Chapter 7. Identity Management
7.1. Secure LDAP Communication
If you have configured the Identity service (keystone) to authenticate against or to retrieve identity information from an LDAP server, you can secure LDAP communication for the Identity service using a CA certificate.
This section outlines how to obtain the CA certificate from Active Directory, how to convert the CA certificate file into Privacy Enhanced Mail (PEM) file format, and the three methods for configuring secure LDAP communication for the Identity service. The procedure in each method must be performed depending on where and how the CA trust is configured.
7.1.1. Obtaining the CA Certificate from Active Directory
The following code shows an example of how to query Active Directory to obtain the CA certificate. The CA_NAME is the name of the certificate (you can see it in mmc.exe) and the rest of the parameters can be changed according to your setup:
CA_NAME="WIN2012DOM-WIN2012-CA" AD_SUFFIX="dc=win2012dom,dc=com" LDAPURL="ldap://win2012.win2012dom.com" ADMIN_DN="cn=Administrator,cn=Users,$AD_SUFFIX" ADMINPASSWORD="MyPassword" CA_CERT_DN="cn=latexmath:[$CA_NAME,cn=certification authorities,cn=public key services,cn=services,cn=configuration,$]AD_SUFFIX" TMP_CACERT=/tmp/cacert.`date +'%Y%m%d%H%M%S'`.$$.pem ldapsearch -xLLL -H latexmath:[$LDAPURL -D `echo \"$]ADMIN_DN"`-W -s base -b`echo "$CA_CERT_DN"` objectclass=* cACertificate
7.1.2. Converting the CA Certificate into PEM file format
Create a file called /path/cacert.pem and include the contents of the LDAP query — that obtained the CA certificate from Active Directory, within the header and footer, as shown in the example below:
-----BEGIN CERTIFICATE----- MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANB... -----END CERTIFICATE-----
For troubleshooting, you can execute the following query to check if LDAP is working, and to ensure the PEM certificate file was created correctly.
LDAPTLS_CACERT=/path/cacert.pem ldapsearch -xLLL -ZZ -H $LDAPURL -s base -b "" "objectclass=*" currenttime
The query should return a result similar to:
dn: currentTime: 20141022050611.0Z
You can run the following command to get a CA certificate if it was hosted by a web server.
Example
- $HOST=redhat.com
- $PORT=443
# echo Q | openssl s_client -connect $HOST:$PORT | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p'
7.1.3. Methods for Configuring Secure LDAP Communication for the Identity Service
7.1.3.1. Method 1
Use this method if the CA trust is configured at the LDAP level using a PEM file. Manually specify the location of a CA certificate file. The following procedure secures LDAP communication not only for the Identity service, but for all applications that use the OpenLDAP libraries.
-
Copy the file containing your CA certificate chain in PEM format to the
/etc/openldap/certsdirectory. Edit
/etc/openldap/ldap.confand add the following directive, replacing [CA_FILE] with the location and name of the CA certificate file:TLS_CACERT /etc/openldap/certs/[CA_FILE]
Restart the httpd service:
# systemctl restart httpd.service
7.1.3.2. Method 2
Use this method if the CA trust is configured at the LDAP library level using a Network Security Services (NSS) database. Use the certutil command to import and trust a CA certificate into the NSS certificate database used by the OpenLDAP libraries. The following procedure secures LDAP communication not only for the Identity service, but for all applications that use the OpenLDAP libraries.
Import and trust the certificate, replacing [CA_FILE] with the location and name of the CA certificate file:
# certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE] # certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE]
Confirm the CA certificate was imported correctly:
# certutil -d /etc/openldap/certs -L
Your CA certificate is listed, and the trust attributes are set to CT,,.
Restart the httpd service:
# systemctl restart httpd.service
7.1.3.3. Method 3
Use this method if the CA trust is configured at the Keystone level using a PEM file. The final method of securing communication between the Identity service and an LDAP server is to configure TLS for the Identity service.
However, unlike the two methods above, this method only secures LDAP communication for the Identity service and does not secure LDAP communication for other applications that use the OpenLDAP libraries.
The following procedure uses the openstack-config command to edit values in the /etc/keystone/keystone.conf file.
Enable TLS:
# openstack-config --set /etc/keystone/keystone.conf ldap use_tls True
Specify the location of the certificate, replacing [CA_FILE] with the name of the CA certificate:
# openstack-config --set /etc/keystone/keystone.conf ldap tls_cacertfile [CA_FILE]
Specify the client certificate checks performed on incoming TLS sessions from the LDAP server, replacing [CERT_BEHAVIOR] with one of the behaviors listed below:
- demand
- a certificate will always be requested from the LDAP server. The session will be terminated if no certificate is provided, or if the certificate provided cannot be verified against the existing certificate authorities file.
- allow
- a certificate will always be requested from the LDAP server. The session will proceed as normal even if a certificate is not provided. If a certificate is provided but it cannot be verified against the existing certificate authorities file, the certificate will be ignored and the session will proceed as normal.
- never
- a certificate will never be requested.
# openstack-config --set /etc/keystone/keystone.conf ldap tls_req_cert [CERT_BEHAVIOR]
Restart the httpd service:
# systemctl restart httpd.service
