How can i integrate active directory in openstack using keystone ?

asked 2013-10-25 06:53:13 -0500

anonymous user


updated 2014-06-09 12:17:15 -0500

smaffulli gravatar image

how can i integrate active directory in openstack using keystone ?

As per my analysis with Openstack and AD integration there are two ways of integrating as suggested on this question about Swift and I haven't managed to successfully integrate AD with my OpenStack installation.

The suggestions for Swift are:

1) If your existing system is using LDAP or Active Directory, consider using the OpenStack Identity service backing on to this - it integrates well with swift.

2) If you have a 'special' system that has its own API, you can write a small module to put in the swift pipeline to handle the authorization decisions. You can find an example of how to develop a module in the OpenStack Operations Guide "Customize" chapter ()

I was trying for first option for last 4 days because there two type of attributes for tenant specially used for the integration with as keystone back end which are as follows:

a) AD tenant object creation with Class Organizationunit and change the Keystone .conf as per this setup: When we try to login via Horizon it says "Unable to authenticate using available projects." and this shows Authentication is happening and authorization is not happening using tenant,role,user integration. Also its not allowing to bind any with any serivce as the authorization is not completing as it is not able to authenticate using existing projects . Attached file with keystone log for this setup will give more clarity of information.

b) AD tenant object creation with Class groupOfNames and change the keystone.conf as per this setup. When we use this setup via Horizon it says " Unable to retrieve authorized projects." and it stops . Attached file with keystone log for this setup will give more clarity of information.

where as from both the setup, from the command line we can just list user,tenant, roles objects using ADMIN token … and this active directory is successfully happening.

Keystone log using Tenant object us with Organizationunit as class

2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] ******************** REQUEST ENVIRON ********************
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] SCRIPT_NAME = /v2.0
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] webob.adhoc_attrs = {'response': <Response at 0x460f310 200 OK>}
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] REQUEST_METHOD = POST
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] PATH_INFO = /tokens
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] SERVER_PROTOCOL = HTTP/1.0
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] REMOTE_ADDR =
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] CONTENT_LENGTH = 847
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] HTTP_USER_AGENT = python-keystoneclient
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] eventlet.posthooks = []
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] RAW_PATH_INFO = /v2.0/tokens
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] REMOTE_PORT = 51593
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] eventlet.input = <eventlet.wsgi.Input object at 0x45fe890>
2013-10-25 14:48:14    DEBUG [keystone.common.wsgi] wsgi.url_scheme ...
edit retag flag offensive close merge delete


Edit your question adding the logs, if you can. Use

smaffulli gravatar imagesmaffulli ( 2013-10-25 16:09:53 -0500 )edit

Are you trying to set this up again with Fuel 4.*? If so Havana allows for separation of services so that you don't have to use AD for tenants/roles. It makes it a lot easier to integrate. Let me know and I'll see if I can help out.

mpetason gravatar imagempetason ( 2014-06-07 09:35:01 -0500 )edit