1.5. Integrate Identity with LDAP

Identity Service supports integration with an existing LDAP directory for authentication and authorization services.
Important
For OpenStack Identity to access an LDAP back end, you must enable the authlogin_nsswitch_use_ldap boolean value for SELinux on the Identity server. To enable and make the option persistent across reboots:
# setsebool -P authlogin_nsswitch_use_ldap on
Note
You can integrate Identity with a single LDAP server.
To configure Identity, set options in the /etc/keystone/keystone.conf file. Modify these examples as needed.

Procedure 1.1. To integrate Identity with LDAP

  1. Enable the LDAP driver in the keystone.conf file:
    [identity]
    #driver = keystone.identity.backends.sql.Identity
    driver = keystone.identity.backends.ldap.Identity
  2. Define the destination LDAP server in the keystone.conf file:
    [ldap]
    url = ldap://localhost
    user = dc=Manager,dc=example,dc=org
    password = samplepassword
    suffix = dc=example,dc=org
    use_dumb_member = False
    allow_subtree_delete = False
  3. Create the organizational units (OU) in the LDAP directory, and define their corresponding location in the keystone.conf file:
    [ldap]
    user_tree_dn = ou=Users,dc=example,dc=org
    user_objectclass = inetOrgPerson
    
    tenant_tree_dn = ou=Groups,dc=example,dc=org
    tenant_objectclass = groupOfNames
    
    role_tree_dn = ou=Roles,dc=example,dc=org
    role_objectclass = organizationalRole
    Note
    These object class settings can be changed to match other schemas. For example, this entry maps users to the person object class in Active Directory:
    user_objectclass = person
  4. A read-only implementation is recommended for LDAP integration. These permissions are applied to object types in the keystone.conf file:
    [ldap]
    user_allow_create = False
    user_allow_update = False
    user_allow_delete = False
    
    tenant_allow_create = False
    tenant_allow_update = False
    tenant_allow_delete = False
    
    role_allow_create = False
    role_allow_update = False
    role_allow_delete = False
  5. Restart the Identity service:
    # service keystone restart
    Warning
    During service restart, authentication and authorization are unavailable.
Additional LDAP integration settings
Set these options in the keystone.conf file.
Filters
Use filters to control the scope of data presented through LDAP.
[ldap]
user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
tenant_filter =
role_filter =
LDAP Account Status
Use a mask to interpret the account status attribute of directory services that store it as a bit field. Accounts that should not be presented at all are excluded with user_filter.
For example, you can mask Active Directory account status attributes in the keystone.conf file:
[ldap]
user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512
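The following is an added illustration of how the three user_enabled_* settings above combine (it is not keystone's own code): the attribute is read as an integer, an account counts as enabled unless the mask bit is set, and a missing attribute falls back to user_enabled_default. The directory entries are constructed sample values, not real accounts.

```python
"""Evaluate LDAP account status as the user_enabled_* options above describe
it (Active Directory userAccountControl with mask 2, default 512).
Added illustration, not keystone's own code; the directory entries below
are constructed sample values, not real accounts."""

# Values from the keystone.conf fragment above.
USER_ENABLED_ATTRIBUTE = "userAccountControl"
USER_ENABLED_MASK = 2        # bit 0x2 = ACCOUNTDISABLE in Active Directory
USER_ENABLED_DEFAULT = 512   # 0x200 = NORMAL_ACCOUNT, used when the attribute is absent


def _status_value(entry):
    """Integer value of the status attribute, or the configured default."""
    raw = entry.get(USER_ENABLED_ATTRIBUTE)
    return int(raw) if raw is not None else USER_ENABLED_DEFAULT


def is_enabled(entry):
    """With a non-zero mask the attribute is a bit field: the account counts
    as enabled unless every bit of the mask is set."""
    return (_status_value(entry) & USER_ENABLED_MASK) != USER_ENABLED_MASK


def set_enabled(entry, enabled):
    """Value to write back when changing status.  Only the mask bit is
    touched, so other flags (for example 0x10000 DONT_EXPIRE_PASSWORD) are
    preserved.  Returns a new entry; the input is not modified."""
    value = _status_value(entry)
    value = value & ~USER_ENABLED_MASK if enabled else value | USER_ENABLED_MASK
    return {**entry, USER_ENABLED_ATTRIBUTE: str(value)}


# Constructed sample entries as an LDAP search might return them.
SAMPLE_ENTRIES = [
    {"cn": "alice", "userAccountControl": "512"},    # NORMAL_ACCOUNT
    {"cn": "bob", "userAccountControl": "514"},      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"cn": "svc", "userAccountControl": "66048"},    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    {"cn": "old", "userAccountControl": "66050"},    # same, plus ACCOUNTDISABLE
    {"cn": "noattr"},                                # no attribute: default 512 applies
]


def enabled_names(entries=SAMPLE_ENTRIES):
    """Names of the entries that would be reported as enabled."""
    return [e["cn"] for e in entries if is_enabled(e)]


if __name__ == "__main__":
    print(enabled_names())  # ['alice', 'svc', 'noattr']
```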

1.5.1. Separate role authorization and user authentication

When you configure the Identity service to use an LDAP back end, you can split authentication and authorization using the Assignments feature.
The Assignments feature enables administrators to manage project role authorization using the Identity service's own SQL database, while still providing user authentication through the LDAP directory.
To configure this:

Procedure 1.2. Separating role authorization and user authentication through Assignments

  1. Configure the Identity service to authenticate users through the LDAP driver. To do so, first find the [identity] section in the /etc/keystone/keystone.conf configuration file. Then, set the driver configuration key in that section to keystone.identity.backends.ldap.Identity:
    [identity]
    driver = keystone.identity.backends.ldap.Identity
  2. Next, enable the Assignment driver. To do so, find the [assignment] section in the /etc/keystone/keystone.conf configuration file. Then, set the driver configuration key in that section to keystone.assignment.backends.sql.Assignment:
    [assignment]
    driver = keystone.assignment.backends.sql.Assignment
Using openstack-config, you can configure both drivers by running the following commands instead:
# openstack-config --set /etc/keystone/keystone.conf \
 identity driver keystone.identity.backends.ldap.Identity
# openstack-config --set /etc/keystone/keystone.conf \
 assignment driver keystone.assignment.backends.sql.Assignment

1.5.2. Secure the OpenStack Identity service connection to an LDAP back end

The Identity service supports the use of TLS to encrypt LDAP traffic. Before configuring this, you must first verify where your certificate authority file is located. For more information, see Section 1.2, “Certificates for PKI”.
Once you verify the location of your certificate authority file:

Procedure 1.3. Configuring TLS encryption on LDAP traffic

  1. Open the /etc/keystone/keystone.conf configuration file.
  2. Find the [ldap] section.
  3. In the [ldap] section, set the use_tls configuration key to True. Doing so will enable TLS.
  4. Configure the Identity service to use your certificate authorities file. To do so, set the tls_cacertfile configuration key in the ldap section to the certificate authorities file's path.
    Note
    You can also set the tls_cacertdir (also in the ldap section) to the directory where all certificate authorities files are kept. If both tls_cacertfile and tls_cacertdir are set, then the latter will be ignored.
  5. Specify how strictly the Identity service checks the certificate presented by the LDAP server when the TLS session is established. To do so, set the tls_req_cert configuration key in the [ldap] section to demand, allow, or never:
    • demand: a certificate will always be requested from the LDAP server. The session will be terminated if no certificate is provided, or if the certificate provided cannot be verified against the existing certificate authorities file.
    • allow: a certificate will always be requested from the LDAP server. The session will proceed as normal even if a certificate is not provided. If a certificate is provided but it cannot be verified against the existing certificate authorities file, the certificate will be ignored and the session will proceed as normal.
    • never: a certificate will never be requested.
Using openstack-config, you can configure TLS encryption on LDAP traffic by running the following commands instead:
# openstack-config --set /etc/keystone/keystone.conf \
 ldap use_tls True
# openstack-config --set /etc/keystone/keystone.conf \
 ldap tls_cacertfile CA_FILE
# openstack-config --set /etc/keystone/keystone.conf \
 ldap tls_req_cert CERT_BEHAVIOR
Where:
  • CA_FILE is the absolute path to the certificate authorities file used to verify the LDAP server's certificate on the TLS-encrypted connection.
  • CERT_BEHAVIOR specifies how strictly the certificate presented by the LDAP server is checked when the TLS session is established (demand, allow, or never).