Hi, I’m having a bit of fun trying to use AD for identifying and authorising users on OpenStack. The idea is to use AD for read-only access to user/group definitions, but for all authorisation data to be stored in SQL.
What works: users can be authenticated (the LDAP bind works, verification of the user), but not yet authorised – one gets "You are not authorized for any projects or domains" after authentication (integration of groups). On the command line with ldapsearch, users and groups can be listed (so the attributes configured should be ok?).

Problems when testing with Horizon:
- Login via LDAP fails on authorisation.
- If logged in as admin in the default (SQL) domain, the LDAP domain can be viewed at /horizon/identity/domains/ but users and groups cannot be managed: “Unable to retrieve group list”, “Unable to retrieve user list”. This may also be because the AD contains about 20’000 users (too much data for the user/group management screen).

The /etc/keystone/domains/keystone.example.com is as follows.

[ldap]
user_enabled_attribute=userAccountControl
query_scope=sub
user_filter=
group_allow_delete=False
page_size=0
use_tls=False
password=NOT_HERE
user_allow_update=False
user_id_attribute=cn
user_enabled_mask=2
suffix= dc=example,dc=com
user_enabled_default=512
group_allow_update=False
user_name_attribute=sAMAccountName
chase_referrals=False
group_allow_create=False
user_allow_delete=False
group_name_attribute=cn
group_filter=
group_member_attribute=member
group_tree_dn=dc=example,dc=com
group_objectclass = group
group_desc_attribute=
group_id_attribute=
user_pass_attribute=userPassword
user=cn=my-service-user
user_allow_create=False
user_tree_dn=dc=example,dc=com
url=ldap://ldap.example.com
user_objectclass=person

[identity]
driver=keystone.identity.backends.ldap.Identity

Debugging for LDAP was enabled to see the LDAP binds/queries being sent out.

Versions: keystone –version shows 2.3 Mitaka (with the initial install done by Fuel).

Resources consulted so far:
http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
http://docs.openstack.org/admin-guide/keystone_integrate_with_ldap.html
Book: OpenStack production recipes.
Also: https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow but got confused there.

Questions:
- Are there any good resources out there for AD integration? E.g. how do users/groups/roles work within an LDAP context?
- Or tips on the above?
- How can one assign users from LDAP to the _member_ or admin groups to get started?

Thanks in advance,
Sean

Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
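A small config lint for the posted [ldap] section, added here as an example and not part of the original post or of keystone itself. It reads a copy of the section (password removed) with the standard configparser and flags the settings that weaken or break the AD integration described above; the finding codes, the 1000-entry AD page limit and the assumption that an explicitly empty group_id_attribute contributes to the group-list failure are mine.

```python
import configparser
from typing import List

AD_MAX_PAGE_SIZE = 1000  # Active Directory's default MaxPageSize LDAP policy

# Constructed sample: the [ldap] keys relevant to the checks, taken from the post.
SAMPLE_CONFIG = """
[ldap]
url=ldap://ldap.example.com
use_tls=False
page_size=0
user_id_attribute=cn
user_name_attribute=sAMAccountName
user_enabled_attribute=userAccountControl
user_enabled_mask=2
user_enabled_default=512
group_id_attribute=
group_name_attribute=cn
group_member_attribute=member
"""


def lint_ldap_section(text: str, directory_size: int) -> List[str]:
    """Return finding codes for the [ldap] section; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    ldap = cp["ldap"]
    findings = []
    # 1. ldap:// without STARTTLS: the service bind password and every password
    #    a user types at login cross the network in cleartext.
    if ldap.get("url", "").startswith("ldap://") and not ldap.getboolean("use_tls", fallback=False):
        findings.append("PLAINTEXT_BIND")
    # 2. page_size=0 disables paged results; AD will not return more than
    #    MaxPageSize entries to an unpaged search, so listing 20'000 users fails.
    if ldap.getint("page_size", fallback=0) == 0 and directory_size > AD_MAX_PAGE_SIZE:
        findings.append("UNPAGED_LARGE_DIRECTORY")
    # 3. An explicitly empty group_id_attribute replaces the driver default with ""
    #    (assumption: this is part of why the group list cannot be retrieved).
    if "group_id_attribute" in ldap and ldap["group_id_attribute"].strip() == "":
        findings.append("EMPTY_GROUP_ID_ATTR")
    # 4. userAccountControl is a bit field; the enabled check needs a non-zero mask
    #    (bit 2 = ACCOUNTDISABLE, 512 = normal enabled account). The post's 2/512 is fine.
    if ldap.get("user_enabled_attribute") == "userAccountControl" and ldap.getint("user_enabled_mask", fallback=0) == 0:
        findings.append("UAC_MASK_UNSET")
    return findings


if __name__ == "__main__":
    for code in lint_ldap_section(SAMPLE_CONFIG, directory_size=20000):
        print(code)
```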