
OpenStack and LDAP

Requirements for LDAP server:

1. Login details for LDAP: the user and password that go into OpenStack's keystone.conf.
2. A created organizational unit.
3. Created users for all OpenStack services (nova, glance, cinder, etc.).
4. Created all users needed for operations.

Setting up OpenStack authentication in LDAP

1. In keystone.conf change the following parameters:

In [identity] section:

driver = keystone.identity.backends.ldap.Identity

In [ldap] section:

url = ldap:// 
user = cn=Manager,dc=demo,dc=com
password = samplepassword
suffix = dc=demo,dc=com
use_dumb_member = False
allow_subtree_delete = False

To use LDAP in read-only mode set:

user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = False
role_allow_update = False
role_allow_delete = False

After changing these parameters the keystone service needs to be restarted:

service keystone restart
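The [ldap] fragment above decides two security-relevant things: whether the bind password and user passwords cross the network encrypted (the url scheme and `use_tls`, a keystone [ldap] option not shown in the post), and whether keystone can write to the directory (the nine `*_allow_*` flags). The following script is an added example, not code from the post: it parses a constructed keystone.conf fragment with `configparser` and reports anything that departs from the read-only, encrypted setup described here. The host name and the single `True` flag in the sample are made up for the demonstration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample in the shape of the keystone.conf fragment from the post.
# The host name and the one "True" flag are made up so the audit has something to find.
SAMPLE_KEYSTONE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://ldap.demo.internal
user = cn=Manager,dc=demo,dc=com
password = samplepassword
suffix = dc=demo,dc=com
use_dumb_member = False
allow_subtree_delete = False
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False
role_allow_create = True
role_allow_update = False
role_allow_delete = False
"""

# Hardened variant of the same fragment: LDAPS transport and every write flag off.
HARDENED_KEYSTONE_CONF = SAMPLE_KEYSTONE_CONF.replace(
    "ldap://", "ldaps://").replace("role_allow_create = True", "role_allow_create = False")

LDAP_DRIVER = "keystone.identity.backends.ldap.Identity"
# The nine read-only flags listed in the post.
WRITE_FLAGS = [f"{obj}_allow_{op}"
               for obj in ("user", "tenant", "role")
               for op in ("create", "update", "delete")]


def audit_ldap_section(conf_text):
    """Return a list of findings for the [ldap] section. An empty list means the
    fragment matches a read-only, encrypted-transport LDAP identity backend."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    if cp.get("identity", "driver", fallback="") != LDAP_DRIVER:
        return ["identity driver is not the LDAP backend; nothing to audit"]
    if not cp.has_section("ldap"):
        return ["[ldap] section is missing"]
    ldap = cp["ldap"]

    url = urlparse(ldap.get("url", "").strip())
    if not url.hostname:
        findings.append("url has no host (the post leaves it blank; it must be filled in)")
    # use_tls is keystone's STARTTLS switch for the [ldap] section; with a plain
    # ldap:// url and no STARTTLS the bind credentials travel in clear.
    if url.scheme == "ldap" and not ldap.getboolean("use_tls", fallback=False):
        findings.append("cleartext transport: url is ldap:// and use_tls is not enabled")
    if not ldap.get("user", "").strip():
        findings.append("bind user is empty: keystone would bind anonymously")
    if ldap.getboolean("allow_subtree_delete", fallback=False):
        findings.append("allow_subtree_delete = True lets keystone remove whole subtrees")
    for flag in WRITE_FLAGS:
        # A missing flag is treated as writable, which is keystone's default for these options.
        if ldap.getboolean(flag, fallback=True):
            findings.append(f"writable: {flag} is not False")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_KEYSTONE_CONF), ("hardened", HARDENED_KEYSTONE_CONF)):
        print(name, audit_ldap_section(text) or ["no findings"])
```

Run against the sample it reports the cleartext transport and the one writable flag; the hardened variant comes back clean. The bind password itself still sits in keystone.conf in plain text, so file permissions on that file matter as much as the flags checked here.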

2. Since authentication and authorisation are separate mechanisms, only the user details need to be stored in the LDAP database. In the test environment we used the following database:

dn: dc=demo,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: demo
ou: demo

dn: ou=Users,dc=demo,dc=com
objectClass: organizationalUnit
ou: Users

dn: cn=admin,ou=Users,dc=demo,dc=com
cn: admin
sn: admin
objectClass: inetOrgPerson
userPassword:: c2VjcmV0
uid: admin
mail: admin@demo.com

dn: cn=Demo,ou=Users,dc=demo,dc=com
cn: Demo
sn: Demo
objectClass: inetOrgPerson
userPassword:: c2VjcmV0
uid: demo
mail: demo@demo.com

dn: cn=nova,ou=Users,dc=demo,dc=com
cn: nova
sn: nova
objectClass: inetOrgPerson
userPassword:: c2VjcmV0
uid: nova

dn: cn=glance,ou=Users,dc=demo,dc=com
cn: glance
sn: glance
objectClass: inetOrgPerson
userPassword:: c2VjcmV0
uid: glance

dn: cn=cinder,ou=Users,dc=demo,dc=com
cn: cinder
sn: cinder
objectClass: inetOrgPerson
userPassword:: c2VjcmV0
uid: cinder

Please note that we've created the service users (nova, cinder, glance) in the LDAP database. If you use additional OpenStack services, for example Heat, the respective users need to be created as well.
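Every `userPassword::` value in the test directory above is the base64 of the same word (`c2VjcmV0` decodes to `secret`), and it is stored without a `{SCHEME}` prefix, i.e. unhashed. The script below is an added example, not part of the post: it parses an abridged, constructed copy of that LDIF (the `::` convention marks base64 values), decodes the passwords, and flags cleartext or shared passwords plus any service account the directory lacks. The service-name list, including `heat` to mirror the note about Heat, is an assumption for the demonstration.

```python
import base64
from collections import defaultdict

# Constructed, abridged copy of the post's test directory (the Demo entry and
# mail attributes are left out). userPassword is base64("secret") in every entry.
SAMPLE_LDIF = """\
dn: dc=demo,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: demo
ou: demo

dn: ou=Users,dc=demo,dc=com
objectClass: organizationalUnit
ou: Users

dn: cn=admin,ou=Users,dc=demo,dc=com
cn: admin
sn: admin
objectClass: inetOrgPerson
userPassword:: c2VjcmV0
uid: admin

dn: cn=nova,ou=Users,dc=demo,dc=com
cn: nova
sn: nova
objectClass: inetOrgPerson
userPassword:: c2VjcmV0
uid: nova

dn: cn=glance,ou=Users,dc=demo,dc=com
cn: glance
sn: glance
objectClass: inetOrgPerson
userPassword:: c2VjcmV0
uid: glance

dn: cn=cinder,ou=Users,dc=demo,dc=com
cn: cinder
sn: cinder
objectClass: inetOrgPerson
userPassword:: c2VjcmV0
uid: cinder
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of {attribute: [values]} dicts, one per entry.
    'attr:: value' carries a base64 value (as userPassword does above).
    Folded continuation lines (leading space) are not handled."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current entry
            if current is not None:
                records.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):       # '::' means base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip()].append(value)
    if current is not None:
        records.append(current)
    return records


def audit_accounts(records, service_names):
    """Flag cleartext or shared passwords on person entries and list service
    accounts missing from the directory. OpenLDAP stores hashed passwords as
    '{SCHEME}...', so a value without that prefix is cleartext."""
    findings, by_password, uids = [], defaultdict(list), set()
    for rec in records:
        if "inetOrgPerson" not in rec.get("objectClass", []):
            continue
        dn, uid = rec["dn"][0], rec.get("uid", ["?"])[0]
        uids.add(uid)
        for pw in rec.get("userPassword", []):
            if not pw.startswith("{"):
                findings.append(f"cleartext password: {dn}")
            by_password[pw].append(uid)
    for owners in by_password.values():
        if len(owners) > 1:
            findings.append("shared password: " + ", ".join(sorted(owners)))
    for name in service_names:
        if name not in uids:
            findings.append(f"service account missing: {name}")
    return findings


if __name__ == "__main__":
    # Assumed service list for the demo; "heat" is deliberately absent from the LDIF.
    for finding in audit_accounts(parse_ldif(SAMPLE_LDIF), ("nova", "glance", "cinder", "heat")):
        print(finding)
```

Against the sample this reports four cleartext passwords, one password shared by admin, cinder, glance and nova, and the missing heat account. In a real deployment each service account gets its own credential and the directory stores a hash (for example an `{SSHA}` value), so the same check against a production LDIF should come back empty.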

3. We need to associate the users with the needed tenants and the respective role:

By this point you should already have the admin and service tenants/projects, so run the following commands on the controller node:

keystone user-role-add --user=admin --tenant=admin --role=admin
keystone user-role-add --user=glance --tenant=service --role=admin
keystone user-role-add --user=nova --tenant=service --role=admin
keystone user-role-add --user=cinder --tenant=service --role=admin

Now you should have a fully working OpenStack with authentication in LDAP and authorisation in MySQL.
