OpenLDAP
Revision as of 17:32, 26 March 2014

Setting up LDAP for use with Keystone

The Keystone Identity provider can use OpenLDAP as well as SQL as the backing store for Users, Tenants, and Roles. Here are the steps for setting up OpenLDAP to work with Keystone.

Fedora

I performed these steps on Fedora 16.

First, install the OpenLDAP server packages and start the server:


sudo yum install openldap-servers-2.4.26-6.fc16.x86_64
sudo service slapd start


Decide on a root password and hash it by running: slappasswd -h {SSHA} -s <password>. If you omit -s, slappasswd prompts for the password instead, which keeps it out of your shell history and the process list. The output is the {SSHA} string to paste into olcRootPW below.

Now create a file named manager.ldif like this, but change the olcSuffix and olcRootDN to reflect your organization, and use the output of the slappasswd command above as the olcRootPW value. The dn assumes the default database is olcDatabase={2}hdb; check with ls /etc/openldap/slapd.d/cn=config/ (on some releases it is {2}bdb) and adjust the RDN to match. The lines containing only "-" separate the individual modify operations in one record.


 
dn:  olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=openstack,dc=org
-
replace: olcRootDN
olcRootDN: dc=Manager,dc=openstack,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}lBDIdfwvZkITal0k9tdhiCUolxpf6anu


Now apply it to your OpenLDAP server over the local socket, authenticating as root via SASL EXTERNAL:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ./manager.ldif
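As an added example (not code from this page or from OpenStack), the following Python reproduces what slappasswd -h {SSHA} computes, so a hash can be verified offline before it goes into olcRootPW, and renders the manager.ldif record above from parameters. The function names, the four-byte salt default and the {2}hdb default are this example's own assumptions; slapd only ever sees the resulting {SSHA} string and the LDIF text.

```python
#!/usr/bin/env python3
"""Added example: build and verify an OpenLDAP {SSHA} password hash offline,
and render the manager.ldif modify record that installs it as olcRootPW."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return {SSHA}base64(SHA1(password || salt) || salt).
    slappasswd uses a random 4-byte salt; pass a fixed salt only for testing."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt(stored: str) -> bytes:
    """Recover the salt: everything after the 20-byte SHA-1 digest."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    return base64.b64decode(stored[len(SCHEME):])[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    salt = ssha_salt(stored)  # raises if the scheme prefix is wrong
    digest = base64.b64decode(stored[len(SCHEME):])[:SHA1_LEN]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def manager_ldif(suffix: str, rootdn: str, rootpw_hash: str,
                 database: str = "{2}hdb") -> str:
    """Render the cn=config modify record from the page. Each '-' line ends one
    modify operation; the database RDN must match what slapd created
    (ls /etc/openldap/slapd.d/cn=config/)."""
    return "\n".join([
        f"dn: olcDatabase={database},cn=config",
        "changetype: modify",
        "replace: olcSuffix",
        f"olcSuffix: {suffix}",
        "-",
        "replace: olcRootDN",
        f"olcRootDN: {rootdn}",
        "-",
        "add: olcRootPW",
        f"olcRootPW: {rootpw_hash}",
        "",
    ])


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("New root password: ")  # prompted, never on the command line
    h = ssha_hash(pw)
    assert ssha_verify(pw, h)
    # Bind DN and suffix as used on this page; change both for your organization.
    print(manager_ldif("dc=openstack,dc=org", "dc=Manager,dc=openstack,dc=org", h))
```

Run it, redirect the output to manager.ldif, and feed that to the ldapmodify command above; ssha_verify is also handy for confirming which password an existing olcRootPW value belongs to without touching the server.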

To initialize the OpenLDAP data store with the entries Keystone needs, you will need a script. While OpenLDAP can use a schema file with variable substitution, other LDAP servers cannot, so the program below generates a plain LDIF file that can be imported into any server with ldapadd.


#!/usr/bin/env python3
"""
Generate an LDIF file containing the base entry and the Groups, Users and
Roles organizational units expected by the Keystone LDAP Identity driver.
"""
import sys

if len(sys.argv) < 3:
    usage = """
USAGE: {0} subtree organization

{0} generates an LDIF file that can then be added to a directory server via
the ldapadd command.  The schema is in the format expected by the LDAP
Identity Driver in Keystone.

Example: {0} dc=openstack,dc=org openstack
"""
    print(usage.format(sys.argv[0]))
    sys.exit(1)

subtree = sys.argv[1]       # must match the olcSuffix configured in slapd
organization = sys.argv[2]  # must equal the dc= value of the first RDN of subtree

# The base entry's RDN attribute (dc) must be present in the entry, so a
# subtree such as cn=openstack,cn=org would be rejected by slapd.
if not subtree.lower().startswith("dc=" + organization.lower() + ","):
    print("warning: subtree should begin with dc=" + organization, file=sys.stderr)

ldif_file = """dn: {0}
dc: {1}
objectClass: dcObject
objectClass: organizationalUnit
ou: {1}

dn: ou=Groups,{0}
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,{0}
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,{0}
objectClass: top
objectClass: organizationalUnit
ou: roles
"""

print(ldif_file.format(subtree, organization))



You can run it like this, passing the same suffix you set as olcSuffix and binding as the olcRootDN from manager.ldif (-W prompts for the root password rather than exposing it on the command line with -w):

  ./keystone_ldap_schema.py dc=openstack,dc=org openstack > /tmp/openstack_schema.ldif
  ldapadd -x -W -D "dc=Manager,dc=openstack,dc=org" -H ldap://localhost -f /tmp/openstack_schema.ldif

Verify the result with:

  ldapsearch -x -W -D "dc=Manager,dc=openstack,dc=org" -H ldap://localhost -b dc=openstack,dc=org

Ubuntu

The setup on Ubuntu is somewhat different. This was done on Ubuntu 11.10.

sudo apt-get install slapd ldap-utils

The install prompts for the LDAP admin password. Then reconfigure the package:

sudo dpkg-reconfigure slapd

Set the DNS domain name to openstack.org and the organization to openstack. This creates a database with suffix dc=openstack,dc=org, the base entry dc=openstack,dc=org, and the admin bind DN cn=admin,dc=openstack,dc=org using the password you chose.

Test with:

ldapsearch -x -W -D "cn=admin,dc=openstack,dc=org" -b dc=openstack,dc=org

Next create and edit /tmp/openstack.ldif with the following. The base entry dc=openstack,dc=org already exists (dpkg-reconfigure created it), so adding it again fails with an "Already exists" error; the file therefore contains only the three organizational units beneath it, and every DN must be written with dc= components matching the suffix:

dn: ou=Groups,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: roles

Then add that file to LDAP by issuing the following command:

ldapadd -x -W -D "cn=admin,dc=openstack,dc=org" -f /tmp/openstack.ldif

Confirm the three units are in place with:

ldapsearch -x -W -D "cn=admin,dc=openstack,dc=org" -b dc=openstack,dc=org "(objectClass=organizationalUnit)" dn
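An added example, not code from this page or from Keystone, that serves both the file generated by the Fedora script and the hand-written Ubuntu file: a small offline checker that parses an LDIF add file and reports the mistakes slapd would reject (an entry outside the database suffix, an RDN attribute value missing from the entry, a parent that is neither the suffix nor an earlier entry, and an entry that already exists). The parser, the function names and the message wording are this example's own; the sample LDIF strings are constructed here, one of them deliberately carrying the cn=openstack,cn=org DN in place of dc=openstack,dc=org, which is the error that makes ldapadd refuse the file.

```python
#!/usr/bin/env python3
"""Added example: sanity-check an LDIF add file offline before running ldapadd."""
import re


def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas into its RDN strings."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def norm_dn(dn: str) -> str:
    """Lower-case types and values and drop spaces so that
    'ou=Groups, DC=OpenStack,dc=org' equals 'ou=groups,dc=openstack,dc=org'
    (dc, ou and cn all use case-insensitive matching)."""
    parts = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"bad RDN {rdn!r} in {dn!r}")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def parse_ldif(text: str) -> list:
    """Return [(dn, [(attr, value), ...]), ...]. Handles comments and folded
    continuation lines; base64 ('::') and URL ('<') values are out of scope."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line {line!r}")
        current.append((attr.strip().lower(), value.strip()))
    result = []
    for attrs in entries:
        dns = [v for a, v in attrs if a == "dn"]
        if len(dns) != 1:
            raise ValueError("each entry needs exactly one dn line")
        result.append((dns[0], [(a, v) for a, v in attrs if a != "dn"]))
    return result


def check_ldif(text: str, suffix: str, base_exists: bool) -> list:
    """List the problems ldapadd would hit, in file order ([] means clean).
    base_exists=True models Ubuntu, where dpkg-reconfigure slapd already created
    the suffix entry; False models the freshly configured Fedora database."""
    problems = []
    suffix_n = norm_dn(suffix)
    known = {suffix_n} if base_exists else set()   # DNs that exist before each add
    for dn, attrs in parse_ldif(text):
        dn_n = norm_dn(dn)
        if dn_n in known:
            problems.append(f"{dn}: entry already exists (ldapadd reports 'Already exists')")
        if dn_n != suffix_n and not dn_n.endswith("," + suffix_n):
            problems.append(f"{dn}: not under suffix {suffix}")
        rdns = split_dn(dn_n)
        rdn_attr, rdn_val = rdns[0].split("=", 1)
        if not any(a == rdn_attr and v.lower() == rdn_val for a, v in attrs):
            problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_val} not present in entry")
        if not any(a == "objectclass" for a, _ in attrs):
            problems.append(f"{dn}: no objectClass")
        parent = ",".join(rdns[1:])
        if dn_n != suffix_n and parent not in known:
            problems.append(f"{dn}: parent {parent} is neither the suffix nor an earlier entry")
        known.add(dn_n)
    return problems


SUFFIX = "dc=openstack,dc=org"

# Constructed sample: base entry plus one unit, with cn= where dc= belongs.
BROKEN_LDIF = """dn: cn=openstack,cn=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack

dn: ou=Groups,cn=openstack,cn=org
objectClass: top
objectClass: organizationalUnit
ou: groups
"""

# Constructed samples matching the corrected files: base entry, and the three units.
BASE_ENTRY = f"dn: {SUFFIX}\ndc: openstack\nobjectClass: dcObject\nobjectClass: organizationalUnit\nou: openstack\n\n"
OU_LDIF = "".join(
    f"dn: ou={ou},{SUFFIX}\nobjectClass: top\nobjectClass: organizationalUnit\nou: {ou.lower()}\n\n"
    for ou in ("Groups", "Users", "Roles"))

if __name__ == "__main__":
    for problem in check_ldif(BROKEN_LDIF, SUFFIX, base_exists=True):
        print(problem)
```

On the broken sample the checker flags the base entry three times (outside the suffix, cn naming attribute absent, parent cn=org unknown) and the unit once; OU_LDIF alone is clean for the Ubuntu case, BASE_ENTRY + OU_LDIF is clean for the Fedora case, and feeding the base entry to a server that already has it yields exactly the "already exists" report.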