OpenStack Keystone Authentication using Active Directory (AD)
A previous blog gave an overview of how to configure Keystone with LDAP. Microsoft Active Directory (AD) is another very popular directory service for many enterprises. This article gives an overview of how to configure Keystone authentication using an Active Directory backend.
How to Integrate an AD Backend in Keystone
Microsoft Active Directory (AD) is based on the LDAP protocol. AD is largely a directory for Windows users, devices, and applications. It requires a Microsoft Domain Controller so that users are able to single sign-on to resources that live within the domain structure.
Here’s a sample tree for users, tenants and roles in the AD configuration:
[code lang="bash"]Users (OU=Users)
  AdminUser
    @id
    @name
    @mail
  DevUser
    @id
    @name
    @mail
Tenants (OU=Tenants)
  DevTenant
    @id
    @name
    @description
    member(AdminUser, DevUser)
    AdminRole
      roleOccupant(AdminUser)
    MemberRole
      roleOccupant(DevUser)
Roles (OU=Roles)
  AdminRole
    @id
    @name
  MemberRole
    @id
    @name[/code]
To integrate AD with Keystone, the AD schema must allow groupOfNames as a possible superior of the organizationalRole object class, so that role entries can be created under the tenant groups as in the tree above. In the schema's attribute editor, open CN=Organizational-Role, edit possSuperiors and add groupOfNames to its values.
Update the [ldap] section in the keystone.conf file:
[code lang="bash"][ldap]
url = ldap://dc.pf9.com
user = CN=ldap,OU=Users,DC=pf9,DC=com
password = nonobviouspassword
use_dumb_member = True
dumb_member = CN=ldap,OU=Users,DC=pf9,DC=com
user_tree_dn = OU=Users,DC=pf9,DC=com
user_objectclass = person
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False
tenant_tree_dn = OU=Tenants,DC=pf9,DC=com
tenant_filter =
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore =
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
role_tree_dn = OU=Roles,DC=pf9,DC=com
role_filter =
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =
role_allow_create = True
role_allow_update = True
role_allow_delete = True[/code]
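To see what this mapping actually does at query time, here is an added worked example (not Keystone's own code, and not from the original post). It reads the relevant keys of the [ldap] section above, reproduced as a constructed string; applies the user_enabled_mask rule to AD userAccountControl values; builds the LDAP search filters that the user (person/cn), tenant (groupOfNames/member) and role (organizationalRole/roleOccupant) mapping implies, with RFC 4515 escaping of the looked-up name; and flags that the sample binds over plain ldap:// without the use_tls option. The function names and the directory values it checks are this example's own.

```python
"""Work through the AD-backed [ldap] mapping from the sample keystone.conf.

Added example, not Keystone's own code. The SAMPLE_CONF string is a
constructed copy of the keys used here; all directory values are made up.
"""
import configparser

SAMPLE_CONF = """\
[ldap]
url = ldap://dc.pf9.com
user = CN=ldap,OU=Users,DC=pf9,DC=com
password = nonobviouspassword
user_tree_dn = OU=Users,DC=pf9,DC=com
user_objectclass = person
user_id_attribute = cn
user_name_attribute = cn
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
tenant_tree_dn = OU=Tenants,DC=pf9,DC=com
tenant_objectclass = groupOfNames
tenant_member_attribute = member
role_tree_dn = OU=Roles,DC=pf9,DC=com
role_objectclass = organizationalRole
role_member_attribute = roleOccupant
"""


def load_ldap_section(text=SAMPLE_CONF):
    """Parse an INI-style keystone.conf and return its [ldap] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser["ldap"]


def is_enabled(uac_value, cfg):
    """Apply the user_enabled_mask rule to an AD userAccountControl value.

    With mask 2 (the ACCOUNTDISABLE flag) the account counts as enabled unless
    that bit is set; other flags in the value (e.g. 0x10000, don't-expire-
    password) do not affect the decision. user_enabled_default = 512 is the
    NORMAL_ACCOUNT flag, i.e. the value a plain enabled account carries.
    """
    mask = int(cfg["user_enabled_mask"])
    return (int(uac_value) & mask) != mask


def escape_filter_value(value):
    """RFC 4515 escaping so a looked-up name cannot change the filter's shape."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' becomes '\2a'
        else:
            out.append(ch)
    return "".join(out)


def user_dn(cfg, name):
    """DN of a user entry under user_tree_dn, keyed by user_id_attribute."""
    attr = cfg["user_id_attribute"].upper()   # attribute types are case-insensitive
    return f"{attr}={name},{cfg['user_tree_dn']}"


def user_filter(cfg, name):
    """Filter for looking a user up by user_name_attribute in user_tree_dn."""
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg["user_objectclass"], cfg["user_name_attribute"],
        escape_filter_value(name))


def tenant_filter(cfg, member_dn):
    """Tenants are groupOfNames entries whose 'member' values are user DNs."""
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg["tenant_objectclass"], cfg["tenant_member_attribute"],
        escape_filter_value(member_dn))


def role_filter(cfg, member_dn):
    """Roles are organizationalRole entries whose 'roleOccupant' values are user DNs."""
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg["role_objectclass"], cfg["role_member_attribute"],
        escape_filter_value(member_dn))


def transport_findings(cfg):
    """Defender's check on how the bind and user passwords travel and are stored."""
    findings = []
    url = cfg["url"]
    use_tls = cfg.get("use_tls", "False").lower() == "true"
    if url.startswith("ldap://") and not use_tls:
        findings.append("url %s without use_tls: bind credentials and user passwords "
                        "cross the network unencrypted; use ldaps:// or use_tls = True" % url)
    if cfg.get("password"):
        findings.append("bind password is stored in keystone.conf; restrict the file's permissions")
    return findings


if __name__ == "__main__":
    cfg = load_ldap_section()
    for uac in (512, 514, 66048, 66050):
        print(uac, "enabled" if is_enabled(uac, cfg) else "disabled")
    dn = user_dn(cfg, "AdminUser")
    print(user_filter(cfg, "AdminUser"))
    print(tenant_filter(cfg, dn))
    print(role_filter(cfg, dn))
    for finding in transport_findings(cfg):
        print("WARNING:", finding)
```

Run as a script it lists, for each sample userAccountControl value, whether the mask rule treats the account as enabled, prints the three filters the mapping implies for AdminUser, and warns about the cleartext ldap:// bind and the stored bind password. The escaping in escape_filter_value is the check to keep in mind whenever a name from a login request is placed into an LDAP filter: an unescaped `*` or `)` would widen or break the search instead of matching a single entry.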
Summary
Keystone provides identity services, primarily authorization, for all OpenStack projects. It supports an LDAP backend for authentication, in addition to the default SQL backend. This is fairly straightforward to set up and works easily with the LDAP or AD services that enterprises already run.
See these blogs to configure Keystone with other popular Directory Services and SSO:
Keystone Authentication using LDAP
Keystone Authentication using ADFS
Configure Keystone Single Sign-on
Keystone Federation Setup