openldap integration with keystone for authentication

asked 2013-09-24 08:02:39 -0500


updated 2013-09-24 18:31:27 -0500


Hi, we were trying to integrate keystone with a local openldap server.

We used the following ldif file for setting up the ldap tree: example.ldif

This is the keystone configuration file: keystone.conf

When we tried to access through the horizon as 'admin' user, horizon prompted the following error: "Unable to retrieve authorized Projects".

Here are the keystone logs: keystone.log

Thanks in advance


2 answers


answered 2013-09-27 04:22:12 -0500


updated 2013-09-27 04:35:22 -0500

By default, keystone uses a mysql database for authentication. But there is a provision to change this to ldap authentication.

We had set up a local ldap server. Instead, a remote one can also (and generally is) used.

In /usr/local/etc/openldap/slapd.conf

add these lines:

include /usr/local/etc/openldap/schema/cosine.schema

include /usr/local/etc/openldap/schema/inetorgperson.schema

include /usr/local/etc/openldap/schema/misc.schema

Now, the ldap server needs to have 3 different trees for each identity type:

https://docs.google.com/document/d/1DihxdryIQ7AlAxBcfTZK4tpSQAO7Ii0P_ozRYGNu27k/edit?usp=sharing

A sample ldif file which we had used can be found at: http://pastebin.com/2B10nRd3

It is self-explanatory. We gave the same userPassword (adminpass) to all the users here for our convenience. This password (adminpass) will also be used for logging in as admin in the horizon console.


Now, we come to the configuration of keystone.

A sample can be found at: http://pastebin.com/q53eAGt2

Please don't use this file directly, as all the ips and other configurations are as per my configuration.

Hence, I'll highlight the changes I made to the default /etc/keystone/keystone.conf:

1) Uncomment

public_endpoint = http://localhost:5000/

admin_endpoint = http://localhost:35357/

This is because now the command

keystone user-list won't work as it did with the sql identity service.

So uncomment these and use

keystone --os-token admintokentobecopiedfromkeystone.conf --os-endpoint http://localhost:35357/v2.0/ user-list

2) debug = True

This is done so that logging in /var/log/keystone/keystone.log is enabled and can be used for fixing any issues.

3) in [identity]

driver = keystone.identity.backends.ldap.Identity

instead of

driver = keystone.identity.backends.sql.Identity

4) all the things changed under [ldap] are self-explanatory

Now, we used packstack. In this, keystone was using sql by default, and the sql entries contained each service (nova, cinder, etc.) as a user, with their passwords stored in the sql database. Since we now also have entries for each of the services (nova, cinder, etc.) in our ldap (as described in the above .ldif file), we have to change the password of each service in its respective /etc/ configuration folder.

So in,

1) /etc/nova/api-paste.ini

2) /etc/cinder/api-paste.ini

3) /etc/glance/glance-api.conf

4) /etc/swift/proxy-server.conf

Under [filter:authtoken], we have to change

admin_password=adminpass

Now access of admin via glance should work.

As of now you can only add users via the command line on the openstack server.

Changing slapd.conf to allow the openstack admin to add users should allow addition of users via the horizon console. (Haven't experimented with this part)

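To check the edits this answer walks through (endpoints uncommented, debug on, the ldap identity driver selected, and each service's [filter:authtoken] admin_password matching the userPassword its ldap entry was given), here is an added example, not code from the thread or from keystone itself. The keystone.conf and service fragments below are constructed to mirror the answer; ADMIN_TOKEN_PLACEHOLDER stands in for the real admin token, and the [ldap] url line is an assumption of a local server, as in the thread.

```python
import configparser

# Constructed keystone.conf fragment mirroring the edits in the answer; it is
# not the poster's pastebin file. ADMIN_TOKEN_PLACEHOLDER stands in for the
# real admin_token. The [ldap] url value assumes a local server.
KEYSTONE_CONF = """\
[DEFAULT]
admin_token = ADMIN_TOKEN_PLACEHOLDER
public_endpoint = http://localhost:5000/
admin_endpoint = http://localhost:35357/
debug = True

[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://localhost
"""

LDAP_DRIVER = "keystone.identity.backends.ldap.Identity"

# Constructed [filter:authtoken] fragments for the four files the answer lists.
SERVICE_CONFS = {
    path: f"[filter:authtoken]\nadmin_user = {user}\nadmin_password = adminpass\n"
    for path, user in {
        "/etc/nova/api-paste.ini": "nova",
        "/etc/cinder/api-paste.ini": "cinder",
        "/etc/glance/glance-api.conf": "glance",
        "/etc/swift/proxy-server.conf": "swift",
    }.items()
}

# Constructed view of the userPassword each service entry received in the
# ldif (the answer gave every entry "adminpass").
LDAP_PASSWORDS = {"nova": "adminpass", "cinder": "adminpass",
                  "glance": "adminpass", "swift": "adminpass"}


def _parse(text):
    # interpolation=None so literal '%' in values cannot break parsing
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_keystone_conf(text):
    """Return a list of problems with the keystone.conf edits the answer describes."""
    cp = _parse(text)
    problems = []
    # A commented-out line is a comment to configparser, so it shows up as missing.
    for key in ("public_endpoint", "admin_endpoint"):
        if not cp.has_option("DEFAULT", key):
            problems.append(f"{key} is missing or still commented out")
    if not cp.getboolean("DEFAULT", "debug", fallback=False):
        problems.append("debug is not True; keystone.log will not show auth failures")
    driver = cp.get("identity", "driver", fallback="")
    if driver != LDAP_DRIVER:
        problems.append(f"[identity] driver is {driver or 'unset'}, expected {LDAP_DRIVER}")
    if not cp.has_section("ldap"):
        problems.append("[ldap] section is missing")
    return problems


def check_service_confs(confs, ldap_passwords):
    """Check that each service's admin_password matches its ldap userPassword."""
    problems = []
    for path, text in confs.items():
        cp = _parse(text)
        user = cp.get("filter:authtoken", "admin_user", fallback=None)
        pw = cp.get("filter:authtoken", "admin_password", fallback=None)
        if user is None or pw is None:
            problems.append(f"{path}: [filter:authtoken] lacks admin_user/admin_password")
        elif user not in ldap_passwords:
            problems.append(f"{path}: user '{user}' has no entry in the ldap tree")
        elif pw != ldap_passwords[user]:
            problems.append(f"{path}: admin_password does not match the ldap userPassword for '{user}'")
    return problems


def shared_password_services(confs):
    """Map each admin_password used by more than one service to the files using it."""
    by_password = {}
    for path, text in confs.items():
        pw = _parse(text).get("filter:authtoken", "admin_password", fallback=None)
        if pw is not None:
            by_password.setdefault(pw, []).append(path)
    return {pw: sorted(paths) for pw, paths in by_password.items() if len(paths) > 1}


if __name__ == "__main__":
    for problem in check_keystone_conf(KEYSTONE_CONF) + check_service_confs(SERVICE_CONFS, LDAP_PASSWORDS):
        print("PROBLEM:", problem)
    for pw, paths in shared_password_services(SERVICE_CONFS).items():
        print(f"NOTE: {len(paths)} services share one admin_password: {', '.join(paths)}")
```

Run it against the real files by reading them in place of the constructed strings. The last check exists because the answer reuses adminpass for every service entry for convenience; in a deployment each service user should get its own userPassword, and this report shows which files would need updating.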

answered 2014-06-18 18:48:14 -0500


As the keystone logs indicate, the scoped token authentication request is failing as there is no project 'admin' defined in the assignment backend, which stores the project and its role assignment data. If you are using the sql backend for assignment, create a project with that name and assign roles.

2013-09-24 18:12:19 DEBUG [keystone.common.wsgi] {"error": {"message": "Could not find project: admin", "code": 401, "title": "Not Authorized"}}

I will suggest moving to the keystone v3 authentication format, where you have more flexibility in terms of request format and support for a combination of backends, assuming you are using a more recent keystone deployment.
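The diagnosis above comes from reading the JSON error body keystone writes to its log at debug level. As an added example (not code from the thread or from keystone), the parser below pulls those error bodies out of keystone.log lines and turns the "Could not find project" case into the same conclusion this answer draws. The quoted log line is the one from the thread; the other lines are constructed.

```python
import json
import re

# Constructed keystone.log excerpt: the second line is the one quoted in the
# thread, the others are made up in the same format.
SAMPLE_LOG = """\
2013-09-24 18:12:18 DEBUG [keystone.common.wsgi] arg_dict: {}
2013-09-24 18:12:19 DEBUG [keystone.common.wsgi] {"error": {"message": "Could not find project: admin", "code": 401, "title": "Not Authorized"}}
2013-09-24 18:12:20 DEBUG [keystone.common.wsgi] {"error": {"message": "Invalid user / password", "code": 401, "title": "Not Authorized"}}
2013-09-24 18:12:21 DEBUG [keystone.common.wsgi] {"not_an_error": true}
"""

# timestamp, level, logger name, then the free-form message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
PROJECT_RE = re.compile(r"Could not find project: (?P<name>\S+)")


def parse_error_lines(log_text):
    """Return one dict per log line whose message is a JSON {"error": ...} body."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("msg").startswith("{"):
            continue
        try:
            body = json.loads(m.group("msg"))
        except json.JSONDecodeError:
            continue  # a message that merely starts with '{' but is not JSON
        err = body.get("error") if isinstance(body, dict) else None
        if not isinstance(err, dict):
            continue
        events.append({
            "ts": m.group("ts"),
            "logger": m.group("logger"),
            "code": err.get("code"),
            "title": err.get("title"),
            "message": err.get("message", ""),
        })
    return events


def diagnose(event):
    """Map a parsed error event to the backend that most likely rejected it."""
    m = PROJECT_RE.search(event["message"])
    if m:
        # Identity (the ldap tree) found the user; assignment has no such project.
        return (f"project '{m.group('name')}' is missing from the assignment backend; "
                "create it there and assign roles")
    if event["code"] == 401:
        # No project named, so the identity backend itself rejected the credentials.
        return "identity backend rejected the credentials; check the user's ldap entry and password"
    return f"unclassified keystone error {event['code']}: {event['message']}"


if __name__ == "__main__":
    for ev in parse_error_lines(SAMPLE_LOG):
        print(ev["ts"], "->", diagnose(ev))
```

The split between the two 401 cases is the useful part: a "Could not find project" message means the ldap lookup already succeeded and the fix belongs in the assignment backend, while a bare credential rejection points back at the ldap tree or the password in the service config.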
