Ask Your Question

password authentication thru ldap

asked 2017-06-09 12:00:56 -0500

jamesopst gravatar image

hi all, hoping for a bit of direction please

ive been researching using openstack with ldap for months and I feel like im not any closer to understanding it than when I started. and ive read many webpages explaining it. admittedly I am significantly unfamiliar with the topic.

i am using newton, which by default has OS_IDENTITY_API_VERSION="3".

my vision is,what i think is a very minor integration of ldap with openstack: when a user tries to login to horizon his password is authenticated with our corporate ldap server. (so he can use the same password he uses for every other app and network resource).

after reading a bit i see now how that user authentication is not used only for horizon login but for group membership and roles and project, etc,etc, what i fear is all these will need to be defined on the ldap sever for each user. i dont have control of that server.

i dont mind managing a user/group/role/project list local to openstack, like default. I just want a users password to be checked via ldap, when logging into Horizon specfically. and if needed when ever this users needs to execute something in the openstack environment.

am I way off my expectation here? please educate me


edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2017-06-09 18:55:40 -0500

You only keep users in the LDAP directory. Projects and domains are in the resource backend ([resource] section in the config file), role assignments in the [assignment] backend, roles in [role] afaik.

Furthermore, thanks to domain-specific backends, you can keep all the service and admin users, which belong to the Default domain, in the local database. This way, they can be modified by the Keystone API, unlike the normal users in the LDAP directory.

edit flag offensive delete link more



thanks Bernd for your response. i think ive gotten further along. i am still getting invalid credentials from my ldap server.... but another question will I have to create a domain, and users, in openstack to match the users that I want to be able to authenticate via the ldap domain?

jamesopst gravatar imagejamesopst ( 2017-06-21 17:13:02 -0500 )edit

You don't (re)create users that are in the LDAP directory. There is no need to create any domains at all; users are by default in a domain named Default.

Bernd Bausch gravatar imageBernd Bausch ( 2017-06-21 22:26:36 -0500 )edit

each time I try to configure this the admin user looses the ability to run commands on the command line. is there a way to avoid this?

openstack user create An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-cc8900b4-41ca-4387-953c-5f46f16d6904)

jamesopst gravatar imagejamesopst ( 2017-07-17 17:01:47 -0500 )edit

Check the keystone log for more info. My guess is wrong LDAP config in Keystone.

Bernd Bausch gravatar imageBernd Bausch ( 2017-07-17 23:02:58 -0500 )edit

answered 2017-07-20 15:20:58 -0500

jamesopst gravatar image

updated 2017-09-05 13:53:39 -0500

i figured out all my config issues!

part of my issue: make sure your ENV variable and keystone_rc file set auth API version to 3 like this

and not this
even though API version 2.0 was like this

furthermore, these directions really helped!

And also very importantly here is what my domain specific keystone file looked like:

vi /etc/keystone/domains/keystone.mydom.conf
url = ldap://
user =
password = ldapuserpass
user_tree_dn = ou=Corp,dc=mydom,dc=com
query_scope = sub
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_filter = (memberOf=CN=Openstack Users,OU=Groups,DC=mydom,DC=com)
user_mail_attribute = mail
user_pass_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False
#group_filter =
group_id_attribute = cn
group_member_attribute = member
group_name_attribute = 'OpenStack Users'
group_objectclass = group
group_tree_dn = ou=Corp,dc=mydom,dc=com

driver = keystone.identity.backends.ldap.Identity

This is with the corporate ldap/AD server here at my job. I had my IT team create the "Openstack Users" group in this corporate ldap and add everyone's username who I wanted to give access to Horizon to this group. (they'll be able to login with their "windows credentials"). This allowed me to use the above "user_filter" setting.

Other important settings:
query_scope = sub
(default scope = 1, whatever this is, our ldap seems to have more scope than a standard)
user_id_attribute = cn
user_name_attribute = sAMAccountName
(make sure everyone's login names "windows credentials" are under this CN in your ldap and not some other location)

in my journey I created my own temporary ldap server so I could understand how ldap works and the structure it uses and confirm that openstack was in fact communicating with ldap, so it was helpful to start with a server I could control. Once I got keystone.mydom.conf configured to connect with my temporary ldap server it was slightly easier to configure it to connect to our corporate ldap server.

my test that I was connecting correctly to either ldap server was this command returning users

openstack user list --domain mydom
| ID                                                               | Name     |
| 3434343434434343430b2a4fc1f7617d0f3a010aea62c444343333333335ab04 | user2    |
| 64560d734e3f5e6e951883bc12a566dgggccb25ea0619a6d71h9jjjkkgh96302 | user1    |

i must of edited the keystone.mydom.conf file 200 times trying different settings, googling and trying again, till I made fwd progress. A typical try would be:

vi /etc/keystone/domains/keystone.mydom.conf
systemctl restart httpd.service (restarts keystone which is needed each conf change)
tail -f /var/log/keystone/keystone.log
openstack user list --domain mydom (on another console, watch the tail command for errors)

these linux ldap commands helped me figure out the (corporate or temporary) ldap server object structure/usage. Any ldap user/pass should be able to search ldap. (google for help on ldapsearch to find different command line options ... (more)

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2017-06-09 12:00:56 -0500

Seen: 1,586 times

Last updated: Sep 05 '17