How to rightly configure OpenLDAP for Openstack Kilo

asked 2016-06-17 07:58:47 -0500

georgejosephdavis

updated 2016-06-19 23:09:02 -0500

I have created a basic LDIF configuration on the OpenLDAP server; the config files are below. Question: Should the OpenStack services also be created under the "users" group? What about the tenants, should they be in a separate OU? P.S. I use Canonical OpenStack (OpenStack Kilo).

keystone.conf

[assignment]
# Kilo class path for the SQL assignment backend
# (keystone.identity.backends.sql.Identity is an identity driver, not an assignment driver)
driver = keystone.assignment.backends.sql.Assignment

[identity]
driver = keystone.identity.backends.ldap.Identity

[role]
# Kilo role backend lives under keystone.assignment.role_backends
driver = keystone.assignment.role_backends.sql.Role

[resource]
# Kilo resource (domain/project) backend
driver = keystone.resource.backends.sql.Resource

[ldap]
url = ldap://10.XX.XX.XX
user = cn=admin,dc=testlab,dc=com
password = cloud
suffix = dc=testlab,dc=com
query_scope = sub
use_dumb_member = false
allow_subtree_delete = False
user_tree_dn = ou=users,dc=testlab,dc=com
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = cn
user_description_attribute = displayName
user_allow_create = False
user_allow_update = False
user_allow_delete = False
# Only team 1 should have access to OpenStack.
# Comment kept on its own line so it cannot be read as part of the filter value.
# memberOf only exists if the OpenLDAP memberof overlay is loaded, and that overlay
# maintains it for DN-valued member attributes (groupOfNames/member), not for
# posixGroup memberUid, so this filter matches nothing against the posixGroup entries below.
user_filter = (memberof=cn=team1,ou=groups,dc=testlab,dc=com)

LDIF Export

# LDIF Export for dc=testlab,dc=com
# Server: My LDAP Server (testlab.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net)
# Version: 1.2.2
version: 1

# LDAP Server Domain configuration

# Entry 1: dc=testlab,dc=com
dn: dc=testlab,dc=com
dc: testlab
o: testlab
objectclass: top
objectclass: dcObject
objectclass: organization

# LDAP Admin User

# Entry 2: cn=admin,dc=testlab,dc=com
dn: cn=admin,dc=testlab,dc=com
cn: admin
description: LDAP administrator
objectclass: simpleSecurityObject
objectclass: organizationalRole
userpassword: {SSHA}###############################

# Groups OU

# Entry 3: ou=groups,dc=testlab,dc=com
dn: ou=groups,dc=testlab,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups

# Creation of Groups

# Entry 4: cn=team4,ou=groups,dc=testlab,dc=com
dn: cn=team4,ou=groups,dc=testlab,dc=com
# The RDN value (team4) must also be present as a cn value of the entry or slapd rejects it;
# cn is multi-valued, so the original dbaas value is kept alongside it
cn: team4
cn: dbaas
gidnumber: 503
memberuid: userTeam4
objectclass: posixGroup
objectclass: top

# Entry 5: cn=team5,ou=groups,dc=testlab,dc=com
dn: cn=team5,ou=groups,dc=testlab,dc=com
cn: team5
gidnumber: 500
objectclass: posixGroup
objectclass: top

# Entry 6: cn=team1,ou=groups,dc=testlab,dc=com
dn: cn=team1,ou=groups,dc=testlab,dc=com
cn: team1
gidnumber: 501
memberuid: userTeam1
objectclass: posixGroup
objectclass: top

# Entry 7: cn=team2,ou=groups,dc=testlab,dc=com
dn: cn=team2,ou=groups,dc=testlab,dc=com
cn: team2
gidnumber: 502
memberuid: userTeam2
objectclass: posixGroup
objectclass: top

# Entry 8: cn=services,ou=groups,dc=testlab,dc=com
dn: cn=services,ou=groups,dc=testlab,dc=com
cn: services
gidnumber: 504
objectclass: posixGroup
objectclass: top
# End of Groups

# Creation of Users OU

# Entry 9: ou=users,dc=testlab,dc=com
dn: ou=users,dc=testlab,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

# Adding new users to Users OU and linking to specific groups.

# Entry 10: cn=admin,ou=users,dc=testlab,dc=com
dn: cn=admin,ou=users,dc=testlab,dc=com
cn: admin
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin
uid: admin
uidnumber: 1013
# Stored verbatim as clear text: slapd hashes userpassword on add/modify only when the
# ppolicy overlay's hash_cleartext option is enabled (password-hash covers the Password Modify op only)
userpassword: cloud

# Entry 15: cn=userTeam1,ou=users,dc=testlab,dc=com
dn: cn=userTeam1,ou=users,dc=testlab,dc=com
cn ...
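As an added check (not part of the question, of Keystone, or of OpenLDAP), the following Python parses a constructed excerpt of the LDIF above and reports two things the posted setup depends on: entries whose RDN value is missing from the entry itself (entry 4 is cn=team4 but carries cn: dbaas), and which users under ou=users are memberUid of team1, which is the set the user_filter intends to select. The userTeam1 user entry is assumed from the posted memberuid, since the export is cut off before it.

```python
# Constructed excerpt mirroring the posted export; the userTeam1 entry is assumed from its memberuid.
SAMPLE_LDIF = """\
dn: cn=team4,ou=groups,dc=testlab,dc=com
cn: dbaas
memberuid: userTeam4
objectclass: posixGroup

dn: cn=team1,ou=groups,dc=testlab,dc=com
cn: team1
memberuid: userTeam1
objectclass: posixGroup

dn: cn=userTeam1,ou=users,dc=testlab,dc=com
cn: userTeam1
uid: userTeam1
objectclass: posixAccount
"""
USER_TREE_DN = "ou=users,dc=testlab,dc=com"         # user_tree_dn from keystone.conf
TEAM1_DN = "cn=team1,ou=groups,dc=testlab,dc=com"  # group named in user_filter


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; attribute names lowercased, '#' lines skipped."""
    entries, cur = [], None
    for line in (l for l in text.splitlines() + [""] if not l.startswith("#")):
        if not line.strip():                # a blank line terminates the entry
            if cur:
                entries.append(cur)
            cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = (value, {})
        elif cur:
            cur[1].setdefault(attr, []).append(value)
    return entries

def rdn_mismatches(entries):
    """DNs whose RDN value (team4 in cn=team4,...) is not a value of that attribute on the entry; slapd rejects these."""
    def rdn_ok(dn, attrs):
        attr, _, value = dn.split(",", 1)[0].partition("=")
        return value.lower() in {v.lower() for v in attrs.get(attr.lower(), [])}
    return [dn for dn, attrs in entries if not rdn_ok(dn, attrs)]

def team1_users(entries):
    """uids under user_tree_dn that are memberUid of team1, the set the posted user_filter intends."""
    members = set(dict(entries).get(TEAM1_DN, {}).get("memberuid", []))
    return sorted(u for dn, a in entries if dn.endswith("," + USER_TREE_DN)
                  for u in a.get("uid", []) if u in members)
```

Run against a full export (ldapsearch -LLL output works too, since it is LDIF) to see every group whose dn was renamed without updating cn before loading it with ldapadd.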