Platform9 Blog

OpenStack Keystone Authentication using Active Directory (AD)

A previous blog gave an overview of how to configure Keystone with LDAP. Microsoft Active Directory (AD) is another very popular directory service for many enterprises. This article gives an overview of how to configure Keystone authentication using Active Directory backend.

How to Integrate a AD backend in Keystone

Microsoft Active Directory (AD) is based on the LDAP protocol. AD is largely a directory for Windows users, devices, and applications. It requires a Microsoft Domain Controller so that users are able to single sign-on to resources that live within the domain structure.

Here’s a sample tree for users, tenants and roles in the AD configuration:

Users (OU=Users)

Tenants (OU=Tenants)
member(AdminUser, DevUser)

Roles (OU=Roles)

To integrate AD with Keystone, the configuration on the attribute organizationalRole must allow groupOfNames as a possible superior. For  CN=Organizational-Role, in attribute editor, edit possSuperior and add groupOfNames in the values.

Update the ldap section in the keystone.conf file

url = ldap://
user = CN=ldap,OU=Users,DC=pf9,DC=com
password = nonobviouspassword
use_dumb_member = True
dumb_member = CN=ldap,OU=Users,DC=pf9,DC=com
user_tree_dn = OU=Users,DC=pf9,DC=com
user_objectclass = person
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask  = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants

user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_tree_dn  = OU=Tenants,DC=pf9,DC=com
tenant_filter  =
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute  = member
tenant_name_attribute  = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore  =

tenant_allow_create  = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = OU=Roles,DC=pf9,DC=com
role_filter =
role_objectclass = organizationalRole
role_id_attribute  = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =

role_allow_create = True
role_allow_update = True
role_allow_delete = True


Keystone provides identity services, primarily authorization, for all OpenStack projects. It supports LDAP backend for authentication, in addition to the default SQL backend. This is fairly straightforward to setup and works easily with the existing LDAP or AD services in enterprises. 

See these blogs to configure Keystone with other popular Directory Services and SSO:
Keystone Authentication using LDAP
Keystone Authentication using ADFS
Configure Keystone Single Sign-on
Keystone Federation Setup


You may also enjoy

Migrating Off AWS: How to Move Production from AWS to Enterprise Data Centers Running OpenStack and Kubernetes

By Cody Hill

Harnessing Public Cloud model for Private and Edge Clouds

By Kamesh Pemmaraju

The browser you are using is outdated. For the best experience please download or update your browser to one of the following: