How can I integrate Active Directory in OpenStack using Keystone?

asked 2013-10-25 06:53:13 -0500

vinoth

updated 2013-10-30 05:24:47 -0500

How can I integrate Active Directory in OpenStack using Keystone?

As per my analysis of OpenStack and AD integration, there are two ways of integrating, as suggested on this question about Swift, and I haven't managed to successfully integrate AD with my OpenStack installation.

The suggestions for Swift are:

1) If your existing system is using LDAP or Active Directory, consider using the OpenStack Identity service backing on to this - it integrates well with swift.

2) If you have a 'special' system that has its own API, you can write a small module to put in the swift pipeline to handle the authorization decisions. You can find an example of how to develop a module in the OpenStack Operations Guide "Customize" chapter.

I was trying the first option for the last 4 days because there are two types of attributes for the tenant specially used for the integration as the Keystone back end, which are as follows:

a) AD tenant object creation with class Organizationunit, and change keystone.conf as per this setup: when we try to log in via Horizon it says "Unable to authenticate using available projects." This shows authentication is happening and authorization is not happening using tenant, role, user integration. Also, it's not allowing binding with any service, as the authorization is not completing because it is not able to authenticate using existing projects. The attached file with the Keystone log for this setup will give more clarity.

b) AD tenant object creation with class groupOfNames, and change keystone.conf as per this setup. When we use this setup via Horizon it says "Unable to retrieve authorized projects." and it stops. The attached file with the Keystone log for this setup will give more clarity.

Whereas with both setups, from the command line we can just list user, tenant, and role objects using the ADMIN token … and this is happening successfully with Active Directory.

Keystone log using tenant object with Organizationunit as class

2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] ***** REQUEST ENVIRON *****
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] SCRIPT_NAME = /v2.0
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] webob.adhoc_attrs = {'response': <Response at 0x460f310 200 OK>}
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] REQUEST_METHOD = POST
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] PATH_INFO = /tokens
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] SERVER_PROTOCOL = HTTP/1.0
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] REMOTE_ADDR = 127.0.0.1
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] CONTENT_LENGTH = 847
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] HTTP_X_AUTH_TOKEN = -b8zNznhyppVffsh08lUkC9ytcCaU6AtSPO-YY1Vo9vIZ3FCOTVOS+i7bXk7elqLZSZuCe4YH7hnku6q7A=
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] HTTP_USER_AGENT = python-keystoneclient
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] eventlet.posthooks = []
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] RAW_PATH_INFO = /v2.0/tokens
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] REMOTE_PORT = 51593
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] eventlet.input = <eventlet.wsgi.Input object at 0x45fe890>
2013-10-25 14:48:14 DEBUG [keystone.common.wsgi] wsgi.url_scheme ...


Comments

Edit your question adding the logs, if you can. Use http://paste.openstack.org.

smaffulli (2013-10-25 16:09:53 -0500)