Jump to: navigation, search



Keystone is the project of OpenStack that manages the authentication and authorization of the user. By default keystone uses sql as the backend for users, projects, roles and role assignment. Keystone can also be configured to use Active Directory (AD) i.e. LDAP as its backend. This can be done by following two ways:

1. Read Only LDAP
In this the identity driver will be ldap while the assignment driver will be sql. The keystone will use the users from the ldap but the projects, roles and role assignment will be using sql as the backend. This will be used when any enterprises using the AD (LDAP) want to maintain a centralized repository for user credentials but also don’t want to change their AD structure.

2. Only LDAP
In this both the identity and assignment driver will be ldap. In this all users, projects, roles, role assignment will be maintained in AD (LDAP). This will require modification done to AD structure.

This blueprint aims to automate above two types of integration of Keystone with AD (LDAP) backend. This ad-Integration tool will be a python script. It will be used to automate the configuration changes required for integration of Keystone with AD. It will also replicate the required user, projects in AD backend and at last it will check if the configuration was successful.

User Stories

  1. User will use this tool as a post installation script to configure AD as a backend for keystone.
  2. User has to give the details of pre-configured AD server in an ldapConfig.yml file or through command line.
  3. User has to mention one of the above two approaches which he need to configure, in ldapConfig.yml file.
  4. When user will execute this script he will get the Keystone integrated to AD (LDAP).


This tool will take “ldapConfig.yml” file as input file. If this file is not present then it will take input interactively from the user. Following are the list of parameters which will be taken as input:

  • Type of ldap server it may be ad or non_ad (active directory or not)
  • Type of ldap it may be “readonly_ldap” or “only_ldap”
  • ldap server url
  • user name and credentials to connect to ldap
  • dc of domain
  • dn for users
  • dn for tenant/project
  • dn for role


This tool will perform the following functions:
1. It will put the following parameters in keystone.conf depending on the value of “ldap_type”.

   driver = keystone.assignment.backends.sql.Assignment
   driver = keystone.identity.backends.ldap.Identity

2. It will populate the “ldap” section of keystone.conf with the values of ldap url, user credentials to access it and other dn details required for integration.
3. It will replicate the OpenStack related users, projects and roles in AD. This will only include the users, projects and roles which are created in installation process and not those created manually after installation.
4. It will bypass the authentication by using token and endpoint to assign roles for users on project.
5. After everything is done it will check if configuration is done successfully by executing some OpenStack commands.

Future Enhancements

Currently the tool only support the replication of OpenStack related users, projects and roles in AD server. This can further be modified to replicate all the existing users, projects, roles and role mappings to AD server.