How can I integrate Active Directory as a Backend for Keystone?

asked 2013-06-11 03:15:16 -0500 by Arfghl

updated 2013-09-05 21:26:07 -0500 by nickchase

Hello, I'm trying to use an Active Directory for Keystone backend. I use this configuration from the wiki for keystone.conf.

I have created the 3 different OUs (Users, Tenants, Role) and one user (quantum) in the AD. But some problems appear...

If I try the command: keystone-user-list I got the following 401 error:

2013-06-11 09:54:05 DEBUG [keystone.common.ldap.core] LDAP init: url=ldap://192.168.9.1
2013-06-11 09:54:05 DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=Administrateur,ou=Users,dc=exemple,dc=local
2013-06-11 09:54:05 DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=Users,ou=openstack,dc=exemple,dc=local, scope=1, query=(&(sn=quantum)(objectClass=person))
2013-06-11 09:54:05 DEBUG [keystone.common.ldap.core] LDAP init: url=ldap://192.168.9.1
2013-06-11 09:54:05 DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=Administrateur,ou=Users,dc=exemple,dc=local
2013-06-11 09:54:05 DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=Tenants,ou=openstack,dc=exemple,dc=local, scope=1, query=(&(ou=service)(objectClass=groupOfNames))
2013-06-11 09:54:05 DEBUG [keystone.common.ldap.core] LDAP init: url=ldap://192.168.9.1
2013-06-11 09:54:05 DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=Administrateur,ou=Users,dc=exemple,dc=local
2013-06-11 09:54:05 DEBUG [keystone.common.ldap.core] LDAP search: dn=cn=None,ou=Users,ou=openstack,dc=exemple,dc=local, scope=0, query=(objectClass=person)
2013-06-11 09:54:05 WARNING [keystone.common.wsgi] Invalid user / password

Probably because I have not created the groupOfNames/tenant "service" in AD.

However when I'm trying to override the authentication with the keystone-token:

keystone --token ADMIN --os-endpoint http://127.0.0.1:35357/v2.0 user-list

I got a 501 error:

2013-06-11 09:59:52 DEBUG [keystone.common.wsgi] {"error": {"message": "The action you have requested has not been implemented.", "code": 501, "title": null}}

Any idea?

Thank you in advance


Comments

Have you found a way to solve this issue? Please share it here.

smaffulli (2013-07-26 17:29:06 -0500)

Were you able to get this to work? With Havana on it's a lot easier since you can use LDAP for Identity User/Password/Group, and SQL for assignment Roles/Tenants. Then you don't run into the whole group of names issue. If you need help on this still I'll be happy to write a few recommendations.

mpetason (2014-05-11 12:23:57 -0500)

1 answer


answered 2013-10-26 13:23:50 -0500

Liang Bo

Hi,

If you want to use AD as keystone's backend, you have to manually map the AD attributes to keystone entities. Here is my ldap configuration in keystone.conf.

[ldap]
# this is my DC
url = ldap://192.168.1.33
user = cn=administrator,cn=Users,dc=animbus,dc=com
password = adminpasswordhere
suffix = dc=animbus,dc=com
use_dumb_member = True

query_scope = sub

user_tree_dn = cn=Users,dc=animbus,dc=com
# user_filter =
user_objectclass = organizationalPerson
user_id_attribute = samAccountName
user_name_attribute = cn
user_mail_attribute = mail
# AD keeps the enabled flag in userAccountControl: bit 2 means "disabled",
# 512 is a normal enabled account
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# (the original post set user_enabled_attribute a second time to "enabled";
# that later value would silently replace the userAccountControl mapping above)
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = True
user_allow_update = True
user_allow_delete = True
# you may need to create a related field in AD
user_default_project_id_attribute = department

tenant_tree_dn = ou=Projects,ou=OpenStack,dc=animbus,dc=com
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore = description,businessCategory,extensionName
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = ou=Roles,ou=OpenStack,dc=animbus,dc=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True

As far as I know, this config works with user-list, role-list and tenant-list. It's not able to create users from keystone. btw: I am using Windows 2003 R2 as DC Server.

There is also a wiki page that explains how to integrate keystone with Windows 2003 AD.


Comments

It fails for user-create operations with a Win2008 R2 AD server in my case because the server does not like the "userAccountControl" value in the creation request. If you eliminate that field, it will succeed. I'm not sure how to tell keystone to not use it though. Or, how to make AD accept it.

wyllys (2014-06-19 09:04:13 -0500)

Additionally - if you use "organizationalPerson" as the object class, you will not be able to create users because AD will not let you set the sAMAccountName field for that object. Use "user_objectclass = User" instead.

wyllys (2014-06-19 09:11:20 -0500)
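The question's debug log and the answer's config both come down to the same thing: keystone turns the [ldap] mapping options into a search of the form (&(<name attribute>=<name>)(objectClass=<object class>)), so a wrong or silently ignored option makes the lookup return nothing and the request ends in 401. The following is an added example (not keystone's code and not from either poster) that parses an [ldap] section, flags the slips a reviewer should catch in the posted config (the "uffix" typo, the option set twice, a trailing "#" comment that an INI reader may keep as part of the value) and shows the user and tenant searches that result. The fallback values sn / person / ou / groupOfNames are taken from the shape of the question's log, not from keystone's real defaults; the sample config is a constructed cut-down copy of the answer's.

```python
"""Check a keystone [ldap] section for mapping slips and show the LDAP
searches that keystone would build from it. Added example, not keystone code."""

# Option names seen in the answer's config (plus the correct spelling 'suffix').
KNOWN_OPTIONS = {
    "url", "user", "password", "suffix", "use_dumb_member", "query_scope",
    "user_tree_dn", "user_filter", "user_objectclass", "user_id_attribute",
    "user_name_attribute", "user_mail_attribute", "user_enabled_attribute",
    "user_enabled_mask", "user_enabled_default", "user_attribute_ignore",
    "user_allow_create", "user_allow_update", "user_allow_delete",
    "user_default_project_id_attribute",
    "tenant_tree_dn", "tenant_objectclass", "tenant_id_attribute",
    "tenant_member_attribute", "tenant_name_attribute", "tenant_desc_attribute",
    "tenant_enabled_attribute", "tenant_attribute_ignore", "tenant_allow_create",
    "tenant_allow_update", "tenant_allow_delete",
    "role_tree_dn", "role_objectclass", "role_id_attribute",
    "role_name_attribute", "role_member_attribute", "role_allow_create",
    "role_allow_update", "role_allow_delete",
}

# Fallbacks when an option is absent: assumed from the question's debug log
# (sn=quantum / objectClass=person, ou=service / objectClass=groupOfNames).
FALLBACKS = {
    "user_name_attribute": "sn", "user_objectclass": "person",
    "tenant_name_attribute": "ou", "tenant_objectclass": "groupOfNames",
}

# Constructed sample: a cut-down copy of the answer's config, slips included.
SAMPLE_CONF = """[ldap]
url = ldap://192.168.1.33 #this is my DC
user = cn=administrator,cn=Users,dc=animbus,dc=com
password = adminpasswordhere
uffix = dc=animbus,dc=com
user_tree_dn = cn=Users,dc=animbus,dc=com
user_objectclass = organizationalPerson
user_id_attribute = samAccountName
user_name_attribute = cn
user_enabled_attribute = userAccountControl
user_enabled_attribute = enabled
tenant_tree_dn = ou=Projects,ou=OpenStack,dc=animbus,dc=com
tenant_objectclass = organizationalUnit
tenant_name_attribute = ou
"""


def parse_ldap_section(text):
    """Parse the [ldap] section line by line and return (options, warnings).

    Duplicate keys, unknown keys and trailing '#' comments are reported
    because a plain INI reader would accept all three without complaint."""
    options, warnings, in_section = {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[ldap]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if "#" in value:
            warnings.append(f"line {lineno}: '{key}' has a trailing '#' comment; "
                            "move it to its own line so it cannot become part of the value")
            value = value.split("#", 1)[0].strip()
        if key not in KNOWN_OPTIONS:
            warnings.append(f"line {lineno}: unknown option '{key}' (typo?)")
        if key in options:
            warnings.append(f"line {lineno}: '{key}' set again; the later value "
                            f"'{value}' silently replaces '{options[key]}'")
        options[key] = value
    return options, warnings


def escape_filter_value(value):
    """RFC 4515 escaping, so a name taken from a request cannot change the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def search_for(options, kind, name):
    """Return (base_dn, filter) for looking up a 'user' or 'tenant' by name,
    in the shape the question's log shows."""
    attr = options.get(f"{kind}_name_attribute", FALLBACKS[f"{kind}_name_attribute"])
    oc = options.get(f"{kind}_objectclass", FALLBACKS[f"{kind}_objectclass"])
    base = options.get(f"{kind}_tree_dn", "")
    return base, f"(&({attr}={escape_filter_value(name)})(objectClass={oc}))"


if __name__ == "__main__":
    opts, warns = parse_ldap_section(SAMPLE_CONF)
    for w in warns:
        print("WARNING:", w)
    print("user lookup:  ", search_for(opts, "user", "quantum"))
    print("tenant lookup:", search_for(opts, "tenant", "service"))
```

Run it on the sample and the three warnings show why the posted config needs the fixes discussed in the thread; the user lookup then reads (&(cn=quantum)(objectClass=organizationalPerson)) under cn=Users,dc=animbus,dc=com, whereas with no mapping at all it would be the (&(sn=quantum)(objectClass=person)) search from the question's log, which an AD user created with a cn but no sn never matches.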
