How to check whether OpenStack Keystone LDAP is working?

asked 2017-05-31 05:59:51 -0600

yunus

Hi everyone,

I set up an LDAP server and an OpenStack server on different machines. When I run ldapsearch from the OpenStack server against the LDAP server, it works (ldapsearch -x -LLL -h X.X.X.X -D cn=admin,dc=ldap,dc=example,dc=org -w XXXX -b dc=ldap,dc=example,dc=org). But when I changed keystone.conf as described at https://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html and ran openstack user list, it gave an error like: The request you have made requires authentication. (HTTP 401)
But if I remove the driver = ldap line, everything works correctly. Also, I could not run setsebool -P authlogin_nsswitch_use_ldap on because our server is Ubuntu. Finally, my keystone.conf looks like this:

[ldap]
url = ldap://X.X.X.X
user = cn=admin,dc=ldap,dc=example,dc=org
password = XXXX
suffix = dc=ldap,dc=example,dc=org
user_tree_dn = ou=People,dc=ldap,dc=example,dc=org
user_objectclass = organizationalUnit
group_tree_dn = Groups,dc=ldap,dc=example,dc=org
group_objectclass = organizationalUnit
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False

ldapsearch -x

dn: dc=ldap,dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: ldap

dn: cn=admin,dc=ldap,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=People,dc=ldap,dc=example,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=ldap,dc=example,dc=org
objectClass: organizationalUnit
ou: Groups


Comments

What exactly is your goal? Provide access to OpenStack via LDAP for all users, incl. default users (nova, neutron, cinder etc.)? Or do you need to separate these service users from regular users (real persons)? For separation you'd need to configure multi-domain-support.

eblock ( 2017-06-01 03:34:47 -0600 )

By default the service users are configured in the domain "default", usually with sql backend. Additional users that have to be integrated via LDAP have to get their own domain, with "ldap" as identity driver.

eblock ( 2017-06-01 03:38:08 -0600 )

People can be logged in with their email and passwords. And they can send files to swift services and get files.

yunus ( 2017-06-01 06:20:45 -0600 )

Can they already log in, or not yet? Please be more specific about your scenario, it's difficult to guess as there are so many different ways to use OpenStack. Just for reference: we installed the cloud with all default services in the default domain, users like admin, nova, neutron etc...

eblock ( 2017-06-01 07:35:22 -0600 )

... are stored in a local database, with identity backend driver "sql". For my colleagues, the "real" users are stored on our LDAP server. So to integrate them, we configured multi-domains with LDAP as an additional identity backend for the new domain "users".

eblock ( 2017-06-01 07:38:10 -0600 )
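
Added example (not part of the thread, and not Keystone's own code): a small Python model of how the identity driver is chosen per domain, contrasting a single [identity] driver = ldap setup like the one in the question with the multi-domain layout described in the comments. The config strings are constructed samples; the function names, the domain name "users" taken from the last comment, and the file path in the comments are assumptions.

```python
import configparser

# Constructed sample: one identity backend for every domain, as in the question.
SINGLE_BACKEND = """
[identity]
driver = ldap
"""

# Constructed sample: sql stays the main backend, per-domain files are enabled.
MULTI_DOMAIN = """
[identity]
driver = sql
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
"""

# Constructed sample: contents of /etc/keystone/domains/keystone.users.conf
USERS_DOMAIN = """
[identity]
driver = ldap

[ldap]
url = ldap://X.X.X.X
suffix = dc=ldap,dc=example,dc=org
"""

def _parse(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp

def identity_driver(domain, main_conf, domain_confs=None):
    """Return the identity driver serving `domain`.

    domain_confs maps a domain name to the text of its keystone.<name>.conf.
    """
    main = _parse(main_conf)
    enabled = main.getboolean("identity", "domain_specific_drivers_enabled",
                              fallback=False)
    if enabled and domain in (domain_confs or {}):
        dom = _parse(domain_confs[domain])
        if dom.has_option("identity", "driver"):
            return dom.get("identity", "driver")
    # Domains without their own file use the driver from the main keystone.conf.
    return main.get("identity", "driver", fallback="sql")

def service_users_in_ldap(main_conf, domain_confs=None):
    """True when the "default" domain (admin, nova, ...) is looked up in LDAP."""
    return identity_driver("default", main_conf, domain_confs) == "ldap"
```

With the single-backend sample, the "default" domain resolves to ldap, so service accounts that exist only in the SQL database are no longer found; with the multi-domain sample they stay on sql and only the "users" domain goes to LDAP.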