Revision as of 23:29, 17 February 2013
Setting up LDAP for use with Keystone
The Keystone Identity provider can use OpenLDAP as well as SQL as the backing store for Users, Tenants, and Roles. Here are the steps for setting up OpenLDAP to work with Keystone.
Fedora
I performed these steps on Fedora 16.
First, install the OpenLDAP server packages and start the server:
sudo yum install openldap-servers-2.4.26-6.fc16.x86_64
sudo service slapd start
Decide on a root password and hash it by running:
slappasswd -h {SSHA} -s <password>
Now create a file named manager.ldif like this, but change the olcSuffix and olcRootDN to reflect your organization. Use the output of the above slappasswd command to modify the olcRootPW entry below.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=openstack,dc=org
-
replace: olcRootDN
olcRootDN: dc=Manager,dc=openstack,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}lBDIdfwvZkITal0k9tdhiCUolxpf6anu
Now configure your OpenLDAP server by running:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ./manager.ldif
To initialize the OpenLDAP data store with the schema Keystone needs, you will need a script. While OpenLDAP can use a schema file, complete with variable substitution, other LDAP servers cannot. The program below generates an LDIF formatted file which you can use to import the schema.
#!/usr/bin/python
"""
Generate an LDIF file that lays out the subtree expected by the
LDAP Identity Driver in Keystone.
"""
import sys

if len(sys.argv) < 3:
    usage = """
    USAGE: {0} subtree organization

    {0} Generates an LDIF file that can then be added to a Directory server
    via the ldapadd command. The Schema is in the format expected by the
    LDAP Identity Driver in Keystone
    """
    print(usage.format(sys.argv[0]))
    sys.exit(1)

subtree = sys.argv[1]
organization = sys.argv[2]

# Entries are separated by a blank line, as LDIF requires.
ldif_file = """dn: {0}
dc: {1}
objectClass: dcObject
objectClass: organizationalUnit
ou: {1}

dn: ou=Groups,{0}
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,{0}
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,{0}
objectClass: top
objectClass: organizationalUnit
ou: roles
"""
print(ldif_file.format(subtree, organization))
You can run it like this:
./keystone_ldap_schema.py dc=openstack,dc=org openstack > /tmp/openstack_schema.ldif
ldapadd -x -D "dc=Manager,dc=openstack,dc=org" -H ldap://localhost -w password -f /tmp/openstack_schema.ldif
Ubuntu
The setup on Ubuntu is somewhat different. This was done on Ubuntu 11.10.
sudo apt-get install slapd ldap-utils
(prompts for the admin password)
sudo dpkg-reconfigure slapd
Set Domain Name to openstack.org
Set Organization to openstack
Test with:
ldapsearch -x -W -D "cn=admin,dc=openstack,dc=org" -b dc=openstack,dc=org
The first stanza produced by the above script (the base entry dc=openstack,dc=org) already exists on Ubuntu, because dpkg-reconfigure slapd creates it, so ldapadd fails with an "Already exists" error. Either run the script and edit that stanza out of its output, or use the LDIF below, which omits it.
dn: ou=Groups,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: roles
This can be added with:
ldapadd -x -W -D"cn=admin,dc=openstack,dc=org" -f /tmp/openstack.ldif
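As an added example (not the page's script), here is a Python version of the LDIF generator that also covers the Ubuntu case just described: an include_base flag drops the base entry that dpkg-reconfigure slapd has already created, so the output can be fed straight to ldapadd on either distribution. A small LDIF reader then checks that the result carries the three OUs Keystone expects, each with a matching ou value and the organizationalUnit class; that check is what would have caught a Roles stanza accidentally labelled ou: users. The names keystone_ldif, parse_ldif and check_layout are mine, not Keystone's.

```python
import sys

OUS = ("Groups", "Users", "Roles")  # the containers Keystone's LDAP driver expects


def keystone_ldif(subtree, organization, include_base=True):
    """Build LDIF for the Keystone subtree.

    subtree:      base DN, e.g. "dc=openstack,dc=org"
    organization: value for the dc/ou attributes of the base entry, e.g. "openstack"
    include_base: False on servers whose install already created the base entry
                  (Ubuntu's dpkg-reconfigure slapd); otherwise ldapadd reports
                  "Already exists".
    """
    entries = []
    if include_base:
        entries.append([
            "dn: {0}".format(subtree),
            "dc: {0}".format(organization),
            "objectClass: dcObject",
            "objectClass: organizationalUnit",
            "ou: {0}".format(organization),
        ])
    for ou in OUS:
        entries.append([
            "dn: ou={0},{1}".format(ou, subtree),
            "objectClass: top",
            "objectClass: organizationalUnit",
            "ou: {0}".format(ou.lower()),
        ])
    # LDIF separates entries with one blank line
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


def parse_ldif(text):
    """Minimal LDIF reader for the simple attr: value form used here.

    Returns one {attribute: [values]} dict per entry (no base64 or continuation lines).
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_layout(text, subtree):
    """True if every OU Keystone needs is present under subtree with a matching ou value."""
    by_dn = {entry["dn"][0]: entry for entry in parse_ldif(text) if "dn" in entry}
    for ou in OUS:
        entry = by_dn.get("ou={0},{1}".format(ou, subtree))
        if entry is None:
            return False
        if entry.get("ou") != [ou.lower()]:
            return False
        if "organizationalUnit" not in entry.get("objectClass", []):
            return False
    return True


if __name__ == "__main__":
    # Usage: script.py subtree organization [--no-base]
    if len(sys.argv) < 3:
        sys.exit("USAGE: {0} subtree organization [--no-base]".format(sys.argv[0]))
    ldif = keystone_ldif(sys.argv[1], sys.argv[2], include_base="--no-base" not in sys.argv[3:])
    if not check_layout(ldif, sys.argv[1]):
        sys.exit("generated LDIF failed layout check")
    sys.stdout.write(ldif)
```

Run it with --no-base on Ubuntu and without it on Fedora; redirect the output to a file and pass that file to ldapadd with -f, as in the commands above.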