A previous blog gave an overview of how to configure Keystone with LDAP. Microsoft Active Directory (AD) is another very popular directory service in enterprises. This article gives an overview of how to configure Keystone authentication using an Active Directory backend.
How to Integrate an AD backend in Keystone
Microsoft Active Directory (AD) is based on the LDAP protocol, so Keystone can talk to it through its LDAP identity driver. AD is largely a directory for Windows users, devices, and applications. It is served by Microsoft Domain Controllers, which also give users single sign-on to resources that live within the domain structure. For this integration Keystone only needs to reach a domain controller over LDAP (TCP 389, or TCP 636 for LDAPS).
Here’s a sample tree for users, tenants and roles in the AD configuration:
Users (OU=Users)
    AdminUser    @id @name @mail
    DevUser      @id @name @mail
Tenants (OU=Tenants)
    DevTenant    @id @name @description   member(AdminUser, DevUser)
        AdminRole     roleOccupant(AdminUser)
        MemberRole    roleOccupant(DevUser)
Roles (OU=Roles)
    AdminRole    @id @name
    MemberRole   @id @name
In this layout each tenant is a groupOfNames entry, and the per-tenant role assignments (AdminRole, MemberRole) are organizationalRole entries stored directly beneath it. The default AD schema does not allow an organizationalRole to sit under a groupOfNames, so the organizationalRole object class must be changed to accept groupOfNames as a possible superior: in ADSI Edit open the Schema naming context, select CN=Organizational-Role, open the attribute editor, and add groupOfNames to the values of possSuperiors. This is a forest-wide schema change and requires membership in the Schema Admins group, so have it reviewed before applying it to a production forest.
Update the ldap section in the keystone.conf file
[ldap]
# Domain controller and the service account Keystone binds with.
# ldap:// is cleartext; prefer ldaps:// or use_tls = True with tls_cacertfile.
url = ldap://dc.pf9.com
user = CN=ldap,OU=Users,DC=pf9,DC=com
password = nonobviouspassword
use_dumb_member = True
dumb_member = CN=ldap,OU=Users,DC=pf9,DC=com

# Users: read-only from AD. userAccountControl bit 2 (ACCOUNTDISABLE) marks a
# disabled account; 512 (NORMAL_ACCOUNT) is the value for an enabled user.
user_tree_dn = OU=Users,DC=pf9,DC=com
user_objectclass = person
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Tenants: groupOfNames entries whose member attribute lists the users.
tenant_tree_dn = OU=Tenants,DC=pf9,DC=com
tenant_filter =
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore =
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

# Roles: organizationalRole entries; roleOccupant lists the assigned users.
role_tree_dn = OU=Roles,DC=pf9,DC=com
role_filter =
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =
role_allow_create = True
role_allow_update = True
role_allow_delete = True
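The configuration above is easy to get subtly wrong, and the user_enabled_mask setting in particular is worth understanding rather than copying. The following script is an added example, not code from the original post or from Keystone: it reads a [ldap] section with the standard library, applies user_enabled_mask to sample userAccountControl values the way Keystone does (a user is enabled unless every bit of the mask is set in the attribute), and lists the settings a security review of this file would question. The embedded SAMPLE_CONF is a constructed copy of the relevant lines from the configuration above; the finding texts and the objectGUID recommendation are the editor's, not Keystone defaults.

```python
# Added example (not from the original post or from Keystone itself): read a
# keystone.conf [ldap] section, evaluate userAccountControl the way Keystone's
# user_enabled_mask does, and flag settings a security review would question.
import configparser
from typing import Dict, List

# Constructed sample: the lines from this article's [ldap] section that the
# checks below look at.
SAMPLE_CONF = """\
[ldap]
url = ldap://dc.pf9.com
user = CN=ldap,OU=Users,DC=pf9,DC=com
password = nonobviouspassword
user_tree_dn = OU=Users,DC=pf9,DC=com
user_objectclass = person
user_id_attribute = cn
user_name_attribute = cn
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_allow_create = False
"""

# userAccountControl bits as documented by Microsoft.
UAC_ACCOUNTDISABLE = 0x0002        # the bit that user_enabled_mask = 2 selects
UAC_NORMAL_ACCOUNT = 0x0200        # 512, the value user_enabled_default names
UAC_DONT_EXPIRE_PASSWORD = 0x10000  # commonly set on service accounts


def load_ldap_section(conf_text: str) -> Dict[str, str]:
    """Return the [ldap] section as a plain dict (configparser lower-cases keys)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return dict(parser["ldap"])


def user_enabled(uac_value: int, mask: int) -> bool:
    """Keystone's mask semantics: the user is enabled unless every bit of
    user_enabled_mask is set in the attribute value."""
    return (uac_value & mask) != mask


def audit_ldap_section(conf: Dict[str, str]) -> List[str]:
    """Return human-readable findings for weak or inconsistent settings.
    The checks and wording are this example's, not Keystone's own validation."""
    findings: List[str] = []
    url = conf.get("url", "")
    use_tls = conf.get("use_tls", "false").lower() == "true"
    if url.startswith("ldap://") and not use_tls:
        findings.append("cleartext LDAP: the bind password and user attributes cross "
                        "the network unencrypted; use ldaps:// or use_tls = True")
    if use_tls and not conf.get("tls_cacertfile"):
        findings.append("use_tls without tls_cacertfile: the domain controller's "
                        "certificate is not verified")
    if conf.get("password"):
        findings.append("bind password is stored in keystone.conf: keep the file "
                        "readable only by the keystone service user")
    if (conf.get("user_enabled_attribute") == "userAccountControl"
            and conf.get("user_enabled_mask") != str(UAC_ACCOUNTDISABLE)):
        findings.append("userAccountControl is a bit field: set user_enabled_mask = 2 "
                        "(ACCOUNTDISABLE) so Keystone tests that bit, not the whole value")
    if conf.get("user_id_attribute") == "cn":
        findings.append("cn changes when the AD object is renamed; an immutable "
                        "attribute such as objectGUID is safer for user_id_attribute")
    # Keystone defaults these to True, so a missing key counts as writable.
    for flag in ("user_allow_create", "user_allow_update", "user_allow_delete"):
        if conf.get(flag, "true").lower() == "true":
            findings.append(f"{flag} is True: Keystone's bind account can modify AD; "
                            "set it to False for a read-only integration")
    return findings


if __name__ == "__main__":
    conf = load_ldap_section(SAMPLE_CONF)
    mask = int(conf["user_enabled_mask"])
    for value in (UAC_NORMAL_ACCOUNT,
                  UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE,
                  UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD):
        print(f"userAccountControl={value:#07x} enabled={user_enabled(value, mask)}")
    for finding in audit_ldap_section(conf):
        print("finding:", finding)
```

Run against the article's values the script reports the cleartext ldap:// URL, the password in the file, the mutable cn identifier and the two user_allow_* flags that were left at their default of True, and confirms that 514 (NORMAL_ACCOUNT plus ACCOUNTDISABLE) is treated as disabled while 66048 (NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD) is not.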
Keystone provides identity services for all OpenStack projects: it authenticates users, issues tokens, and records the role assignments other services use for authorization. In addition to the default SQL backend it supports an LDAP backend, which is straightforward to set up and works with the LDAP or AD services enterprises already run. Two caveats before copying the configuration above. First, bind over ldaps:// or set use_tls = True together with tls_cacertfile instead of the cleartext ldap:// shown, so the bind password and user attributes are not sent across the network in the clear. Second, the tenant_* and role_* options apply to older Keystone releases, where tenants and roles could be stored in LDAP; later releases renamed the tenant_* options to project_* and removed the LDAP assignment backend, so on a current Keystone only the user settings above are used and projects and role assignments stay in SQL.
See these blogs to configure Keystone with other popular Directory Services and SSO:
Keystone Authentication using LDAP
Keystone Authentication using ADFS
Configure Keystone Single Sign-on
Keystone Federation Setup