AdminRole    @id @name
    MemberRole   @id @name
Configuration on Active Directory
Keystone records a user's role in a tenant as an organizationalRole entry created directly beneath that tenant's groupOfNames entry (the AdminRole and MemberRole entries under DemoTenant above). The default AD schema does not list groupOfNames among the classes that may contain an organizationalRole, so the create fails until you change the organizationalRole class definition to allow groupOfNames as a possible superior (possSuperiors).
Requirements
- The account that modifies the schema must be a member of the Schema Admins group.
- The change must be made on the domain controller that holds the Schema Master FSMO role; other domain controllers refuse schema writes.
Procedure
- In ADSI Edit, connect to the Schema naming context on the Schema Master.
- Open CN=Organizational-Role.
- In the Attribute Editor, edit possSuperiors.
- Add groupOfNames to the values and click OK. Re-open the attribute afterwards to confirm the value was stored.
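The same schema change scripted for an LDAP client instead of ADSI Edit, as an added example that is not part of this page or of Keystone. It assumes you have already read the current possSuperiors of CN=Organizational-Role from the Schema Master with ldapsearch (the search output embedded below is a constructed sample; the real default values will differ); the script checks whether groupOfNames is already present and, if not, emits the LDIF for ldapmodify, including the rootDSE schemaUpdateNow write that makes the domain controller reload its schema cache. The class and attribute names (Organizational-Role, possSuperiors, schemaUpdateNow) are the real AD schema names; the DNs under DC=example,DC=com follow the page.

```python
"""Plan the AD schema change that lets Keystone nest organizationalRole entries
under a tenant's groupOfNames entry, and emit the LDIF for ldapmodify.
Added example; not part of the wiki page or of Keystone."""

SCHEMA_CLASS_RDN = "CN=Organizational-Role"  # classSchema object of organizationalRole
WANTED_SUPERIOR = "groupOfNames"              # the class Keystone uses for tenants

# Constructed sample of what
#   ldapsearch -LLL -b <schemaNamingContext> "(cn=Organizational-Role)" possSuperiors
# returns; replace it with the real output read from the Schema Master.
SAMPLE_SEARCH_OUTPUT = """\
dn: CN=Organizational-Role,CN=Schema,CN=Configuration,DC=example,DC=com
possSuperiors: organization
possSuperiors: organizationalUnit
possSuperiors: container
"""


def parse_attr_values(ldif_text, attr):
    """Collect the values of one attribute from ldapsearch LDIF output.
    Folded continuation lines (leading space) are unfolded first; base64 ("::")
    values are skipped because possSuperiors values are plain class names."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # unfold continuation line
        else:
            lines.append(raw)
    prefix = attr.lower() + ":"
    values = []
    for line in lines:
        low = line.lower()
        if low.startswith(prefix) and not low.startswith(prefix + ":"):
            values.append(line[len(prefix):].strip())
    return values


def plan_poss_superiors(current_values, wanted=WANTED_SUPERIOR):
    """Return the value that must be added, or None when it is already allowed.
    Matching is case-insensitive, as AD treats schema names."""
    have = {v.lower() for v in current_values}
    return None if wanted.lower() in have else wanted


def build_ldif(schema_naming_context, current_values):
    """LDIF for the possSuperiors change plus the rootDSE schemaUpdateNow write
    that refreshes the schema cache. Returns "" when nothing needs changing, so
    re-running against an already patched schema is harmless."""
    to_add = plan_poss_superiors(current_values)
    if to_add is None:
        return ""
    return "\n".join([
        "dn: %s,%s" % (SCHEMA_CLASS_RDN, schema_naming_context),
        "changetype: modify",
        "add: possSuperiors",
        "possSuperiors: %s" % to_add,
        "-",
        "",
        "dn:",                       # empty DN = rootDSE of the DC we wrote to
        "changetype: modify",
        "add: schemaUpdateNow",
        "schemaUpdateNow: 1",
        "-",
        "",
    ])


if __name__ == "__main__":
    # schemaNamingContext as reported by the server's rootDSE (page's example forest)
    schema_nc = "CN=Schema,CN=Configuration,DC=example,DC=com"
    current = parse_attr_values(SAMPLE_SEARCH_OUTPUT, "possSuperiors")
    print(build_ldif(schema_nc, current) or "groupOfNames already allowed; nothing to do")
```

Save the output to a file and apply it with `ldapmodify -x -H ldaps://<schema master> -D "<DN of a Schema Admins account>" -W -f change.ldif`; the request must go to the Schema Master, and it must be the same domain controller that receives the schemaUpdateNow write. Read possSuperiors back with the ldapsearch above to confirm the value before trying to create a tenant role from Keystone.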
Configuration on Keystone
On the Keystone side, point the identity driver at the LDAP backend and describe the three trees in the [ldap] section of keystone.conf. Two things to check before restarting Keystone: the bind account (user) only needs read access to OU=Users, because user_allow_create, user_allow_update and user_allow_delete are all False, but it needs create, modify and delete rights on OU=Tenants and OU=Roles, because the tenant_allow_* and role_allow_* settings are True; and a plain ldap:// URL sends that account's password to the domain controller unencrypted, so use ldaps:// outside a lab. The password itself is stored in clear text in keystone.conf, so keep the file readable only by the keystone service user.
Example 1.1. Configuration for LDAP backend
...
[ldap]
url = ldap://dc.example.com
user = CN=ldap,OU=Users,DC=example,DC=com
password = verybadpass
suffix = DC=example,DC=com
use_dumb_member = True
dumb_member = CN=ldap,OU=Users,DC=example,DC=com

user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_filter =
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_attribute_ignore = password,tenant_id,enabled,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_tree_dn = OU=Tenants,DC=example,DC=com
tenant_filter =
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_attribute_ignore = enabled
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = OU=Roles,DC=example,DC=com
role_filter =
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =
role_allow_create = True
role_allow_update = True
role_allow_delete = True
...

[identity]
driver = keystone.identity.backends.ldap.Identity
...
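A pre-flight check for the configuration above, as an added example that is not Keystone code and not part of the original page. It parses the [ldap] and [identity] sections with configparser and reports what a deployer should confirm before restarting Keystone: that the URL is ldaps:// (or that use_tls, an option added in later Keystone releases, is set) so the bind password does not cross the network in the clear; that the three tree DNs sit under suffix; that the user_allow_* settings stay False so AD remains the source of truth for users; that use_dumb_member and dumb_member are paired for groupOfNames tenants; and that the groupOfNames-plus-organizationalRole layout needs the possSuperiors schema change described earlier. The embedded configuration is a constructed copy of the page's sample, trimmed to the keys the checks read; has_finding is a convenience helper introduced here.

```python
"""Lint a keystone.conf [ldap] section for the Active Directory layout on this page.
Added example; not Keystone code and not part of the wiki page."""
import configparser
from urllib.parse import urlsplit

# Constructed copy of the page's sample, trimmed to the keys the checks look at.
# Point load_conf() at the text of your real /etc/keystone/keystone.conf instead.
SAMPLE_CONF = """\
[ldap]
url = ldap://dc.example.com
user = CN=ldap,OU=Users,DC=example,DC=com
password = verybadpass
suffix = DC=example,DC=com
use_dumb_member = True
dumb_member = CN=ldap,OU=Users,DC=example,DC=com
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_tree_dn = OU=Tenants,DC=example,DC=com
tenant_objectclass = groupOfNames
tenant_member_attribute = member
tenant_allow_create = True
role_tree_dn = OU=Roles,DC=example,DC=com
role_objectclass = organizationalRole
role_member_attribute = roleOccupant

[identity]
driver = keystone.identity.backends.ldap.Identity
"""

LDAP_DRIVER = "keystone.identity.backends.ldap.Identity"


def load_conf(text):
    """Parse keystone.conf text; interpolation is off so '%' in values is left alone."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _is_true(section, key):
    return section.get(key, "False").strip().lower() in ("true", "1", "yes", "on")


def check_ldap_config(cp):
    """Return findings as (level, message) tuples; an empty list means nothing to report."""
    out = []
    if cp.get("identity", "driver", fallback="") != LDAP_DRIVER:
        out.append(("error", "[identity] driver is not %s" % LDAP_DRIVER))
    if not cp.has_section("ldap"):
        out.append(("error", "no [ldap] section"))
        return out
    sec = cp["ldap"]

    # Transport: a plain ldap:// URL sends the bind password in the clear.
    url = sec.get("url", "")
    if urlsplit(url).scheme.lower() != "ldaps" and not _is_true(sec, "use_tls"):
        out.append(("warn", "url %r is not ldaps:// and use_tls is not set" % url))

    # The bind password is clear text in the file; only the service user should read it.
    if sec.get("password"):
        out.append(("info", "bind password is stored in keystone.conf; restrict its file permissions"))

    # Every tree Keystone searches or writes must sit under the configured suffix.
    suffix = sec.get("suffix", "").replace(" ", "").lower()
    for key in ("user_tree_dn", "tenant_tree_dn", "role_tree_dn"):
        dn = sec.get(key, "")
        if not dn:
            out.append(("error", "%s is not set" % key))
        elif suffix and not dn.replace(" ", "").lower().endswith(suffix):
            out.append(("error", "%s %r is outside suffix %r" % (key, dn, sec.get("suffix"))))

    # AD stays the source of truth for users: Keystone must never write them.
    for op in ("create", "update", "delete"):
        if _is_true(sec, "user_allow_" + op):
            out.append(("warn", "user_allow_%s is True; Keystone would write user objects into AD" % op))

    if sec.get("tenant_objectclass", "").lower() == "groupofnames":
        # RFC 4519 groupOfNames requires a member; Keystone's dumb_member satisfies that
        # when a tenant is created before anyone is added to it.
        if not _is_true(sec, "use_dumb_member"):
            out.append(("warn", "tenant_objectclass is groupOfNames but use_dumb_member is not True"))
        elif not sec.get("dumb_member"):
            out.append(("error", "use_dumb_member is True but dumb_member is not set"))
        # Role assignments become organizationalRole entries under the tenant entry,
        # which AD only allows once groupOfNames is in possSuperiors of Organizational-Role.
        if sec.get("role_objectclass", "").lower() == "organizationalrole":
            out.append(("info", "organizationalRole under groupOfNames needs the possSuperiors schema change on the Schema Master"))
    return out


def has_finding(findings, level, fragment):
    """True if some finding of the given level contains fragment (helper for callers and tests)."""
    return any(lvl == level and fragment in msg for lvl, msg in findings)


if __name__ == "__main__":
    for level, msg in check_ldap_config(load_conf(SAMPLE_CONF)):
        print("%-5s %s" % (level, msg))
```

Run against the page's own sample it reports the ldap:// transport, the clear-text password, and the schema prerequisite, and nothing at error level; switching the URL to ldaps:// clears the transport warning. Errors (a tree outside the suffix, a missing dumb_member) are the cases where Keystone will fail at runtime rather than merely run insecurely.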