
Keystone LDAP configuration

asked 2013-10-24 06:44:48 -0500 by sngirame

updated 2013-10-25 16:28:38 -0500 by smaffulli

As per the statement below in the security guide:

Keystone MUST NOT be allowed to write to LDAP services used for authentication outside of the OpenStack deployment as this would allow a sufficiently privileged keystone user to make changes to the LDAP directory.

Can someone please elaborate and let me know what needs to be configured so as to block keystone from writing to LDAP?


3 answers


answered 2013-10-25 16:27:32 -0500 by smaffulli

I believe documentation says that you need to configure your LDAP service so that keystone cannot write in there.



How to make sure this does not happen?

sngirame ( 2013-10-29 08:16:36 -0500 )

answered 2014-03-05 20:39:22 -0500 by 9lives

Hello there, in the OpenStack config guide section on Keystone LDAP you can find the following config, which controls the access permissions to the LDAP data.

    [ldap]
    user_allow_create = False
    user_allow_update = False
    user_allow_delete = False
    tenant_allow_create = True
    tenant_allow_update = True
    tenant_allow_delete = True
    role_allow_create = True
    role_allow_update = True
    role_allow_delete = True

Hope that helps!


answered 2014-07-11 06:27:00 -0500 by DeepVish

Hello. Even if you set the following attributes to false in keystone.conf, keystone is still able to update the LDAP database if you do user-role-add.


    user_allow_create = False
    user_allow_update = False
    user_allow_delete = False
    tenant_allow_create = False
    tenant_allow_update = False
    tenant_allow_delete = False
    role_allow_create = False
    role_allow_update = False
    role_allow_delete = False

One possible solution to block keystone from updating LDAP is to provide an LDAP admin user in keystone.conf who has only read access to LDAP.


    query_scope = sub
    url = ldap://
    user = cn=admin,dc=keystoneldap,dc=com
    password = secret

You should make sure that the user "cn=admin,dc=keystoneldap,dc=com" has only read access to LDAP. This can be achieved by using an ACL on the LDAP server.

Hope this is useful.

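The two answers above describe two separate controls: the nine `*_allow_*` switches in keystone.conf (client-side, and, as the last answer notes, not a hard guarantee) and a read-only ACL on the LDAP server for the bind account (the actual enforcement point). The following script is an added example, not code from this thread or from the OpenStack project: it audits a constructed keystone.conf for write switches that are still enabled and renders an OpenLDAP cn=config `olcAccess` entry that limits the bind DN to read access. The suffix `dc=keystoneldap,dc=com` and the bind DN `cn=admin,dc=keystoneldap,dc=com` are the values quoted in the thread; the database entry name `olcDatabase={1}mdb,cn=config` and the hostname in the sample URL are assumptions.

```python
"""Audit keystone.conf [ldap] write switches and render a read-only OpenLDAP ACL.

Added example; not from the thread or the OpenStack project.  Option names come
from the answers above.  The olcDatabase name and sample hostname are assumptions.
"""
import configparser
import io

# The nine keystone-side switches named in the thread.  Keystone's own default
# for each of them is True, so a switch that is absent counts as enabled.
WRITE_FLAGS = [
    f"{obj}_allow_{op}"
    for obj in ("user", "tenant", "role")
    for op in ("create", "update", "delete")
]

# Constructed sample keystone.conf: users locked down, tenants/roles still writable
# (the configuration quoted in the second answer).
SAMPLE_KEYSTONE_CONF = """
[ldap]
url = ldap://ldap.keystoneldap.com
user = cn=admin,dc=keystoneldap,dc=com
password = secret
query_scope = sub
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
role_allow_create = True
role_allow_update = True
role_allow_delete = True
"""


def audit_ldap_section(conf_text):
    """Return (bind_dn, enabled_write_flags) for the [ldap] section of a keystone.conf.

    Only '=' is accepted as the key/value delimiter so DNs and ldap:// URLs,
    which contain '=' and ':', are not split in the wrong place.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_file(io.StringIO(conf_text))
    ldap = cp["ldap"]
    enabled = [
        flag for flag in WRITE_FLAGS
        if ldap.get(flag, "True").strip().lower() not in ("false", "0", "no", "off")
    ]
    return ldap.get("user"), enabled


def readonly_acl_ldif(bind_dn, suffix, database="olcDatabase={1}mdb,cn=config"):
    """Render cn=config LDIF that lets bind_dn search and read the suffix but never write it.

    userPassword is 'auth' only, so the service account can neither dump nor
    change password hashes; end users still bind with their own password via
    'anonymous auth'.  Continuation lines start with two spaces because LDIF
    strips exactly one leading space when folding, and the remaining space is
    the separator between clauses.

    Caveat: if bind_dn is the database's olcRootDN (as cn=admin often is),
    OpenLDAP skips ACL evaluation for it entirely; use a dedicated, non-root
    service account for keystone so this ACL actually applies.
    """
    return "\n".join([
        f"dn: {database}",
        "changetype: modify",
        "replace: olcAccess",
        "olcAccess: {0}to attrs=userPassword",
        "  by self write",
        "  by anonymous auth",
        "  by * none",
        f'olcAccess: {{1}}to dn.subtree="{suffix}"',
        f'  by dn.exact="{bind_dn}" read',
        "  by users read",
        "  by * none",
        "",
    ])


if __name__ == "__main__":
    bind_dn, enabled = audit_ldap_section(SAMPLE_KEYSTONE_CONF)
    for flag in enabled:
        print(f"keystone.conf still allows LDAP writes: {flag}")
    print(readonly_acl_ldif(bind_dn, "dc=keystoneldap,dc=com"))
```

The rendered LDIF is meant to be applied with `ldapmodify` against the cn=config database; review the existing `olcAccess` list first, since `replace:` overwrites all of it. After applying, a bind as the keystone service DN followed by an `ldapmodify` of any entry under the suffix should fail with "Insufficient access", which is the check that the thread's last answer asks for.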


Seen: 557 times

Last updated: Jul 11 '14