
Geek's Notes Universe :: Forums :: OpenStack

Keystone + Active Directory integration

root
[ True DAO ]
Posts: 493
1. Update AD master scheme with ADSI Edit (ADSIEDIT.msc)
Open CN=Organizational-Role
In attribute editor edit possSuperiors
Add groupOfNames in the values and click OK

2. Create AD objects (also with ADSI Edit)
OU=Openstack
    OU=Projects
        OU=admin
            CN=admin (organizationalRole)
            CN=adminUsers (groupOfNames)
        OU=service
            CN=admin (organizationalRole)
            CN=serviceUsers (groupOfNames)
    OU=Roles
        CN=admin (organizationalRole)

3. Create AD users
Create users for admin, nova, cinder, glance, neutron, etc. (set the Full name the same as the login). We also need to create a user for searching the AD directory (e.g. ldapuser).

4. Set the roles
For each tenant, add the needed users to the roleOccupant attribute of the admin organizationalRole under OU=$tenant_name. For instance, nova, cinder, glance and neutron should be added to the service tenant.

Add these users as members of the corresponding groupOfNames (adminUsers).

Add these users to the roleOccupant attribute of the admin organizationalRole under OU=Roles.

5. Update the keystone configuration and restart the keystone service.

[ldap]
url = ldap://172.18.12.105
user = CN=ldap,CN=Users,DC=fuel-pm,DC=com
password = R00tme11
suffix = DC=fuel-pm,DC=com
use_dumb_member = True
dumb_member = CN=ldap,CN=Users,DC=fuel-pm,DC=com

user_tree_dn = CN=Users,DC=fuel-pm,DC=com
user_objectclass = organizationalPerson
user_filter =
# uppercase is important due to https://bugs.launchpad.net/keystone/+bug/1210675
user_id_attribute = CN
user_name_attribute = cn
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_tree_dn = OU=Projects,OU=Openstack,DC=fuel-pm,DC=com
tenant_filter =
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore = description,businessCategory,extensionName
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = OU=Roles,OU=Openstack,DC=fuel-pm,DC=com
role_filter =
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =
role_allow_create = True
role_allow_update = True
role_allow_delete = True

...
[identity]
driver = keystone.identity.backends.ldap.Identity
...
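As an added example (not part of the original post), an offline, standard-library Python audit of a Keystone [ldap] section like the one above: it parses the posted values (with the inline comment moved out), reproduces Keystone's userAccountControl mask test on a few constructed UAC values, builds the per-tenant role DN whose roleOccupant step 4 edits, and lists the settings a reviewer would question. The use_tls option, the ACCOUNTDISABLE constant and the sample values are assumptions, not taken from the post.

```python
import configparser

# Constructed sample: the [ldap] keys from the post that the checks below use.
SAMPLE_CFG = """
[ldap]
url = ldap://172.18.12.105
user = CN=ldap,CN=Users,DC=fuel-pm,DC=com
password = R00tme11
user_id_attribute = CN
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
tenant_tree_dn = OU=Projects,OU=Openstack,DC=fuel-pm,DC=com
role_tree_dn = OU=Roles,OU=Openstack,DC=fuel-pm,DC=com
"""

UAC_ACCOUNTDISABLE = 0x0002  # assumed: the userAccountControl bit that mask = 2 selects


def load_ldap_section(text):
    """Parse an INI fragment and return its [ldap] section as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["ldap"])


def user_enabled(uac_value, mask):
    """Keystone's mask semantics: enabled unless all masked bits are set."""
    mask = int(mask)
    return (int(uac_value) & mask) != mask


def role_assignment_dn(cfg, tenant):
    """DN of the per-tenant admin organizationalRole edited in step 4."""
    return f"CN=admin,OU={tenant},{cfg['tenant_tree_dn']}"


def audit(cfg):
    """Hardening findings a reviewer would raise about this [ldap] section."""
    findings = []
    # use_tls is assumed to be Keystone's STARTTLS switch, defaulting to False.
    if cfg["url"].startswith("ldap://") and cfg.get("use_tls", "false").lower() != "true":
        findings.append("bind password and directory queries travel in cleartext")
    if cfg.get("password"):
        findings.append("bind password is stored in keystone.conf; restrict its permissions")
    if cfg["user_id_attribute"] != "CN":
        findings.append("user_id_attribute must be uppercase CN (Launchpad bug 1210675)")
    if int(cfg["user_enabled_mask"]) != UAC_ACCOUNTDISABLE:
        findings.append("user_enabled_mask must select the ACCOUNTDISABLE bit (2)")
    if int(cfg["user_enabled_default"]) & UAC_ACCOUNTDISABLE:
        findings.append("user_enabled_default would create disabled accounts")
    return findings
```

Running `audit(load_ldap_section(SAMPLE_CFG))` on the posted values reports the cleartext ldap:// URL and the stored bind password; `user_enabled(514, 2)` shows a disabled AD account (512 + ACCOUNTDISABLE) maps to a disabled Keystone user.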
