Ask Your Question

Keystone Liberty intgration with OpenLDAP

asked 2016-02-16 02:04:22 -0500

yoba gravatar image

Dear openstack users,

I've integrate keystone with OpenLDAP but I can't retrieve all informations from OpenLDAP.

What's working is:

  • openstack user list --domain [domain]
  • openstack user show [ldapuser] --domain [domain]
  • openstack group list --domain [domain]
  • openstack group show [ldapgroup] --domain [domain]

What's not working

  • openstack group list --user acarnal --user-domain [domain]
  • openstack user list --group [ldapgroup] --domain [domain]

Regarding the keystone logs for the user ldap group membership, I discover that the filterstr that is parsed seems not correct:

LDAP search: base=ou=Group,dc=[domain],dc=localdomain scope=2 filterstr=(&(memberUid=cn=Alexandre Carnal,ou=People,dc=[domain],dc=localdomain)(objectClass=posixGroup)(cn=*)) attrs=['cn', 'description'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/

If I transform the OpenStack query to ldapsearch:

ldapsearch -H ldap://[openldapserver] -p -D cn=Manager,dc=[domain],dc=localdomain -W -x -b ou=Group,dc=[domain],dc=localdomain "(&(memberUid=cn=Alexandre Carnal,ou=People,dc=[domain],dc=localdomain)(objectClass=posixGroup)(cn=*))"

gives nothing too

With that ldapserach query it works:

ldapsearch -H ldap://[openldapserver] -D cn=Manager,dc=[domain],dc=localdomain -W -x -b ou=Group,dc=[domain],dc=localdomain "(&(memberUid=acarnal)(objectClass=posixGroup)(cn=*))"

It seems that the filter is not correct at the memberUID part. The python-openstack script parse the cn but the uid is enough.

Regarding the keystone logs for the user list from ldap group, I discover that the scope that is parsed seems not correct. Should be scope=2 instead of scope=0

LDAP search: base=cn=ISUsers,ou=Group,dc=gvadc,dc=localdomain scope=0 filterstr=(objectClass=posixGroup) attrs=['memberUid'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/

Transform that openstack ldapsearch to the ldapsearch:

ldapsearch -H ldap://srv-sharedsvc-p -D cn=Manager,dc=gvadc,dc=localdomain -s one -W -x -b cn=ISUSers,ou=Group,dc=gvadc,dc=localdomain "(objectClass=posixGroup)"

Gives nothing With the ldapsearch scope subtree it is working

ldapsearch -H ldap://srv-sharedsvc-p -D cn=Manager,dc=gvadc,dc=localdomain -W -x -b cn=ISUSers,ou=Group,dc=gvadc,dc=localdomain "(objectClass=posixGroup)"

Here's under my config files for the [domain] in /etc/keystone/keystone.[domain].conf

driver = ldap

url = ldap://[openldapserver]
suffix = dc=[domain],dc=localdomain
user = cn=Manager,dc=[domain],dc=localdomain
password = The$up3rM@n@gerPa$$w0rd
query_scope = sub

user_tree_dn = ou=People,dc=[domain],dc=localdomain
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute = userPassword
user_enabled_attribute = enabled
group_tree_dn = ou=Group,dc=[domain],dc=localdomain
group_objectclass = posixGroup
group_id_attribute = gidNumber
group_name_attribute = cn
group_member_attribute = memberUid
group_desc_attribute = description
user_allow_create = false
user_allow_update = false
user_allow_delete = false
project_allow_create = false
project_allow_update = false
project_allow_delete = false
role_allow_create = false
role_allow_update = false
role_allow_delete = false
group_allow_create = false
group_allow_update = false
group_allow_delete = false

Keystone is installed on the controller Blade which host glance, neutron, ceilometer and the dashboard. I use OpenStack Liberty on CentOS 7.

Openstack-keystone is at version 1.7.2

So is it a bug, a config issue? Any help, any suggestion are welcome.

Thank you ... (more)

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2016-07-07 10:53:45 -0500

crd-u gravatar image

This may not help you immediately because it appears to be something that was added in Mitaka but see the group_members_are_ids option in keystone.conf:

# If the members of the group objectclass are user IDs rather than DNs, set
# this to true. This is the case when using posixGroup as the group objectclass
# and OpenDirectory. (boolean value)
#group_members_are_ids = false

I had the same problem as you and this option fixed that for me.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2016-02-16 02:04:22 -0500

Seen: 430 times

Last updated: Feb 16 '16