Keystone is an OpenStack project that implements OpenStack’s identity API and provides authentication and authorization services to identify users of the OpenStack cloud. It also provides a catalog of all other deployed OpenStack services such as Nova, Neutron, Cinder and Glance. These services trust Keystone to create and manage user identities and credentials. For some enterprise deployments, Keystone may delegate the authentication task to an external service, such as LDAP or Microsoft Active Directory (AD). This article shows the basics of Keystone authentication using LDAP.
Keystone’s main purpose is authorization within an OpenStack deployment. It achieves this by issuing authorization tokens to authenticated users. The OpenStack identity service offers two mechanisms out of the box for authentication:
- Username/password-based authentication – The identity service stores user credentials in its SQL database. Upon successful validation of the credentials, an access token is issued that must be sent with each subsequent request. By default, tokens expire after 24 hours, but this duration is configurable. This method is simple and works out of the box. However, it requires end users to create separate login credentials and does not lend itself to a federated model for authentication and authorization.
- LDAP-based authentication – Keystone can be configured to use LDAP as the authoritative source for authentication. Credential checks are delegated to the LDAP service, which accepts or rejects them. A token is generated on successful authentication. This method integrates with the authentication systems already in place at most enterprises: existing users can access resources and execute APIs in an OpenStack cloud without having to be provisioned with a new identity.
How to Integrate an LDAP Backend in Keystone
The first step is to configure Keystone to load the LDAP identity driver, which forwards authentication requests to an LDAP server and gets back a principal name, tenant and roles. To do that, the values in the [ldap] section of the file etc/keystone/keystone.conf are modified as follows.
- Enable the LDAP driver in keystone.conf:

  ```ini
  [identity]
  driver = keystone.identity.backends.ldap.Identity
  ```
- Define the destination LDAP server and the bind credentials Keystone uses to query it:

  ```ini
  [ldap]
  url = ldap://ldap.pf9.com
  user = dc=Manager,dc=pf9,dc=com
  password = nonobviouspassword
  suffix = dc=pf9,dc=com
  use_dumb_member = False
  allow_subtree_delete = False
  ```
- The LDAP directory has to contain the required organizational units (OUs) for users, tenants and roles. These are then referenced in keystone.conf:

  ```ini
  [ldap]
  user_tree_dn = ou=Users,dc=pf9,dc=com
  user_objectclass = inetOrgPerson
  tenant_tree_dn = ou=Groups,dc=pf9,dc=com
  tenant_objectclass = groupOfNames
  role_tree_dn = ou=Roles,dc=pf9,dc=com
  role_objectclass = organizationalRole
  ```
- As a best practice, Keystone should have read-only access to the directory, so disable every create/update/delete operation:

  ```ini
  [ldap]
  user_allow_create = False
  user_allow_update = False
  user_allow_delete = False
  tenant_allow_create = False
  tenant_allow_update = False
  tenant_allow_delete = False
  role_allow_create = False
  role_allow_update = False
  role_allow_delete = False
  ```
- To restrict the set of directory entries Keystone will consider, set LDAP search filters as desired (here only users belonging to a specific group are accepted; the tenant and role filters are left empty):

  ```ini
  [ldap]
  user_filter = (memberof=cn=devops-users,ou=workgroups,dc=pf9,dc=com)
  tenant_filter =
  role_filter =
  ```
The Keystone service needs to be restarted for the changes to become effective.
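As an added example that is not part of the original article and not Keystone's own code: the script below parses a keystone.conf-style text and checks it against the recommendations above, namely that the LDAP driver is selected, that all nine `*_allow_*` write flags are explicitly False (read-only integration), and that `user_filter` is not empty. It also flags a plain `ldap://` URL, a caveat the article does not raise, because the bind password in `[ldap]` crosses the network in cleartext unless TLS is negotiated on that connection. The sample configuration is constructed from the fragments above with two write flags deliberately left at True so the audit has something to report. The `effective_search_filter` helper ANDs each object class with its filter to show what the combined LDAP query looks like; that composition is an assumption made for illustration, not a reproduction of Keystone's internal query code.

```python
import configparser
from urllib.parse import urlsplit

LDAP_DRIVER = "keystone.identity.backends.ldap.Identity"

# Constructed sample, not a real deployment file: the [identity] and [ldap]
# fragments from the article assembled into one text, with user_allow_create
# and tenant_allow_delete deliberately set to True so the audit reports them.
SAMPLE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://ldap.pf9.com
user = dc=Manager,dc=pf9,dc=com
password = nonobviouspassword
suffix = dc=pf9,dc=com
use_dumb_member = False
allow_subtree_delete = False
user_tree_dn = ou=Users,dc=pf9,dc=com
user_objectclass = inetOrgPerson
tenant_tree_dn = ou=Groups,dc=pf9,dc=com
tenant_objectclass = groupOfNames
role_tree_dn = ou=Roles,dc=pf9,dc=com
role_objectclass = organizationalRole
user_allow_create = True
user_allow_update = False
user_allow_delete = False
tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = True
role_allow_create = False
role_allow_update = False
role_allow_delete = False
user_filter = (memberof=cn=devops-users,ou=workgroups,dc=pf9,dc=com)
tenant_filter =
role_filter =
"""

# Every flag that would let Keystone modify the directory; the article's
# best practice is to set all nine to False.
WRITE_FLAGS = [f"{obj}_allow_{op}"
               for obj in ("user", "tenant", "role")
               for op in ("create", "update", "delete")]


def load_conf(text):
    """Parse keystone.conf-style INI text. Interpolation is disabled so a
    '%' inside the bind password is taken literally."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_ldap_section(cp):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if cp.get("identity", "driver", fallback="") != LDAP_DRIVER:
        findings.append("identity.driver does not select the LDAP identity backend")
    if not cp.has_section("ldap"):
        findings.append("no [ldap] section present")
        return findings
    ldap = cp["ldap"]

    # Read-only integration: a write flag that is missing or not False is a finding,
    # since we do not rely on the driver's default for it.
    for flag in WRITE_FLAGS:
        if ldap.get(flag, "").strip().lower() != "false":
            findings.append(f"{flag} is not set to False; Keystone could write to the directory")

    # ldap:// without TLS sends the [ldap] bind password in cleartext.
    scheme = urlsplit(ldap.get("url", "")).scheme.lower()
    if scheme != "ldaps":
        findings.append(f"url scheme '{scheme}' is not ldaps; bind credentials cross the wire "
                        "in cleartext unless STARTTLS is negotiated on the connection")

    # An empty user_filter lets every entry under user_tree_dn with the right
    # objectclass authenticate.
    if not ldap.get("user_filter", "").strip():
        findings.append("user_filter is empty; the set of users allowed to authenticate is not restricted")
    return findings


def effective_search_filter(ldap, kind):
    """Illustrative composition (an assumption, not Keystone's code) of the
    objectclass and the optional filter for kind in {user, tenant, role}."""
    objectclass = ldap.get(f"{kind}_objectclass", "")
    extra = ldap.get(f"{kind}_filter", "").strip()
    base = f"(objectClass={objectclass})"
    return f"(&{base}{extra})" if extra else base


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    for finding in audit_ldap_section(conf):
        print("FINDING:", finding)
    for kind in ("user", "tenant", "role"):
        print(kind, "search filter:", effective_search_filter(conf["ldap"], kind))
```

Run against a real file by replacing `SAMPLE_CONF` with the contents of keystone.conf; the audit only reads the parsed text and never contacts the directory, so it is safe to run anywhere the file is readable.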
Keystone provides identity services, primarily authorization, for all OpenStack projects. It supports an LDAP backend for authentication in addition to the default SQL backend. This is fairly straightforward to set up and works with the LDAP or AD services that enterprises already run.
See these blogs to configure Keystone with other popular directory services and SSO:
- Keystone Authentication using ADFS
- Keystone Authentication using AD
- Configure Keystone Single Sign-on
- Keystone Federation Setup
Note: LDAP integration with Keystone is currently not supported in Platform9 Managed OpenStack.