Keystone integration with Microsoft Active Directory

asked 2012-01-27 09:06:07 -0500

srirangamn

Hi,

I have installed Keystone and I am trying to integrate Keystone with Microsoft Active Directory.

Can anybody tell me the steps to integrate Keystone with AD?

Thanks in advance.

Regards, Raju.


7 answers


answered 2012-02-12 08:41:04 -0500

This question was expired because it remained in the 'Open' state without activity for the last 15 days.


answered 2012-02-14 12:57:48 -0500

srirangamn

Hi,

Can anybody please help me on this?

Regards, Raju.


answered 2012-02-21 07:39:40 -0500

srirangamn

Hi Joseph,

Thanks a lot for the information.

Regards, Raju.


answered 2012-02-19 20:00:58 -0500

heckj

Hi Raj,

the baseline LDAP implementation is currently against OpenLDAP and defines specific structures to be used with it. There are blueprints (meaning planning stages of future work), but no concrete implementations at this time that have Keystone working with LDAP through an Active Directory installation.

That said, we expect this to be a common use case, and a number of us are rallying around the development needed to implement exactly this kind of feature. I would like to encourage you to look at http://wiki.openstack.org/KeystoneUseCases and see if some of the user stories there match what you're looking for. That is the current thinking about the problem set we are going to be focusing on solving in the near future (early Folsom timeframe).

- joe

answered 2012-03-15 13:19:31 -0500

Raj,

I have a setup in Essex where I use Microsoft Active Directory for authentication but still use a local DB for users/tenants.

Basically I have a daemon in Python which creates users and tenants based on AD groups (so adding a user to an AD group will create this user automatically in Keystone, create the tenant (AD group) and give the user some roles in the corresponding tenant). I then hijack the SQL backend to do LDAP authentication, so the user uses his Windows password to log in to Horizon (easy).

This is something we already do in other apps here, so I was asked to do the same thing with OpenStack.

It is not a full LDAP backend for Keystone; it is more of a hybrid form where only authentication is LDAP-based, and the local Keystone DB is still used for users, email, roles, tenants, etc. (although an outside program synchronizes this local DB with information from LDAP).

I don't know if this is a use case that would be popular. I think it would be hard to use an existing Windows AD as a complete LDAP backend in a big corporation (security reasons among others); it was relatively simple to implement what I just described.

cheers

Boris


answered 2012-03-15 15:09:15 -0500

srirangamn

Hi Boris,

Thank you very much for your reply.

I also did something similar to this. The SQLite or MySQL DB created by Keystone stays as it is. The workflow is as follows:

  1. User enters his username and password through Horizon.
  2. If the user doesn't exist in the MS AD, I am throwing an exception. [I need to handle this nicely with a message]
  3. If the user exists in the MS AD, I am adding that user in Keystone DB with the same credentials.
  4. The remaining tables (Tenants, Credentials, Services, and the Users table itself) exist as they are in SQLite or MySQL.

I am also trying to add a particular user to more than one tenant. For example, Administrator should have full access to all tenants [projects].

Thanks for your detailed description of the workflow. I will try to integrate my work into a plug-in and will update you if I come across any difficulties.

Thanks and Regards, Raju.

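The hybrid scheme Boris and Raju describe above (verify the Windows password by binding to AD, keep users and tenants in the local Keystone DB, derive tenant roles from AD groups) in working form, as an added example. This is not Keystone code and not either of their daemons. FakeDirectory is a constructed in-memory stand-in for a domain controller so the flow runs offline; in a real deployment its search and simple_bind methods would be python-ldap calls over LDAPS to the domain controller. GROUP_TO_TENANT and the two sample accounts are made up for the example. It also carries the two checks that bite hybrid setups like this: an empty password must be rejected before the bind (AD by default answers a simple bind with an empty password as a successful unauthenticated bind), and the login name must be RFC 4515 escaped before it goes into the sAMAccountName filter.

```python
"""Hybrid AD authentication for a local-DB Keystone: bind as the user to
verify the password, then mirror the user and AD-group-derived tenant roles
into the local user table.

Added example, not Keystone code. FakeDirectory stands in for AD so this
runs offline; GROUP_TO_TENANT and the sample accounts are assumptions.
"""
import hmac
import re


def escape_filter(value: str) -> str:
    """RFC 4515 escaping: a login name must never change the filter's shape."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _value_to_regex(value: str) -> str:
    """Fake-server helper: a raw '*' is an LDAP wildcard, '\\xx' is a literal."""
    parts = []
    for chunk in value.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), chunk)
        parts.append(re.escape(literal))
    return ".*".join(parts)


class FakeDirectory:
    """Constructed stand-in for an AD domain, keyed by sAMAccountName."""

    def __init__(self, users):
        self._users = users  # name -> {"dn", "password", "memberOf"}

    def search(self, ldap_filter: str):
        m = re.fullmatch(r"\(sAMAccountName=(.*)\)", ldap_filter, re.S)
        if not m:
            return []
        pattern = _value_to_regex(m.group(1))
        return [(rec["dn"], rec) for name, rec in self._users.items()
                if re.fullmatch(pattern, name)]

    def simple_bind(self, dn: str, password: str) -> bool:
        # AD by default treats a simple bind with an empty password as an
        # unauthenticated bind and reports success; mirror that quirk so the
        # caller has to guard against it.
        if password == "":
            return True
        for rec in self._users.values():
            if rec["dn"] == dn:
                return hmac.compare_digest(rec["password"].encode(),
                                           password.encode())
        return False


# Assumed mapping of AD group DN -> (Keystone tenant, role).
GROUP_TO_TENANT = {
    "CN=cloud-admins,OU=Groups,DC=example,DC=com": ("admin", "admin"),
    "CN=proj-alpha,OU=Groups,DC=example,DC=com": ("alpha", "member"),
}


def authenticate_and_sync(directory, username, password, keystone_db):
    """Verify the user against AD, then create/refresh the local record.

    Returns (username, {tenant: role}) on success, None otherwise.
    keystone_db is a dict standing in for the local users table.
    """
    if not password:
        return None  # never forward an empty password (see simple_bind)
    hits = directory.search(f"(sAMAccountName={escape_filter(username)})")
    if len(hits) != 1:
        return None  # unknown user, or a name that matched several entries
    dn, rec = hits[0]
    if not directory.simple_bind(dn, password):
        return None
    roles = {}
    for group in rec.get("memberOf", []):
        if group in GROUP_TO_TENANT:
            tenant, role = GROUP_TO_TENANT[group]
            roles[tenant] = role
    # One user may hold roles in several tenants. No password is stored
    # locally: AD stays the only place the credential is ever verified.
    keystone_db.setdefault("users", {})[username] = {"dn": dn, "roles": roles}
    return username, roles


# Constructed sample accounts.
DIRECTORY = FakeDirectory({
    "raju": {"dn": "CN=raju,OU=Users,DC=example,DC=com",
             "password": "Winter2012!",
             "memberOf": ["CN=proj-alpha,OU=Groups,DC=example,DC=com"]},
    "admin": {"dn": "CN=admin,OU=Users,DC=example,DC=com",
              "password": "Corr3ct-Horse",
              "memberOf": ["CN=cloud-admins,OU=Groups,DC=example,DC=com",
                           "CN=proj-alpha,OU=Groups,DC=example,DC=com"]},
})

if __name__ == "__main__":
    db = {}
    print(authenticate_and_sync(DIRECTORY, "raju", "Winter2012!", db))
    print(authenticate_and_sync(DIRECTORY, "raju", "", db))      # None
    print(authenticate_and_sync(DIRECTORY, "*", "anything", db))  # None
```

Unlike Raju's step 3, this deliberately stores no password in the local Users table: if the local record carried the AD password, the SQL backend would silently become a second authenticator with its own copy of every domain credential. The unescaped filter `(sAMAccountName=*)` matching every account in the fake directory is the same thing a raw login name of `*` would do against a real domain controller.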

answered 2012-09-15 16:37:02 -0500

tim-bell
