HowtoIntegrateKeystonewithAD

How to Integrate Keystone with Active Directory

This document explains how to integrate Keystone with Active Directory by configuring Keystone's LDAP identity backend against an AD domain controller.

Sample information stored on Active Directory

Three separate trees are used on the AD side, one for each identity type (users, tenants and roles). The layout below is the one the Keystone configuration further down expects.

Windows Server 2008 schema (with Services for UNIX installed)


Users (OU=Users)
  AdminUser
    @id
    @name
    @mail
  DemoUser
    @id
    @name
    @mail

Tenants (OU=Tenants)
  DemoTenant
    @id
    @name
    @description
    member(AdminUser,DemoUser)
      AdminRole
        roleOccupant(AdminUser)
      MemberRole
        roleOccupant(DemoUser)

Roles (OU=Roles)
  AdminRole
    @id
    @name

  MemberRole
    @id
    @name

Configuration on Active Directory

The Keystone LDAP backend records a tenant's role assignments as organizationalRole objects placed directly under the tenant's groupOfNames entry (see AdminRole and MemberRole under DemoTenant in the sample tree above). The stock AD schema does not list groupOfNames as an allowed parent of organizationalRole, so the class definition must be changed to add groupOfNames to its possible superiors (the possSuperiors attribute of the class); without this, role assignment in Keystone fails with a naming violation.

Requirements

  • The account that modifies the schema must be a member of the Schema Admins group
  • The change has to be made on the domain controller that holds the Schema Master FSMO role; schema writes sent to any other DC are refused

Procedure

  1. In ADSI Edit, connect to the Schema naming context
  2. Open CN=Organizational-Role
  3. In the Attribute Editor, edit possSuperiors
  4. Add groupOfNames to the list of values and click OK
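The same change expressed as an LDIF, so it can be reviewed and applied with ldifde or ldapmodify on the schema master instead of clicked through ADSI Edit. This is an added example for this page, not text from the original wiki and not Keystone code; DC=example,DC=com is the page's sample domain, SAMPLE_POSS_SUPERIORS is a constructed value list rather than your forest's real default, and the python-ldap helper assumes a Schema Admins account bound over ldaps://.

```python
"""Schema change from steps 1-4 as an LDIF plus an optional python-ldap apply.

Added example for the wiki page; not Keystone code.  It builds the modify
record that adds groupOfNames to possSuperiors of CN=Organizational-Role
in the Schema naming context, followed by a schemaUpdateNow write to
RootDSE so the DC reloads its schema cache at once, and it emits nothing
when the value is already present.
"""

SCHEMA_CLASS_CN = "Organizational-Role"   # lDAPDisplayName: organizationalRole
NEW_SUPERIOR = "groupOfNames"

# Constructed sample of what possSuperiors might hold before the change;
# read the real list from your forest before relying on it.
SAMPLE_POSS_SUPERIORS = ["organizationalUnit", "organization", "container"]


def schema_object_dn(forest_root_dn):
    """DN of the classSchema object for organizationalRole in this forest."""
    return "CN=%s,CN=Schema,CN=Configuration,%s" % (SCHEMA_CLASS_CN, forest_root_dn)


def needs_change(poss_superiors):
    """True if groupOfNames is not yet an allowed parent.

    Class names in possSuperiors are compared case-insensitively, as AD does.
    """
    return NEW_SUPERIOR.lower() not in [v.lower() for v in poss_superiors]


def build_ldif(forest_root_dn, poss_superiors):
    """LDIF for 'ldifde -i -f file.ldif' or ldapmodify; "" if nothing to do.

    Record 1 adds the superior; record 2 writes schemaUpdateNow=1 to RootDSE
    (the empty DN) so the change is visible without waiting for the periodic
    schema cache refresh.
    """
    if not needs_change(poss_superiors):
        return ""
    return (
        "dn: %s\n" % schema_object_dn(forest_root_dn)
        + "changetype: modify\n"
        + "add: possSuperiors\n"
        + "possSuperiors: %s\n" % NEW_SUPERIOR
        + "-\n"
        + "\n"
        + "dn:\n"
        + "changetype: modify\n"
        + "add: schemaUpdateNow\n"
        + "schemaUpdateNow: 1\n"
        + "-\n"
    )


def apply_with_python_ldap(url, bind_dn, password, forest_root_dn):
    """Apply the same change over LDAP with python-ldap (the library Keystone
    itself uses; imported here so the rest of the module runs without it).
    Bind as a Schema Admins member to the DC holding the Schema Master role,
    over ldaps:// so the password is not sent in the clear.
    Returns True if a modification was made."""
    import ldap

    dn = schema_object_dn(forest_root_dn)
    conn = ldap.initialize(url)
    conn.simple_bind_s(bind_dn, password)
    entry = conn.search_s(dn, ldap.SCOPE_BASE, "(objectClass=*)", ["possSuperiors"])
    current = [v.decode() for v in entry[0][1].get("possSuperiors", [])]
    if not needs_change(current):
        return False
    conn.modify_s(dn, [(ldap.MOD_ADD, "possSuperiors", [NEW_SUPERIOR.encode()])])
    conn.modify_s("", [(ldap.MOD_ADD, "schemaUpdateNow", [b"1"])])
    return True


if __name__ == "__main__":
    print(build_ldif("DC=example,DC=com", SAMPLE_POSS_SUPERIORS), end="")
```

After applying, re-read possSuperiors on CN=Organizational-Role and confirm groupOfNames is listed before touching Keystone; the change replicates from the schema master to the other DCs, so role creation against a different DC may fail until replication has completed.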

Configuration on Keystone

Some configuration is also needed on the Keystone side, in keystone.conf. Two points to keep in mind with the example below: the plain ldap:// URL performs an unencrypted simple bind, so the service account password crosses the network in the clear unless you switch to ldaps:// or TLS, and the password also sits in keystone.conf in plaintext, so that file must be readable only by the keystone service user. Because user_allow_create/update/delete are all False, Keystone never writes to the user OU and the bind account needs only read access there; it does need create, modify and delete rights on the Tenants and Roles OUs, where the allow_* options are True.

Example 1.1. Configuration for LDAP backend


  ...
  [ldap]
  url                      = ldap://dc.example.com
  user                     = CN=ldap,OU=Users,DC=example,DC=com
  password                 = verybadpass
  suffix                   = DC=example,DC=com
  use_dumb_member          = True
  dumb_member              = CN=ldap,OU=Users,DC=example,DC=com

  user_tree_dn             = OU=Users,DC=example,DC=com
  user_objectclass         = person
  user_filter              =
  user_id_attribute        = cn
  user_name_attribute      = cn
  user_mail_attribute      = mail
  user_pass_attribute      = 
  user_enabled_attribute   = userAccountControl
  user_enabled_mask        = 2
  user_enabled_default     = 512
  user_attribute_ignore    = password,tenant_id,tenants
  user_allow_create        = False
  user_allow_update        = False
  user_allow_delete        = False

  tenant_tree_dn           = OU=Tenants,DC=example,DC=com
  tenant_filter            =
  tenant_objectclass       = groupOfNames
  tenant_id_attribute      = cn
  tenant_member_attribute  = member
  tenant_name_attribute    = ou
  tenant_desc_attribute    = description
  tenant_enabled_attribute = extensionName
  tenant_attribute_ignore  = 
  tenant_allow_create      = True
  tenant_allow_update      = True
  tenant_allow_delete      = True

  role_tree_dn             = OU=Roles,DC=example,DC=com
  role_filter              =
  role_objectclass         = organizationalRole
  role_id_attribute        = cn
  role_name_attribute      = ou
  role_member_attribute    = roleOccupant
  role_attribute_ignore    =
  role_allow_create        = True
  role_allow_update        = True
  role_allow_delete        = True
  ...
  [identity]
  driver = keystone.identity.backends.ldap.Identity
  ...
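The two parts of this configuration that most often surprise people are how the user_enabled_* settings map onto AD's userAccountControl bitmask and how the user lookup filter is assembled from user_objectclass, user_filter and user_id_attribute. The following is an added example for this page, not Keystone's own code: it re-implements the documented meaning of those settings so you can predict what Keystone will see for a given account and check a filter before enabling the backend. The userAccountControl bit values are AD's documented flags; the sample accounts, the optional memberOf filter and the injection-style user id are constructed, and flipping only the mask bit on update (rather than overwriting the whole value) is this example's choice.

```python
"""userAccountControl handling and user search filters for the [ldap] settings above.

Added example; not Keystone code.  Re-implements the meaning of
user_enabled_attribute = userAccountControl, user_enabled_mask = 2 and
user_enabled_default = 512, and builds the per-user search filter with
RFC 4515 escaping of the user id.
"""

# AD userAccountControl flags relevant to the settings on this page.
ACCOUNTDISABLE = 0x0002        # the bit user_enabled_mask = 2 selects
NORMAL_ACCOUNT = 0x0200        # 512, what user_enabled_default = 512 stores
DONT_EXPIRE_PASSWD = 0x10000   # commonly set as well; must not change the result

USER_ENABLED_MASK = 2
USER_ENABLED_DEFAULT = 512
USER_OBJECTCLASS = "person"
USER_ID_ATTRIBUTE = "cn"


def is_enabled(uac, mask=USER_ENABLED_MASK):
    """Enabled means the mask bits are not all set; with mask 2 that is
    simply 'ACCOUNTDISABLE is clear'.  Any other flags are irrelevant."""
    return (int(uac) & mask) != mask


def uac_to_write(enabled, current_uac=None, mask=USER_ENABLED_MASK,
                 default=USER_ENABLED_DEFAULT):
    """Value to store when 'enabled' changes (only used if user_allow_update
    is turned on).  A new account starts from user_enabled_default; an
    existing account keeps its other flags and only the mask bit is flipped,
    so e.g. DONT_EXPIRE_PASSWD is not silently lost (this example's choice)."""
    base = default if current_uac is None else int(current_uac)
    return (base & ~mask) if enabled else (base | mask)


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter, so a user
    id such as 'Admin*)(cn=' cannot alter the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def user_lookup_filter(user_id, objectclass=USER_OBJECTCLASS, user_filter="",
                       id_attribute=USER_ID_ATTRIBUTE):
    """Filter for the search under user_tree_dn that resolves one user id.
    user_filter, when set, must be a complete filter such as
    (memberOf=CN=DemoTenant,OU=Tenants,DC=example,DC=com) and is AND-ed in."""
    clauses = ["(objectClass=%s)" % objectclass]
    if user_filter:
        clauses.append(user_filter)
    clauses.append("(%s=%s)" % (id_attribute, escape_filter_value(user_id)))
    return "(&" + "".join(clauses) + ")"


# Constructed sample accounts: (cn, userAccountControl as returned by AD).
SAMPLE_ACCOUNTS = [
    ("AdminUser", NORMAL_ACCOUNT),                          # 512, enabled
    ("DemoUser", NORMAL_ACCOUNT | ACCOUNTDISABLE),          # 514, disabled
    ("ServiceUser", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD),   # 66048, enabled
]

if __name__ == "__main__":
    for cn, uac in SAMPLE_ACCOUNTS:
        print("%-12s uac=%-6d enabled=%-5s %s"
              % (cn, uac, is_enabled(uac), user_lookup_filter(cn)))
    print(user_lookup_filter("Admin*)(cn="))   # escaped, stays a single cn clause
```

If you tighten user_filter (for example to a memberOf clause restricting logins to one group), remember that it is AND-ed with the objectClass and id clauses, so an account outside the group is simply "not found" rather than "disabled"; check the resulting filter with ldapsearch before pointing Keystone at it.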