Liberty: Configure LDAP Active Directory back end for Keystone

I am attempting to set up an OpenStack platform that can query my company's Active Directory via LDAP to authenticate users.

I have set up my controller node through the installation of Keystone per the installation guide. I have service accounts set up in the default domain backed by the sql engine. I have an admin user and a demo user. I have an admin project and a demo project. I have user and admin roles set up.

I edited keystone.conf and enabled domain specific drivers and have set a domain config directory.

I restarted apache2 and ran openstack domain create --description "CorpNet Users" --enable corpnet.

I created /etc/keystone/domains/keystone.corpnet.conf. In it I think I set up LDAP parameters correctly, by using ldapsearch on the Linux command line to determine an appropriate LDAP server and other parameters for querying LDAP. The domain specific file looks like this:

[identity]
driver = ldap

[assignment]
driver = sql

[ldap]
url = ldap://DomainController.CorpSubDomain.CorpDomain.com
user = CN=MyUserName,OU=users,OU=CorporateOU1,OU=CorporateOU2,DC=CorpSubDomain,DC=CorpDomain,DC=com
#user = "myusername@CorpSubDomain.CorpDomain.com" #I have tried both user syntaxes with the same results
password = myPassword

user_tree_dn = OU=Users,OU=CorporateOU1,OU=CorporateOU2,DC=CorpSubDomain,DC=CorpDomain,DC=com
user_objectclass = person
#user_filter =
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
#user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants

user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = ou=Groups,DC=CorpSubDomain,DC=CorpDomain,DC=com
group_objectclass = groupOfNames
group_allow_create = False
group_allow_update = False
group_allow_delete = False

However, I'm not quite sure what to do next. Should all the LDAP users automatically be OpenStack users? If I run openstack user list I get The request you have made requires authentication. (HTTP 401)

If I run openstack user list --domain default I get a list of the users I created in the default domain.

If I run openstack user list --default --domain corpnet I get no output (but also get no error message).

If I attempt to use the default admin user to add my corpnet username as an admin of the admin project (openstack role add --domain corpnet --user MyUserName admin) I again get The request you have made requires authentication.

If I run openstack role add --domain <identifier> --user MyUserName admin as one answer suggested, I also get an error that authentication is required.

In /var/log/keystone/keystone-wsgi-admin.log, I see that the "The request you have made requires authentication" seems to always be preceded by "No domain information specified as part of list request." Yet I did specify the domain (didn't I?) in my list request.

As you can guess, I am not an administrator of the corporate AD infrastructure, so I have limited ability to troubleshoot from the LDAP server side.

It seems that I'm close to getting this working, but that I'm missing a key piece of the puzzle here. If anyone could suggest what my next step should be, or how to troubleshoot further, I'd appreciate it.

EDIT: I have the following variables exported in my environment: OS_PROJECT_DOMAIN_ID, OS_USER_DOMAIN_ID, OS_PROJECT_NAME, OS_IDENTITY_API_VERSION, OS_PASSWORD, OS_AUTH_URL, OS_TOKEN, OS_USERNAME, OS_TENANT_NAME. I did do testing both with and without the OS_TOKEN. API version is set to 3.
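As an added illustration (not part of the question and not Keystone's own code), the Python below reproduces two things the Liberty LDAP identity driver does with a domain config like the one above: the search filter it issues under user_tree_dn, and the userAccountControl mask test that decides which AD accounts are reported as enabled. The config text and directory entries are constructed placeholders, so it runs offline.

```python
import configparser

# Constructed stand-in for /etc/keystone/domains/keystone.<domain>.conf
# (placeholder host and DNs, not a real directory).
SAMPLE_CONF = """
[identity]
driver = ldap
[ldap]
url = ldap://dc.example.invalid
user_tree_dn = OU=Users,DC=example,DC=invalid
user_objectclass = person
user_id_attribute = cn
user_name_attribute = cn
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
"""

# Constructed entries, shaped like what ldapsearch returns for AD users.
SAMPLE_ENTRIES = [
    {"cn": "alice", "userAccountControl": "512"},    # NORMAL_ACCOUNT
    {"cn": "bob", "userAccountControl": "514"},      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"cn": "svc1", "userAccountControl": "66048"},   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    {"cn": "nouac"},                                 # attribute missing: default applies
]

def load_ldap_section(text):
    """Parse the [ldap] section; '#user_filter =' style lines are comments."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["ldap"])

def user_search_filter(ldap):
    """Filter Keystone sends for a user list: the objectclass term,
    ANDed with user_filter when one is configured."""
    base = "(objectClass=%s)" % ldap["user_objectclass"]
    extra = ldap.get("user_filter", "").strip()
    return "(&%s%s)" % (base, extra) if extra else base

def is_enabled(entry, ldap):
    """Keystone's mask rule: enabled unless all bits of user_enabled_mask
    are set in the attribute (user_enabled_default if it is absent)."""
    mask = int(ldap["user_enabled_mask"])
    value = int(entry.get(ldap["user_enabled_attribute"], ldap["user_enabled_default"]))
    return (value & mask) != mask

def enabled_users(entries, ldap):
    """Names Keystone would list as enabled for this domain."""
    return [e[ldap["user_name_attribute"]] for e in entries if is_enabled(e, ldap)]
```

The base DN and filter this produces are what to hand to ldapsearch, bound with the same user and password as the config, to see exactly the entries Keystone would see; if that bind or search returns nothing, the domain's user list will be empty too.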