LDAP Group authentication for Keystone

asked 2015-02-17 00:22:14 -0600

Hi All,

We have configured OpenStack Juno on CentOS and integrated it with LDAP for user authentication, and it works fine. Now we need to create groups and allow certain groups access to a given tenant instead of individual users. I have configured it as below, but it still says "You are not authorized for any projects." Any help?

###keystone.conf

[ldap]
url = ldap://IP
user = cn=admin,dc=mydomain,dc=com
password = passwd
suffix = dc=mydomain,dc=com

group_tree_dn = ou=groups,dc=mydomain,dc=com
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description
group_allow_create = False
group_allow_update = False
group_allow_delete = False

user_tree_dn = ou=staff,dc=mydomain,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute = userPassword
user_enabled_emulation = False
user_enabled_emulation_dn = cn=enabled_users,ou=staff,dc=mydomain,dc=com
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_tree_dn = ou=groups,ou=openstack,dc=mydomain,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_domain_id_attribute = businessCategory
tenant_member_attribute = member
tenant_name_attribute = cn
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_tree_dn = ou=roles,ou=openstack,dc=mydomain,dc=com
role_objectclass = organizationalRole
role_member_attribute = roleOccupant
role_id_attribute = cn
role_name_attribute = cn
role_allow_create = False
role_allow_update = False
role_allow_delete = False

###---------------------- LDAP tree structure ------------------------

###Group created for authentication

dn: cn=openstack,ou=groups,dc=mydomain,dc=com
cn: openstack
member: ou=staff,dc=mydomain,dc=com
objectClass: groupOfNames
objectClass: top

"member" role assignment for the "dev" tenant for the group "openstack"

dn: cn=member,cn=dev,ou=groups,ou=openstack,dc=mydomain,dc=com
cn: member
description: Role associated with openstack users
objectClass: organizationalRole
objectClass: top
roleOccupant: cn=openstack,ou=groups,dc=mydomain,dc=com

Thank You, ChamaraT

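Whether a login lands in a tenant depends on which DNs end up in the role entries' roleOccupant attribute and on how those DNs resolve to the user who is logging in. The following is an added example, not code from the original post and not Keystone's own LDAP driver: a small offline checker that walks a constructed LDIF shaped like the tree above and reports, for one user DN, every tenant/role pair reachable either directly or through a groupOfNames, plus any group member it cannot resolve to an inetOrgPerson entry. The membership model it implements (role entry directly beneath the tenant entry, occupant is the user DN or a group that lists the user DN, non-user members not expanded) is an assumption of this example, as are the sample user uid=alice, the group cn=developers and the second tenant cn=qa, which go beyond the posted tree so that both the direct and the group path are exercised.

```python
"""Offline checker for a Keystone-style LDAP role tree (added example, not
Keystone's driver).  Assumed model: a tenant is an entry directly under
TENANT_TREE; a role assignment is an organizationalRole entry directly beneath
the tenant whose roleOccupant values are the DNs holding that role; an occupant
counts for a user if it is the user's DN or a groupOfNames whose `member`
values include the user's DN; members that are not inetOrgPerson entries
(e.g. an OU DN) are not expanded but reported as problems."""
import re

TENANT_TREE = "ou=groups,ou=openstack,dc=mydomain,dc=com"  # tenant_tree_dn from the post

# Constructed sample directory: the two posted entries plus one user, a group
# listing that user directly, and a second tenant with two roleOccupants.
SAMPLE_LDIF = """
dn: ou=staff,dc=mydomain,dc=com
objectClass: organizationalUnit

dn: uid=alice,ou=staff,dc=mydomain,dc=com
objectClass: inetOrgPerson

dn: cn=openstack,ou=groups,dc=mydomain,dc=com
objectClass: groupOfNames
member: ou=staff,dc=mydomain,dc=com

dn: cn=developers,ou=groups,dc=mydomain,dc=com
objectClass: groupOfNames
member: uid=alice,ou=staff,dc=mydomain,dc=com

dn: cn=dev,ou=groups,ou=openstack,dc=mydomain,dc=com
objectClass: groupOfNames

dn: cn=member,cn=dev,ou=groups,ou=openstack,dc=mydomain,dc=com
objectClass: organizationalRole
roleOccupant: cn=openstack,ou=groups,dc=mydomain,dc=com

dn: cn=qa,ou=groups,ou=openstack,dc=mydomain,dc=com
objectClass: groupOfNames

dn: cn=admin,cn=qa,ou=groups,ou=openstack,dc=mydomain,dc=com
objectClass: organizationalRole
roleOccupant: uid=alice,ou=staff,dc=mydomain,dc=com
roleOccupant: cn=developers,ou=groups,dc=mydomain,dc=com
"""

def norm(dn):
    """Normalise a DN for comparison: lower-case, no spaces around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF parser (no base64, no line folding) -> {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = norm(value)
            elif name:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries

def has_class(entry, objectclass):
    return objectclass.lower() in (v.lower() for v in entry.get("objectclass", []))

def parent(dn): return dn.partition(",")[2]
def rdn_value(dn): return dn.partition(",")[0].partition("=")[2]

def effective_assignments(entries, user_dn):
    """Return ([(tenant, role, how)], [problem descriptions]) for user_dn."""
    user_dn, found, problems = norm(user_dn), [], []
    for dn, entry in entries.items():
        tenant_dn = parent(dn)
        if not has_class(entry, "organizationalRole") or parent(tenant_dn) != norm(TENANT_TREE):
            continue  # only role entries directly beneath a tenant entry count
        tenant, role = rdn_value(tenant_dn), rdn_value(dn)
        for occupant in map(norm, entry.get("roleoccupant", [])):
            if occupant == user_dn:
                found.append((tenant, role, "direct"))
                continue
            group = entries.get(occupant, {})
            if has_class(group, "inetOrgPerson"):
                continue  # some other user's direct assignment
            if not has_class(group, "groupOfNames"):
                problems.append(f"{dn}: roleOccupant {occupant} is neither a user nor a groupOfNames entry")
                continue
            members = [norm(m) for m in group.get("member", [])]
            if user_dn in members:
                found.append((tenant, role, "group:" + occupant))
            for m in members:
                if not has_class(entries.get(m, {}), "inetOrgPerson"):
                    problems.append(f"{occupant}: member {m} is not an inetOrgPerson user entry; "
                                    "nested members are not expanded")
    return found, problems

def check(user_dn, ldif=SAMPLE_LDIF):
    return effective_assignments(parse_ldif(ldif), user_dn)

if __name__ == "__main__":
    print(check("uid=alice,ou=staff,dc=mydomain,dc=com"))
```

Run against the sample tree, alice resolves to the qa/admin role twice (once directly, once via cn=developers) and to nothing in dev, because the only occupant there is a group whose single member is an OU DN, which the checker flags instead of expanding. To compare with the live directory, dump the role entries with the same bind the service uses, for example `ldapsearch -x -H ldap://IP -D cn=admin,dc=mydomain,dc=com -W -b ou=groups,ou=openstack,dc=mydomain,dc=com '(objectClass=organizationalRole)' roleOccupant`, and feed the output to check(). Separately, since every *_allow_create/update/delete option in the posted config is False, the bind identity in keystone.conf only needs read access; a dedicated read-only account over ldaps:// or with TLS is the least-privilege choice rather than the directory's cn=admin with a cleartext password over ldap://.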

Comments

Hi,

At least, can anybody tell me whether they have tried this?

chamaraT (2015-02-19 05:14:53 -0600)