
OpenLDAP

Revision as of 21:31, 14 March 2012 by Admiyo (talk)

Setting up LDAP for use with Keystone


The Keystone Identity provider can work with OpenLDAP as well as with SQL to provide backing for Users, Tenants, and Roles. Here are the steps for setting up OpenLDAP to work with Keystone.

Fedora

I performed these steps on Fedora 16.

First, install the OpenLDAP server packages:


sudo yum install openldap-servers-2.4.26-6.fc16.x86_64
sudo service slapd start


Decide on a root password and hash it by running: slappasswd -h {SSHA} -s <password>

Now create a file named manager.ldif like this, but change the olcSuffix and olcRootDN to reflect your organization. Use the output of the above slappasswd command to modify the olcRootPW entry below.


 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=openstack,dc=org
-
replace: olcRootDN
olcRootDN: dc=Manager,dc=openstack,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}lBDIdfwvZkITal0k9tdhiCUolxpf6anu


Now configure your OpenLDAP server by running:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ./manager.ldif

To initialize the OpenLDAP data store with the schema Keystone needs, you will need a script. While OpenLDAP can use a schema file, complete with variable substitution, other LDAP servers cannot. The program below generates an LDIF-formatted file which you can use to import the schema.


#!/usr/bin/python
"""
Generate an LDIF file laying out the subtree the Keystone LDAP identity
driver expects: a base entry plus ou=Groups, ou=Users and ou=Roles.
"""
import sys

if len(sys.argv) < 3:
    usage = """
USAGE: {0} subtree organization

{0} Generates an LDIF file that can then be added to a Directory server via
the ldapadd command.  The Schema is in the format expected by the LDAP
Identity Driver in Keystone
"""
    print(usage.format(sys.argv[0]))
    sys.exit(1)

subtree = sys.argv[1]       # e.g. dc=openstack,dc=org
organization = sys.argv[2]  # e.g. openstack; becomes the dc and ou of the base entry
ldif_file = """
dn: {0}
dc: {1}
objectClass: dcObject
objectClass: organizationalUnit
ou: {1}

dn: ou=Groups,{0}
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,{0}
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,{0}
objectClass: top
objectClass: organizationalUnit
ou: roles
"""

print(ldif_file.format(subtree, organization))



You can run it like this:

 
  ./keystone_ldap_schema.py dc=openstack,dc=org openstack > /tmp/openstack_schema.ldif
  ldapadd -x -D "dc=Manager,dc=openstack,dc=org" -H ldap://localhost -w password -f /tmp/openstack_schema.ldif


Ubuntu

The setup on Ubuntu is somewhat different. This was done on Ubuntu 11.10.

sudo apt-get install slapd ldap-utils

(This prompts for an admin password.)

sudo dpkg-reconfigure slapd

Set the DNS domain name to openstack.org and the organization name to openstack.

Test with:

 ldapsearch -x -W -D "cn=admin,dc=openstack,dc=org" -b dc=openstack,dc=org


On Ubuntu the base entry dc=openstack,dc=org is already created by dpkg-reconfigure, so the first stanza the above script generates fails with an "Already exists" error. Either run the script and delete that stanza from its output, or use the LDIF below, which omits it.

dn: ou=Groups,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: roles


This can be added with:

 ldapadd -x -W -D "cn=admin,dc=openstack,dc=org" -f /tmp/openstack.ldif
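As an added check that is not part of the original page or of Keystone, the Python script below validates a generated LDIF before it is handed to ldapadd. It covers both the Fedora and the Ubuntu procedure above: it confirms that each entry's RDN value is present among that entry's attributes (an ou=Roles stanza that still carries ou: users is rejected by slapd as a naming violation) and flags entries you say already exist on the server, such as the base DN that dpkg-reconfigure creates on Ubuntu. The sample LDIF is constructed, and the parser assumes plain LDIF without base64 values or escaped commas.

```python
"""Pre-flight check of a Keystone LDIF before ldapadd. It flags an entry whose
RDN value is missing from its own attributes (an ou=Roles stanza still saying
"ou: users", which slapd rejects as a naming violation) and an entry already
on the server (the base DN that dpkg-reconfigure creates on Ubuntu)."""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from plain LDIF: blank-line separated
    entries, no base64 '::' values, no line continuations."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def check_ldif(text, existing=()):
    """Return problem strings; an empty list means the LDIF is safe to add."""
    problems, present = [], {dn.lower() for dn in existing}
    for dn, attrs in parse_ldif(text):
        if dn.lower() in present:
            problems.append("already exists, drop this stanza: " + dn)
            continue
        # First RDN of the DN; assumes no escaped commas (true for this tree).
        attr, _, value = dn.split(",", 1)[0].partition("=")
        attr, value = attr.strip().lower(), value.strip().lower()
        if value not in [v.lower() for v in attrs.get(attr, [])]:
            problems.append("RDN %s=%s not among the attributes of %s"
                            % (attr, value, dn))
    return problems

# Constructed sample: the page's tree with the ou=Roles copy-and-paste slip.
SAMPLE = """dn: dc=openstack,dc=org
dc: openstack
objectClass: dcObject

dn: ou=Roles,dc=openstack,dc=org
objectClass: organizationalUnit
ou: users
"""
```

Run check_ldif on the generated file's contents, passing existing=["dc=openstack,dc=org"] on Ubuntu; an empty result means ldapadd should accept every stanza.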