Revision history

How to configure OpenLDAP on Openstack Kilo

I have created an OpenLDAP server and have created a basic LDIF configuration. The config files are below.

keystone.conf

[assignment]
# Kilo class paths. keystone.identity.backends.sql.Identity is an identity
# driver, not an assignment, role or resource driver, so each SQL-backed
# section needs its own class.
driver = keystone.assignment.backends.sql.Assignment

[identity]
driver = keystone.identity.backends.ldap.Identity

[role]
driver = keystone.assignment.role_backends.sql.Role

[resource]
driver = keystone.resource.backends.sql.Resource

[ldap]
# Plain ldap:// sends the bind password and every lookup in clear; outside a
# lab use ldaps:// or use_tls = True with tls_cacertfile.
url = ldap://10.XX.XX.XX
# With user_allow_* = False Keystone only reads, so a read-only bind account
# is enough; binding as the directory administrator grants far more than needed.
user = cn=admin,dc=testlab,dc=com
password = cloud
suffix = dc=testlab,dc=com
query_scope = sub
use_dumb_member = false
allow_subtree_delete = False
user_tree_dn = ou=users,dc=testlab,dc=com
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = cn
user_description_attribute = displayName
user_allow_create = False
user_allow_update = False
user_allow_delete = False
# Keystone searches (&(objectClass=posixAccount)<user_filter>) under
# user_tree_dn. memberOf is filled in only by OpenLDAP's memberof overlay,
# and only from DN-valued membership (groupOfNames/member); the
# posixGroup/memberUid groups in the export never set it, and no cn=team
# group exists there, so this filter matches no user as written.
user_filter = (memberof=cn=team,ou=groups,dc=testlab,dc=com)

LDIF Export

# LDIF Export for dc=testlab,dc=com
# Server: My LDAP Server (testlab.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net)
# Version: 1.2.2
version: 1

# Entry 1: dc=testlab,dc=com
dn: dc=testlab,dc=com
dc: testlab
o: testlab
objectclass: top
objectclass: dcObject
objectclass: organization

# Entry 2: cn=admin,dc=testlab,dc=com
dn: cn=admin,dc=testlab,dc=com
cn: admin
description: LDAP administrator
objectclass: simpleSecurityObject
objectclass: organizationalRole
userpassword: {SSHA}e6h1pemWJULIgTqMLl4GLOTLeyqA/4k5

# Entry 3: ou=groups,dc=testlab,dc=com
dn: ou=groups,dc=testlab,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups

# Entry 4: cn=dbaas,ou=groups,dc=testlab,dc=com
dn: cn=dbaas,ou=groups,dc=testlab,dc=com
cn: dbaas
gidnumber: 503
memberuid: gdavis
memberuid: srath
memberuid: ksivasubramanian
memberuid: bsrinivasan
objectclass: posixGroup
objectclass: top

# Entry 5: cn=developers,ou=groups,dc=testlab,dc=com
dn: cn=developers,ou=groups,dc=testlab,dc=com
cn: developers
gidnumber: 500
objectclass: posixGroup
objectclass: top

# Entry 6: cn=iaas,ou=groups,dc=testlab,dc=com
dn: cn=iaas,ou=groups,dc=testlab,dc=com
cn: iaas
gidnumber: 501
memberuid: gdavis
memberuid: srath
memberuid: sganesh
memberuid: admin
objectclass: posixGroup
objectclass: top

# Entry 7: cn=paas,ou=groups,dc=testlab,dc=com
dn: cn=paas,ou=groups,dc=testlab,dc=com
cn: paas
gidnumber: 502
memberuid: pramasamy
memberuid: kkumar
memberuid: skumar
objectclass: posixGroup
objectclass: top

# Entry 8: cn=services,ou=groups,dc=testlab,dc=com
dn: cn=services,ou=groups,dc=testlab,dc=com
cn: services
gidnumber: 504
objectclass: posixGroup
objectclass: top

# Entry 9: ou=users,dc=testlab,dc=com
dn: ou=users,dc=testlab,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

# Every user entry below stores userpassword in clear (only the admin entry
# above is SSHA-hashed); the export shows exactly what the directory holds.

# Entry 10: cn=admin,ou=users,dc=testlab,dc=com
dn: cn=admin,ou=users,dc=testlab,dc=com
cn: admin
gidnumber: 504
givenname: Openstack
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin
uid: admin
uidnumber: 1013
userpassword: cloud

# Entry 11: cn=bsrinivasan,ou=users,dc=testlab,dc=com
dn: cn=bsrinivasan,ou=users,dc=testlab,dc=com
cn: bsrinivasan
gidnumber: 500
givenname: Balakrishnan
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Srinivasan
uid: bsrinivasan
uidnumber: 1007
userpassword: cloud

# Entry 12: cn=ceilometer,ou=users,dc=testlab,dc=com
dn: cn=ceilometer,ou=users,dc=testlab,dc=com
cn: ceilometer
gidnumber: 504
givenname: Openstack
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Ceilometer
uid: ceilometer
uidnumber: 1011
userpassword: cloud

# Entry 13: cn=cinder,ou=users,dc=testlab,dc=com
dn: cn=cinder,ou=users,dc=testlab,dc=com
cn: cinder
gidnumber: 504
givenname: Openstack
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Cinder
uid: cinder
uidnumber: 1016
userpassword: cloud

# Entry 14: cn=demo,ou=users,dc=testlab,dc=com
dn: cn=demo,ou=users,dc=testlab,dc=com
cn: demo
gidnumber: 504
givenname: Openstack
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Demo
uid: demo
uidnumber: 1015
userpassword: cloud

# Entry 15: cn=gdavis,ou=users,dc=testlab,dc=com
dn: cn=gdavis,ou=users,dc=testlab,dc=com
cn: gdavis
gidnumber: 500
givenname: George
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Davis
uid: gdavis
uidnumber: 1000
userpassword: cloud

# Entry 16: cn=glance,ou=users,dc=testlab,dc=com
dn: cn=glance,ou=users,dc=testlab,dc=com
cn: glance
gidnumber: 504
givenname: Openstack
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Glance
uid: glance
uidnumber: 1009
userpassword: cloud

# Entry 17: cn=heat,ou=users,dc=testlab,dc=com
dn: cn=heat,ou=users,dc=testlab,dc=com
cn: heat
gidnumber: 504
givenname: Openstack
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Heat
uid: heat
uidnumber: 1010
userpassword: cloud

# Entry 18: cn=kkumar,ou=users,dc=testlab,dc=com
dn: cn=kkumar,ou=users,dc=testlab,dc=com
cn: kkumar
gidnumber: 500
givenname: Kishore
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Kumar
uid: kkumar
uidnumber: 1004
userpassword: cloud

# Entry 19: cn=ksivasubramanian,ou=users,dc=testlab,dc=com
dn: cn=ksivasubramanian,ou=users,dc=testlab,dc=com
cn: ksivasubramanian
gidnumber: 500
givenname: Kiruthika
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Sivasubramanian
uid: ksivasubramanian
uidnumber: 1003
userpassword: cloud

# Entry 20: cn=neutron,ou=users,dc=testlab,dc=com
dn: cn=neutron,ou=users,dc=testlab,dc=com
cn: neutron
gidnumber: 504
givenname: Openstack
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Neutron
uid: neutron
uidnumber: 1012
userpassword: cloud

# Entry 21: cn=nova,ou=users,dc=testlab,dc=com
dn: cn=nova,ou=users,dc=testlab,dc=com
cn: nova
gidnumber: 504
givenname: Openstack
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Nova
uid: nova
uidnumber: 1008
userpassword: cloud

# Entry 22: cn=pramasamy,ou=users,dc=testlab,dc=com
dn: cn=pramasamy,ou=users,dc=testlab,dc=com
cn: pramasamy
gidnumber: 500
givenname: Parthiban
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Ramasamy
uid: pramasamy
uidnumber: 1002
userpassword: cloud

# Entry 23: cn=sganesh,ou=users,dc=testlab,dc=com
dn: cn=sganesh,ou=users,dc=testlab,dc=com
cn: sganesh
gidnumber: 500
givenname: Saravana
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Ganesh
uid: sganesh
uidnumber: 1006
userpassword: cloud

# Entry 24: cn=skumar,ou=users,dc=testlab,dc=com
dn: cn=skumar,ou=users,dc=testlab,dc=com
cn: skumar
gidnumber: 500
givenname: Senthil
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Kumar
uid: skumar
uidnumber: 1005
userpassword: cloud

# Entry 25: cn=srath,ou=users,dc=testlab,dc=com
dn: cn=srath,ou=users,dc=testlab,dc=com
cn: srath
gidnumber: 500
givenname: Snehasish
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Rath
uid: srath
uidnumber: 1001
userpassword: cloud

# Entry 26: cn=swift,ou=users,dc=testlab,dc=com
dn: cn=swift,ou=users,dc=testlab,dc=com
cn: swift
gidnumber: 504
givenname: Openstack
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Swift
uid: swift
uidnumber: 1014
userpassword: cloud

# Entry 27: cn=trove,ou=users,dc=testlab,dc=com
dn: cn=trove,ou=users,dc=testlab,dc=com
cn: trove
gidnumber: 504
givenname: Openstack
homedirectory: /home
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Trove
uid: trove
uidnumber: 1017
userpassword: cloud


How to configure OpenLDAP on Openstack Kilo

I have created an OpenLDAP server and have created a basic LDIF configuration. The config files are below.

Question: Should the services also be created under the "users" group? What about tenants?

I use Canonical OpenStack (OpenStack Kilo) with a configured DNS server and an LDAP server.

keystone.conf

[assignment]
# Kilo class paths. keystone.identity.backends.sql.Identity is an identity
# driver, not an assignment, role or resource driver, so each SQL-backed
# section needs its own class.
driver = keystone.assignment.backends.sql.Assignment

[identity]
driver = keystone.identity.backends.ldap.Identity

[role]
driver = keystone.assignment.role_backends.sql.Role

[resource]
driver = keystone.resource.backends.sql.Resource

[ldap]
# Plain ldap:// sends the bind password and every lookup in clear; outside a
# lab use ldaps:// or use_tls = True with tls_cacertfile.
url = ldap://10.XX.XX.XX
# With user_allow_* = False Keystone only reads, so a read-only bind account
# is enough; binding as the directory administrator grants far more than needed.
user = cn=admin,dc=testlab,dc=com
password = cloud
suffix = dc=testlab,dc=com
query_scope = sub
use_dumb_member = false
allow_subtree_delete = False
user_tree_dn = ou=users,dc=testlab,dc=com
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = cn
user_description_attribute = displayName
user_allow_create = False
user_allow_update = False
user_allow_delete = False
# Keystone searches (&(objectClass=posixAccount)<user_filter>) under
# user_tree_dn. memberOf is filled in only by OpenLDAP's memberof overlay,
# and only from DN-valued membership (groupOfNames/member); the
# posixGroup/memberUid groups in the export never set it, and no cn=team
# group exists there, so this filter matches no user as written.
user_filter = (memberof=cn=team,ou=groups,dc=testlab,dc=com)

LDIF Export

# LDIF Export for dc=testlab,dc=com
# Server: My LDAP Server (testlab.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net)
# Version: 1.2.2
version: 1

# LDAP Server Domain configuration

# Entry 1: dc=testlab,dc=com
dn: dc=testlab,dc=com
dc: testlab
o: testlab
objectclass: top
objectclass: dcObject
objectclass: organization

# LDAP Admin User

# Entry 2: cn=admin,dc=testlab,dc=com
dn: cn=admin,dc=testlab,dc=com
cn: admin
description: LDAP administrator
objectclass: simpleSecurityObject
objectclass: organizationalRole
userpassword: {SSHA}###############################

# Groups OU

# Entry 3: ou=groups,dc=testlab,dc=com
dn: ou=groups,dc=testlab,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups

# Creation of Groups

# Entry 4: cn=team4,ou=groups,dc=testlab,dc=com
dn: cn=team4,ou=groups,dc=testlab,dc=com
cn: dbaas
gidnumber: 503
memberuid: userTeam4
objectclass: posixGroup
objectclass: top

# Entry 5: cn=team5,ou=groups,dc=testlab,dc=com
dn: cn=team5,ou=groups,dc=testlab,dc=com
cn: team5
gidnumber: 500
objectclass: posixGroup
objectclass: top

# Entry 6: cn=team1,ou=groups,dc=testlab,dc=com
dn: cn=team1,ou=groups,dc=testlab,dc=com
cn: team1
gidnumber: 501
memberuid: userTeam1
objectclass: posixGroup
objectclass: top

# Entry 7: cn=team2,ou=groups,dc=testlab,dc=com
dn: cn=team2,ou=groups,dc=testlab,dc=com
cn: team2
gidnumber: 502
memberuid: userTeam2
objectclass: posixGroup
objectclass: top

# Entry 8: cn=services,ou=groups,dc=testlab,dc=com
dn: cn=services,ou=groups,dc=testlab,dc=com
cn: services
gidnumber: 504
objectclass: posixGroup
objectclass: top
#End of Groups

# Creation of Users OU

# Entry 9: ou=users,dc=testlab,dc=com
dn: ou=users,dc=testlab,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

# Adding new users to Users OU and linking to specific groups.

# Entry 10: cn=admin,ou=users,dc=testlab,dc=com
dn: cn=admin,ou=users,dc=testlab,dc=com
cn: admin
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin
uid: admin
uidnumber: 1013
userpassword: cloud

# Entry 15: cn=userTeam1,ou=users,dc=testlab,dc=com
dn: cn=userTeam1,ou=users,dc=testlab,dc=com
cn: userTeam1
gidnumber: 500
givenname: user
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Team1
uid: userTeam1
uidnumber: 1000
userpassword: cloud

# Entry 18: cn=userTeam2,ou=users,dc=testlab,dc=com
dn: cn=userTeam2,ou=users,dc=testlab,dc=com
cn: userTeam2
gidnumber: 500
givenname: user
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Team2
uid: userTeam2
uidnumber: 1004
userpassword: cloud

# Entry 19: cn=userTeam4,ou=users,dc=testlab,dc=com
dn: cn=userTeam4,ou=users,dc=testlab,dc=com
cn: userTeam4
gidnumber: 500
givenname: user
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Team4
uid: userTeam4
uidnumber: 1003
userpassword: cloud

# Creation of OpenStack service accounts as users.    

# Entry 12: cn=ceilometer,ou=users,dc=testlab,dc=com
dn: cn=ceilometer,ou=users,dc=testlab,dc=com
cn: ceilometer
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Ceilometer
uid: ceilometer
uidnumber: 1011
userpassword: cloud

# Entry 13: cn=cinder,ou=users,dc=testlab,dc=com
dn: cn=cinder,ou=users,dc=testlab,dc=com
cn: cinder
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Cinder
uid: cinder
uidnumber: 1016
userpassword: cloud

# Entry 14: cn=demo,ou=users,dc=testlab,dc=com
dn: cn=demo,ou=users,dc=testlab,dc=com
cn: demo
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Demo
uid: demo
uidnumber: 1015
userpassword: cloud

# Entry 15: cn=userTeam1,ou=users,dc=testlab,dc=com
dn: cn=userTeam1,ou=users,dc=testlab,dc=com
cn: userTeam1
gidnumber: 500
givenname: user
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Team1
uid: userTeam1
uidnumber: 1000
userpassword: cloud

# Entry 16: cn=glance,ou=users,dc=testlab,dc=com
dn: cn=glance,ou=users,dc=testlab,dc=com
cn: glance
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Glance
uid: glance
uidnumber: 1009
userpassword: cloud

# Entry 17: cn=heat,ou=users,dc=testlab,dc=com
dn: cn=heat,ou=users,dc=testlab,dc=com
cn: heat
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Heat
uid: heat
uidnumber: 1010
userpassword: cloud

# Entry 18: cn=userTeam2,ou=users,dc=testlab,dc=com
dn: cn=userTeam2,ou=users,dc=testlab,dc=com
cn: userTeam2
gidnumber: 500
givenname: user
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Team2
uid: userTeam2
uidnumber: 1004
userpassword: cloud

# Entry 19: cn=userTeam4,ou=users,dc=testlab,dc=com
dn: cn=userTeam4,ou=users,dc=testlab,dc=com
cn: userTeam4
gidnumber: 500
givenname: user
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Team4
uid: userTeam4
uidnumber: 1003
userpassword: cloud

# Entry 20: cn=neutron,ou=users,dc=testlab,dc=com
dn: cn=neutron,ou=users,dc=testlab,dc=com
cn: neutron
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Neutron
uid: neutron
uidnumber: 1012
userpassword: cloud

# Entry 21: cn=nova,ou=users,dc=testlab,dc=com
dn: cn=nova,ou=users,dc=testlab,dc=com
cn: nova
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Nova
uid: nova
uidnumber: 1008
userpassword: cloud       

# Entry 26: cn=swift,ou=users,dc=testlab,dc=com
dn: cn=swift,ou=users,dc=testlab,dc=com
cn: swift
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Swift
uid: swift
uidnumber: 1014
userpassword: cloud

# Entry 27: cn=trove,ou=users,dc=testlab,dc=com
dn: cn=trove,ou=users,dc=testlab,dc=com
cn: trove
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Trove
uid: trove
uidnumber: 1017
userpassword: cloud

How to configure OpenLDAP on Openstack Kilo

I have created an OpenLDAP server and have created a basic LDIF configuration on the OpenLDAP server. The config files are below.

Question: Should the OpenStack services also be created under the "users" group? What about the tenants, should they be in a separate OU?

P.S. I use Canonical OpenStack (OpenStack Kilo).

keystone.conf

[assignment]
# Kilo class paths. keystone.identity.backends.sql.Identity is an identity
# driver, not an assignment, role or resource driver, so each SQL-backed
# section needs its own class.
driver = keystone.assignment.backends.sql.Assignment

[identity]
driver = keystone.identity.backends.ldap.Identity

[role]
driver = keystone.assignment.role_backends.sql.Role

[resource]
driver = keystone.resource.backends.sql.Resource

[ldap]
# Plain ldap:// sends the bind password and every lookup in clear; outside a
# lab use ldaps:// or use_tls = True with tls_cacertfile.
url = ldap://10.XX.XX.XX
# With user_allow_* = False Keystone only reads, so a read-only bind account
# is enough; binding as the directory administrator grants far more than needed.
user = cn=admin,dc=testlab,dc=com
password = cloud
suffix = dc=testlab,dc=com
query_scope = sub
use_dumb_member = false
allow_subtree_delete = False
user_tree_dn = ou=users,dc=testlab,dc=com
user_objectclass = posixAccount
user_id_attribute = uid
user_name_attribute = cn
user_description_attribute = displayName
user_allow_create = False
user_allow_update = False
user_allow_delete = False
# Keystone searches (&(objectClass=posixAccount)<user_filter>) under
# user_tree_dn. memberOf is filled in only by OpenLDAP's memberof overlay,
# and only from DN-valued membership (groupOfNames/member); the
# posixGroup/memberUid groups in the export never set it, so this filter
# matches no user as written.
# Only team 1 should have access to OpenStack.
user_filter = (memberof=cn=team1,ou=groups,dc=testlab,dc=com)

LDIF Export

# LDIF Export for dc=testlab,dc=com
# Server: My LDAP Server (testlab.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net)
# Version: 1.2.2
version: 1

# LDAP Server Domain configuration

# Entry 1: dc=testlab,dc=com
dn: dc=testlab,dc=com
dc: testlab
o: testlab
objectclass: top
objectclass: dcObject
objectclass: organization

# LDAP Admin User

# Entry 2: cn=admin,dc=testlab,dc=com
dn: cn=admin,dc=testlab,dc=com
cn: admin
description: LDAP administrator
objectclass: simpleSecurityObject
objectclass: organizationalRole
userpassword: {SSHA}###############################

# Groups OU

# Entry 3: ou=groups,dc=testlab,dc=com
dn: ou=groups,dc=testlab,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups

# Creation of Groups

# Entry 4: cn=team4,ou=groups,dc=testlab,dc=com
dn: cn=team4,ou=groups,dc=testlab,dc=com
cn: dbaas
gidnumber: 503
memberuid: userTeam4
objectclass: posixGroup
objectclass: top

# Entry 5: cn=team5,ou=groups,dc=testlab,dc=com
dn: cn=team5,ou=groups,dc=testlab,dc=com
cn: team5
gidnumber: 500
objectclass: posixGroup
objectclass: top

# Entry 6: cn=team1,ou=groups,dc=testlab,dc=com
dn: cn=team1,ou=groups,dc=testlab,dc=com
cn: team1
gidnumber: 501
memberuid: userTeam1
objectclass: posixGroup
objectclass: top

# Entry 7: cn=team2,ou=groups,dc=testlab,dc=com
dn: cn=team2,ou=groups,dc=testlab,dc=com
cn: team2
gidnumber: 502
memberuid: userTeam2
objectclass: posixGroup
objectclass: top

# Entry 8: cn=services,ou=groups,dc=testlab,dc=com
dn: cn=services,ou=groups,dc=testlab,dc=com
cn: services
gidnumber: 504
objectclass: posixGroup
objectclass: top
#End of Groups

# Creation of Users OU

# Entry 9: ou=users,dc=testlab,dc=com
dn: ou=users,dc=testlab,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

# Adding new users to Users OU and linking to specific groups.

# Entry 10: cn=admin,ou=users,dc=testlab,dc=com
dn: cn=admin,ou=users,dc=testlab,dc=com
cn: admin
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin
uid: admin
uidnumber: 1013
userpassword: cloud

# Entry 15: cn=userTeam1,ou=users,dc=testlab,dc=com
dn: cn=userTeam1,ou=users,dc=testlab,dc=com
cn: userTeam1
gidnumber: 500
givenname: user
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Team1
uid: userTeam1
uidnumber: 1000
userpassword: cloud

# Entry 18: cn=userTeam2,ou=users,dc=testlab,dc=com
dn: cn=userTeam2,ou=users,dc=testlab,dc=com
cn: userTeam2
gidnumber: 500
givenname: user
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Team2
uid: userTeam2
uidnumber: 1004
userpassword: cloud

# Entry 19: cn=userTeam4,ou=users,dc=testlab,dc=com
dn: cn=userTeam4,ou=users,dc=testlab,dc=com
cn: userTeam4
gidnumber: 500
givenname: user
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Team4
uid: userTeam4
uidnumber: 1003
userpassword: cloud

# Creation of OpenStack service accounts as users.    

# Entry 12: cn=ceilometer,ou=users,dc=testlab,dc=com
dn: cn=ceilometer,ou=users,dc=testlab,dc=com
cn: ceilometer
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Ceilometer
uid: ceilometer
uidnumber: 1011
userpassword: cloud

# Entry 13: cn=cinder,ou=users,dc=testlab,dc=com
dn: cn=cinder,ou=users,dc=testlab,dc=com
cn: cinder
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Cinder
uid: cinder
uidnumber: 1016
userpassword: cloud

# Entry 14: cn=demo,ou=users,dc=testlab,dc=com
dn: cn=demo,ou=users,dc=testlab,dc=com
cn: demo
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Demo
uid: demo
uidnumber: 1015
userpassword: cloud

# Entry 16: cn=glance,ou=users,dc=testlab,dc=com
dn: cn=glance,ou=users,dc=testlab,dc=com
cn: glance
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Glance
uid: glance
uidnumber: 1009
userpassword: cloud

# Entry 17: cn=heat,ou=users,dc=testlab,dc=com
dn: cn=heat,ou=users,dc=testlab,dc=com
cn: heat
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Heat
uid: heat
uidnumber: 1010
userpassword: cloud

# Entry 20: cn=neutron,ou=users,dc=testlab,dc=com
dn: cn=neutron,ou=users,dc=testlab,dc=com
cn: neutron
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Neutron
uid: neutron
uidnumber: 1012
userpassword: cloud

# Entry 21: cn=nova,ou=users,dc=testlab,dc=com
dn: cn=nova,ou=users,dc=testlab,dc=com
cn: nova
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Nova
uid: nova
uidnumber: 1008
userpassword: cloud       

# Entry 26: cn=swift,ou=users,dc=testlab,dc=com
dn: cn=swift,ou=users,dc=testlab,dc=com
cn: swift
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Swift
uid: swift
uidnumber: 1014
userpassword: cloud

# Entry 27: cn=trove,ou=users,dc=testlab,dc=com
dn: cn=trove,ou=users,dc=testlab,dc=com
cn: trove
gidnumber: 504
givenname: Openstack
homedirectory: /home/
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Trove
uid: trove
uidnumber: 1017
userpassword: cloud
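The configuration above relies on a memberOf filter while the groups in the export are posixGroup entries with memberUid values. The following is an added example, not part of the question and not Keystone's own code: it reproduces offline the search that Keystone Kilo's LDAP identity driver builds from the [ldap] section (base user_tree_dn, scope query_scope, filter (&(objectClass=user_objectclass)user_filter)) and evaluates it against an LDIF export, so the effective user set can be checked before the identity backend is pointed at the directory. The SAMPLE_LDIF is a constructed, cut-down copy of the export; the filter evaluator handles only equality, presence and &/|/! and approximates caseIgnoreMatch with a lower-case compare; uid_filter_for_group and cleartext_passwords are helper names assumed here.

```python
"""Offline dry run of the user search Keystone Kilo's LDAP identity driver
performs, evaluated against an LDIF export instead of a live directory.  Added
example for this page, not code from the question or from Keystone."""

# Constructed, cut-down copy of the export in the question (same DNs, fewer attributes).
SAMPLE_LDIF = """\
dn: cn=team1,ou=groups,dc=testlab,dc=com
memberuid: userTeam1
objectclass: posixGroup

dn: cn=userTeam1,ou=users,dc=testlab,dc=com
objectclass: inetOrgPerson
objectclass: posixAccount
uid: userTeam1
userpassword: cloud

dn: cn=nova,ou=users,dc=testlab,dc=com
objectclass: inetOrgPerson
objectclass: posixAccount
uid: nova
userpassword: cloud
"""

def parse_ldif(text):
    """LDIF -> list of {attr (lowercased): [values]}; comments and folded lines handled, base64 ('::') not."""
    lines = []
    for raw in text.splitlines():            # unfold continuation lines
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + ['']:                # trailing '' flushes the last entry
        if line.startswith('#'):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(':')
        if attr.strip().lower() != 'version':
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def parse_filter(text, pos=0):
    """RFC 4515 subset: (&...), (|...), (!...), (attr=value), (attr=*)."""
    if text[pos] != '(':
        raise ValueError('expected "(" at offset %d' % pos)
    pos += 1
    if text[pos] in '&|!':
        op, pos, subs = text[pos], pos + 1, []
        while text[pos] == '(':
            node, pos = parse_filter(text, pos)
            subs.append(node)
        if text[pos] != ')':
            raise ValueError('expected ")" at offset %d' % pos)
        return (op, subs), pos + 1
    end = text.index(')', pos)
    attr, _, value = text[pos:end].partition('=')
    return ('=', attr.strip().lower(), value), end + 1

def match(node, entry):
    """Evaluate a parsed filter; equality is case-insensitive (caseIgnoreMatch)."""
    if node[0] in '&|':
        return (all if node[0] == '&' else any)(match(n, entry) for n in node[1])
    if node[0] == '!':
        return not match(node[1][0], entry)
    values = entry.get(node[1], [])          # an absent attribute never matches
    return bool(values) if node[2] == '*' else any(v.lower() == node[2].lower() for v in values)

def in_scope(dn, base, scope):
    """'sub': base and every descendant; 'one': direct children of base only."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope == 'sub'
    return dn.endswith(',' + base) and (scope == 'sub' or ',' not in dn[:-len(base) - 1])

def keystone_user_search(entries, user_tree_dn, user_objectclass, user_filter, query_scope='sub'):
    """The search Keystone Kilo builds from [ldap]: (&(objectClass=<oc>)<user_filter>) under user_tree_dn."""
    node, _ = parse_filter('(&(objectClass=%s)%s)' % (user_objectclass, user_filter))
    return [e['dn'][0] for e in entries
            if in_scope(e['dn'][0], user_tree_dn, query_scope) and match(node, e)]

def uid_filter_for_group(entries, group_dn):
    """A user_filter that needs no memberOf overlay: OR of (uid=...) over the group's
    memberUid values.  Static: regenerate it and restart Keystone when membership changes."""
    group = next(e for e in entries if e['dn'][0].lower() == group_dn.lower())
    terms = ''.join('(uid=%s)' % u for u in group.get('memberuid', []))
    return '(|%s)' % terms if terms else '(!(objectClass=*))'

def cleartext_passwords(entries):
    """DNs whose userPassword has no {SCHEME} prefix; ldapadd stores those in clear."""
    return [e['dn'][0] for e in entries
            if any(not p.startswith('{') for p in e.get('userpassword', []))]

ENTRIES = parse_ldif(SAMPLE_LDIF)
USERS = 'ou=users,dc=testlab,dc=com'
TEAM1 = 'cn=team1,ou=groups,dc=testlab,dc=com'
```

Run against the export, keystone_user_search with the question's filter (memberof=cn=team1,...) returns an empty list, because nothing in a posixGroup/memberUid directory ever populates memberOf; the same call with an empty user_filter returns every posixAccount under ou=users, service accounts included. uid_filter_for_group turns the team1 membership into (|(uid=userTeam1)), which Keystone accepts as user_filter and which restricts the identity backend to that team without the overlay, at the cost of being static. The durable fix is to enable the memberof overlay and keep team membership in groupOfNames/member entries, whose DN values the overlay can reflect. cleartext_passwords lists every entry whose userPassword is stored unhashed, which here is every user in the export.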