Liberty: Configure LDAP Active Directory back end for Keystone
I am attempting to set up an OpenStack platform that can query my company's Active Directory via LDAP to authenticate users.
I have set up my controller node through the installation of Keystone per the installation guide. I have service accounts set up in the default domain backed by the sql engine. I have an admin user and a demo user. I have an admin project and a demo project. I have user and admin roles set up.
I edited keystone.conf and enabled domain specific drivers and have set a domain config directory.
I restarted apache2 and ran openstack domain create --description "CorpNet Users" --enable corpnet.
I created /etc/keystone/domains/keystone.corpnet.conf. In it I think I set up LDAP parameters correctly, by using ldapsearch on the Linux command line to determine an appropriate LDAP server and other parameters for querying LDAP. The domain specific file looks like this:
[identity]
driver = ldap
[assignment]
driver = sql
[ldap]
url = ldap://DomainController.CorpSubDomain.CorpDomain.com
user = CN=MyUserName,OU=users,OU=CorporateOU1,OU=CorporateOU2,DC=CorpSubDomain,DC=CorpDomain,DC=com
#user = "myusername@CorpSubDomain.CorpDomain.com" #I have tried both user syntaxes with the same results
password = myPassword
user_tree_dn = OU=Users,OU=CorporateOU1,OU=CorporateOU2,DC=CorpSubDomain,DC=CorpDomain,DC=com
user_objectclass = person
#user_filter =
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
#user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_tree_dn = ou=Groups,DC=CorpSubDomain,DC=CorpDomain,DC=com
group_objectclass = groupOfNames
group_allow_create = False
group_allow_update = False
group_allow_delete = False
However, I'm not quite sure what to do next. Should all the LDAP users automatically be OpenStack users? If I run openstack user list I get The request you have made requires authentication. (HTTP 401)
If I run openstack user list --domain default I get a list of the users I created in the default domain.
If I run openstack user list --domain corpnet I get no output (but also get no error message).
If I attempt to use the default admin user to add my corpnet username as an admin of the admin project (openstack role add --domain corpnet --user MyUserName admin) I again get The request you have made requires authentication.
If I run openstack role add --domain <identifier> --user MyUserName admin as one answer suggested, I also get an error that authentication is required.
In /var/log/keystone/keystone-wsgi-admin.log, I see that the "The request you have made requires authentication" seems to always be preceded by "No domain information specified as part of list request." Yet I did specify the domain (didn't I?) in my list request.
As you can guess, I am not an administrator of the corporate AD infrastructure, so I have limited ability to troubleshoot from the LDAP server side.
It seems that I'm close to getting this working, but that I'm missing a key piece of the puzzle here. If anyone could suggest what my next step should be, or how to troubleshoot further ...
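As an added example (not part of the post and not Keystone's own code), this Python script parses a domain config shaped like the one above, applies Keystone's user_enabled_mask rule to sample userAccountControl values, and flags the points a reviewer would raise about the [ldap] section. The sample config and its placeholder bind password are constructed; use_tls is the Keystone [ldap] option for STARTTLS.

```python
import configparser

# Constructed sample modelled on the domain config in the post; the bind password is a placeholder.
SAMPLE_CONF = """[identity]
driver = ldap
[assignment]
driver = sql
[ldap]
url = ldap://DomainController.CorpSubDomain.CorpDomain.com
user = CN=MyUserName,OU=users,OU=CorporateOU1,OU=CorporateOU2,DC=CorpSubDomain,DC=CorpDomain,DC=com
password = PLACEHOLDER_BIND_PASSWORD
user_tree_dn = OU=Users,OU=CorporateOU1,OU=CorporateOU2,DC=CorpSubDomain,DC=CorpDomain,DC=com
user_objectclass = person
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_allow_create = False
user_allow_update = False
user_allow_delete = False
"""

def load_ldap_section(text):
    """Parse a Keystone domain-specific config and return its [ldap] options as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["ldap"])

def user_enabled(uac_value, mask):
    """Keystone's mask rule: the account is enabled unless all mask bits are set.
    In AD, userAccountControl bit 0x2 is ACCOUNTDISABLE, so mask = 2 reads that flag."""
    return (int(uac_value) & mask) != mask

def audit(ldap):
    """Return the findings a reviewer would raise about this [ldap] section."""
    findings = []
    if ldap["url"].startswith("ldap://") and ldap.get("use_tls", "false").lower() != "true":
        findings.append("bind user and password travel in cleartext; use ldaps:// or use_tls = True")
    if ldap.get("user_enabled_attribute") == "userAccountControl" and ldap.get("user_enabled_mask") != "2":
        findings.append("userAccountControl needs user_enabled_mask = 2 to read the ACCOUNTDISABLE bit")
    # Keystone defaults these to True; a read-only bind should not be able to modify the directory.
    writes = [k for k in ("user_allow_create", "user_allow_update", "user_allow_delete")
              if ldap.get(k, "true").lower() != "false"]
    if writes:
        findings.append("Keystone can write to the directory via " + ", ".join(writes) + "; set them to False")
    return findings

if __name__ == "__main__":
    for finding in audit(load_ldap_section(SAMPLE_CONF)):
        print("FINDING:", finding)
```

With the posted settings the only finding is the cleartext ldap:// bind; a disabled AD account (userAccountControl 514) is reported as disabled, an enabled one (512) as enabled.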