How to Integrate Keystone with Active Directory
This document explains how to integrate Keystone with Active Directory by configuring Keystone's LDAP identity backend.
Sample information stored on Active Directory
The AD configuration holds three separate trees, one per identity type (users, tenants and roles).
Windows Server 2008 schema (including Services for Unix)
Users (OU=Users)
    AdminUser    @id @name @mail
    DemoUser     @id @name @mail
Tenants (OU=Tenants)
    DemoTenant   @id @name @description   member(AdminUser,DemoUser)
        AdminRole    roleOccupant(AdminUser)
        MemberRole   roleOccupant(DemoUser)
Roles (OU=Roles)
    AdminRole    @id @name
    MemberRole   @id @name
Configuration on Active Directory
You need to change the schema definition of organizationalRole so that groupOfNames is allowed as a possible superior; otherwise role objects cannot be created beneath a tenant's groupOfNames entry as in the tree above.
Requirements
- The user who modifies the schema configuration needs to be a member of the Schema Administrators group
- The change must be made on the domain controller holding the AD Schema Master role
Procedure
- In ADSI Edit, open the Schema naming context
- Open CN=Organizational-Role
- In the Attribute Editor, edit possSuperiors
- Add groupOfNames to the list of values and click OK
Configuration on Keystone
The following configuration is needed on the Keystone side, in the [ldap] and [identity] sections of keystone.conf.
Example 1.1. Configuration for LDAP backend
...
[ldap]
url = ldap://dc.example.com
user = CN=ldap,OU=Users,DC=example,DC=com
password = verybadpass
suffix = DC=example,DC=com
use_dumb_member = True
dumb_member = CN=ldap,OU=Users,DC=example,DC=com

user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_filter =
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_tree_dn = OU=Tenants,DC=example,DC=com
tenant_filter =
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore =
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = OU=Roles,DC=example,DC=com
role_filter =
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =
role_allow_create = True
role_allow_update = True
role_allow_delete = True
...
[identity]
driver = keystone.identity.backends.ldap.Identity
...
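As an added example (not Keystone's own code and not part of the original page), the following shows how the attribute mapping in the [ldap] section above is interpreted: a user's enabled state is derived from userAccountControl with user_enabled_mask and user_enabled_default, and a user's roles in a tenant are resolved through the tenant's member attribute and the roleOccupant attribute of the organizationalRole entries beneath it. The directory entries and e-mail addresses are constructed for the example.

```python
# Added example (not Keystone's code): apply the [ldap] mapping to constructed AD entries.
USER_DN = "CN=AdminUser,OU=Users,DC=example,DC=com"
DEMO_DN = "CN=DemoUser,OU=Users,DC=example,DC=com"
TENANT_DN = "CN=DemoTenant,OU=Tenants,DC=example,DC=com"

CONF = {  # the relevant [ldap] keys, with the values used on this page
    "user_id_attribute": "cn", "user_name_attribute": "cn", "user_mail_attribute": "mail",
    "user_enabled_attribute": "userAccountControl", "user_enabled_mask": 2,
    "user_enabled_default": 512, "tenant_member_attribute": "member",
    "role_member_attribute": "roleOccupant",
}

# Constructed sample directory (dn -> attributes) mirroring the sample tree above.
AD_ENTRIES = {
    USER_DN: {"objectClass": ["person"], "cn": ["AdminUser"],
              "mail": ["admin@example.com"], "userAccountControl": ["512"]},
    DEMO_DN: {"objectClass": ["person"], "cn": ["DemoUser"],
              "mail": ["demo@example.com"], "userAccountControl": ["514"]},  # 512 | 2
    TENANT_DN: {"objectClass": ["groupOfNames"], "cn": ["DemoTenant"], "ou": ["DemoTenant"],
                "description": ["demo tenant"], "member": [USER_DN, DEMO_DN]},
    "CN=AdminRole," + TENANT_DN: {"objectClass": ["organizationalRole"],
                                  "cn": ["AdminRole"], "roleOccupant": [USER_DN]},
    "CN=MemberRole," + TENANT_DN: {"objectClass": ["organizationalRole"],
                                   "cn": ["MemberRole"], "roleOccupant": [DEMO_DN]},
}


def ldap_to_user(attrs, conf=CONF):
    """Map a person entry to a user dict; enabled only if the mask bit (2 = ACCOUNTDISABLE) is clear."""
    uac = int(attrs[conf["user_enabled_attribute"]][0])
    return {"id": attrs[conf["user_id_attribute"]][0],
            "name": attrs[conf["user_name_attribute"]][0],
            "email": attrs.get(conf["user_mail_attribute"], [None])[0],
            "enabled": (uac & conf["user_enabled_mask"]) == 0}


def enabled_to_uac(enabled, current=None, conf=CONF):
    """Reverse mapping for writes (relevant only with user_allow_update = True): start from
    user_enabled_default (512 = NORMAL_ACCOUNT) if no value exists, then set/clear the mask bit."""
    uac = conf["user_enabled_default"] if current is None else current
    mask = conf["user_enabled_mask"]
    return (uac & ~mask) if enabled else (uac | mask)


def roles_for_user(user_dn, tenant_dn, entries=AD_ENTRIES, conf=CONF):
    """Roles held in a tenant: user must be a tenant member and a roleOccupant of a role below it."""
    if user_dn not in entries[tenant_dn].get(conf["tenant_member_attribute"], []):
        return []
    return sorted(a["cn"][0] for dn, a in entries.items()
                  if dn.endswith("," + tenant_dn) and "organizationalRole" in a["objectClass"]
                  and user_dn in a.get(conf["role_member_attribute"], []))
```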