
Integration with ldap [closed]

asked 2014-04-26 09:28:19 -0500



Is it possible to configure keystone authentication through ldap and sql both? I'd like to keep admin users and project assignments locally in sql & assign users to project from company's ldap.

Any help?

Thanks, Pradeep


Closed for the following reason: the question is answered, right answer was accepted by mpetason
close date 2014-06-09 11:25:00.853912

2 answers


answered 2014-04-29 10:40:17 -0500


This is definitely possible. Starting with Havana you have the option to use assignment and identity. You would use LDAP for Identity, which would map to users/groups, then assignment for roles/projects. As for admin users you can use the admin key to auth to keystone, but the rest of the users are found with the ldap search string.

Keep in mind if you want to see roles/domains and the additional features of keystone then you'll need to use the V3 api. You can setup the V3 api then point the dashboard to it through the local settings.

You can use the guide below for reference, however all you will be setting up are groups and users, which groups will show up in the newer keystone conf on your system. You can leave projects/roles commented out.

This gives you the information to use for the drivers:



Thanks for the guidance!! I had tried without creating anything in ldap, but just providing bind details in keystone config. In ideal conditions it should work but it is not. In logs I can see login outcome is success but it throws an error that I've no projects assigned. Looks like I must touch ldap to make it work. I'll update here in a few days, how it goes... Thanks again!!

pkumar ( 2014-04-29 19:36:14 -0500 )

Once you have ldap working you have to reassign roles to the users. So you could do something like:

keystone user-list

Find the user IDs and then work on assigning them to roles with keystone user-role-add. Use the admin key you setup to auth against keystone to make updates.

mpetason ( 2014-04-29 19:41:09 -0500 )

I can see all users in ldap through keystone user-list. I also ran the following command without any error: keystone user-role-add --user=ldapuser --tenant=admin --role=admin

But when I try to login on dashboard using ldapuser or even admin user, I'm getting the following error: "Unable to retrieve authorized projects."

I can see following error in logs:

2014-04-30 14:44:06.750 4095 TRACE keystone.common.wsgi OPERATIONS_ERROR: {'info': '000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0\n', 'desc': 'Operations error'} 2014-04-30 14:44:06.750 4095 TRACE keystone.common.wsgi 2014-04-30 14:44:06.755 4095 INFO eventlet.wsgi.server [-] - - [30/Apr/2014 14:44:06] "GET /v3/users/ldapuser)/projects HTTP/1.1" 500 424 0.047102

Following is my ldap config:

url=ldap:// user=CN=ldapuser,OU=Users,DC=example,DC=com password=abcdefg user_tree_dn=users,dc=example,dc=com ...(more)

pkumar ( 2014-04-30 16:53:34 -0500 )

Do you have assignment setup to use sql? Are both drivers enabled? If keystone user-list is bringing back ldap users, make sure you can see keystone tenant-list and keystone role-list. I see you have the user name option setup right too! Took me a while to figure that out.

mpetason ( 2014-04-30 20:20:54 -0500 )

Yes, both drivers are enabled as follows:

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[identity]
driver = keystone.identity.backends.ldap.Identity

I can also get result of keystone tenant-list and keystone role-list just fine, so no issues there. One thing to note, keystone user-list is not showing sql users like admin, demo etc which makes me think that it is not even reading sql.

I had to set up the username option, otherwise it was sending the wrong query to the directory server.

pkumar ( 2014-05-01 01:12:20 -0500 )
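As an added example (not taken from any answer or configuration in this thread), a keystone.conf fragment that implements the LDAP identity / SQL assignment split mpetason describes, together with the read-only and TLS settings a deployer would want on the directory side. Option names are the Havana-era ones; every DN, host name and the bind password are placeholders, and the attribute names assume an Active Directory schema.

```ini
# Added example keystone.conf fragment; all DNs, hosts and credentials are placeholders.

[identity]
# Users and groups are read from the company directory.
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Projects, roles and role assignments stay in the local SQL database.
driver = keystone.assignment.backends.sql.Assignment

[ldap]
# StartTLS so the bind password and search results are not sent in clear text;
# tls_req_cert = demand rejects a directory presenting an untrusted certificate.
url = ldap://ldap.example.com
use_tls = True
tls_cacertfile = /etc/keystone/ldap-ca.pem
tls_req_cert = demand

# Dedicated service account that only needs read access to the user/group subtrees.
# Placeholder password: keep keystone.conf readable by the keystone user only.
user = CN=keystone-svc,OU=ServiceAccounts,DC=example,DC=com
password = CHANGE-ME-service-account-password
suffix = dc=example,dc=com
query_scope = sub

# User mapping. user_name_attribute is the "username option" discussed in the
# comments above: without it keystone searches on an attribute AD does not use.
user_tree_dn = OU=Users,DC=example,DC=com
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# Only members of one directory group become OpenStack users.
user_filter = (memberOf=CN=openstack-users,OU=Groups,DC=example,DC=com)
# Keystone must never write to the directory.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = OU=Groups,DC=example,DC=com
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```

With this layout local SQL users such as admin no longer appear in keystone user-list, as mathias notes below; admin access is bootstrapped with the admin token and role assignments are then made against the LDAP user IDs.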

answered 2014-04-29 04:36:14 -0500


In havana, you can save user, group, role, project in ldap, and other data in sql.



Right, but the problem is that it is not working as expected. I can see all ldap users using keystone user-list but it is not showing me local users. Also, ldapuser and admin are not able to login as it is throwing the following error: "Unable to retrieve authorized projects."

pkumar ( 2014-04-30 17:19:36 -0500 )

My understanding is that when you enable the ldap identity driver, you _only_ use LDAP users. So it is quite natural not to see SQL users anymore.

mathias ( 2014-12-13 09:25:02 -0500 )



Asked: 2014-04-26 09:28:19 -0500

Seen: 890 times

Last updated: Apr 29 '14