How to check OpenStack Keystone LDAP working ?

Hi everyone,

I set up an LDAP server and an OpenStack server on different machines. When I send an ldapsearch from the OpenStack server to the LDAP server it works (ldapsearch -x -LLL -h X.X.X.X -D cn=admin,dc=ldap,dc=example,dc=org -w XXXX -b dc=ldap,dc=example,dc=org). But when I change keystone.conf as described at https://docs.openstack.org/admin-guide/identity-integrate-with-ldap.html and run openstack user list, it gives an error like: The request you have made requires authentication. (HTTP 401)
But if I remove the driver = ldap line, everything works correctly. Also, I could not run the setsebool -P authlogin_nsswitch_use_ldap on command because our server is Ubuntu. Finally, my keystone.conf looks like below:

[ldap]
url = ldap://X.X.X.X
user = cn=admin,dc=ldap,dc=example,dc=org
password = XXXX
suffix = dc=ldap,dc=example,dc=org
user_tree_dn = ou=People,dc=ldap,dc=example,dc=org
user_objectclass = organizationalUnit
group_tree_dn = Groups,dc=ldap,dc=example,dc=org
group_objectclass = organizationalUnit
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False

Output of ldapsearch -x:

dn: dc=ldap,dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: ldap

dn: cn=admin,dc=ldap,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=People,dc=ldap,dc=example,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=ldap,dc=example,dc=org
objectClass: organizationalUnit
ou: Groups
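An added diagnostic, not from the question or from Keystone itself: it reads the [ldap] section and the ldapsearch output as text and flags values that can never resolve to user or group entries (a tree DN that is not a valid DN, a tree DN the search did not return, an objectclass that names a container). Both samples are constructed from the post; the set of container classes is an assumption chosen for this check.

```python
import configparser

# Constructed from the question: the [ldap] values exactly as posted.
KEYSTONE_CONF = """
[ldap]
suffix = dc=ldap,dc=example,dc=org
user_tree_dn = ou=People,dc=ldap,dc=example,dc=org
user_objectclass = organizationalUnit
group_tree_dn = Groups,dc=ldap,dc=example,dc=org
group_objectclass = organizationalUnit
"""

# Constructed from the question: the relevant entries of the ldapsearch -x output.
LDIF = """
dn: ou=People,dc=ldap,dc=example,dc=org
objectClass: organizationalUnit

dn: ou=Groups,dc=ldap,dc=example,dc=org
objectClass: organizationalUnit
"""

# Assumed list of structural classes that describe containers, never users or groups.
CONTAINER_CLASSES = {"organizationalunit", "organization", "dcobject", "top"}

def parse_ldif(text):
    """Map each DN in simple LDIF output to its lowercased objectClass set."""
    entries, dn = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key.lower() == "dn":
            dn = value.strip().lower()
            entries[dn] = set()
        elif key.lower() == "objectclass" and dn:
            entries[dn].add(value.strip().lower())
    return entries

def check_ldap_section(conf_text, ldif_text):
    """Return the config problems that would leave Keystone with no users or groups."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    ldap, tree, problems = cfg["ldap"], parse_ldif(ldif_text), []
    for kind in ("user", "group"):
        dn = ldap[f"{kind}_tree_dn"].strip()
        if any("=" not in rdn for rdn in dn.split(",")):  # e.g. "Groups,dc=..." lacks "ou="
            problems.append(f"{kind}_tree_dn is not a valid DN: {dn}")
        elif dn.lower() not in tree:
            problems.append(f"{kind}_tree_dn was not returned by ldapsearch: {dn}")
        oc = ldap[f"{kind}_objectclass"].strip().lower()
        if oc in CONTAINER_CLASSES:  # the filter would match the OU itself, not its members
            problems.append(f"{kind}_objectclass={oc} matches containers, not {kind} entries")
    return problems
```

Running it against the posted values reports three problems; with ou=Groups and a person class such as inetOrgPerson substituted, the list is empty.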