Chapter 8. Identity management with LDAP
If you have configured the Identity service (keystone) to authenticate against or to retrieve identity information from an LDAP server, you can secure LDAP communication for the Identity service by using a CA certificate.
You must obtain the CA certificate from Active Directory, convert the CA certificate file into Privacy Enhanced Mail (PEM) file format, and configure secure LDAP communication for the Identity service. You can perform this configuration with one of three methods, depending on where and how the CA trust is configured.
8.1. Obtaining the CA certificate from Active Directory
Use the following example code to query Active Directory to obtain the CA certificate. The CA_NAME is the name of the certificate and the rest of the parameters can be changed according to your configuration:
CA_NAME="WIN2012DOM-WIN2012-CA" AD_SUFFIX="dc=win2012dom,dc=com" LDAPURL="ldap://win2012.win2012dom.com" ADMIN_DN="cn=Administrator,cn=Users,$AD_SUFFIX" ADMINPASSWORD="MyPassword" CA_CERT_DN="cn=latexmath:[$CA_NAME,cn=certification authorities,cn=public key services,cn=services,cn=configuration,$]AD_SUFFIX" TMP_CACERT=/tmp/cacert.`date +'%Y%m%d%H%M%S'`.$$.pem ldapsearch -xLLL -H latexmath:[$LDAPURL -D `echo \"$]ADMIN_DN"`-W -s base -b`echo "$CA_CERT_DN"` objectclass=* cACertificate
8.2. Converting the CA certificate into PEM format
Before you can configure LDAP in the Identity service (keystone), you must convert the CA certificate to PEM format.
Procedure
Create a file called /path/cacert.pem and include the contents of the LDAP query — that obtained the CA certificate from Active Directory, within the header and footer:
-----BEGIN CERTIFICATE----- MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANB... -----END CERTIFICATE-----
For troubleshooting, you can execute the following query to check if LDAP is working, and to ensure that the PEM certificate file was created correctly.
LDAPTLS_CACERT=/path/cacert.pem ldapsearch -xLLL -ZZ -H $LDAPURL -s base -b "" "objectclass=*" currenttime
The query should return a result similar to:
dn: currentTime: 20141022050611.0Z
Run the following command to get a CA certificate if it was hosted by a web server.
- $HOST=redhat.com
$PORT=443
# echo Q | openssl s_client -connect $HOST:$PORT | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p'
8.3. Configuring secure LDAP communication for the Identity service
Use one of the following methods to configure LDAP for the Identity service (keystone).
Method 1
Use this method if the CA trust is configured at the LDAP level using a PEM file. Manually specify the location of a CA certificate file. The following procedure secures LDAP communication not only for the Identity service, but for all applications that use the OpenLDAP libraries.
-
Copy the file containing your CA certificate chain in PEM format to the
/etc/openldap/certsdirectory. Edit
/etc/openldap/ldap.confand add the following directive, replacing [CA_FILE] with the location and name of the CA certificate file:TLS_CACERT /etc/openldap/certs/[CA_FILE]
Restart the horizon container:
# systemctl restart tripleo_horizon
Method 2
Use this method if the CA trust is configured at the LDAP library level using a Network Security Services (NSS) database. Use the certutil command to import and trust a CA certificate into the NSS certificate database used by the OpenLDAP libraries. The following procedure secures LDAP communication not only for the Identity service, but for all applications that use the OpenLDAP libraries.
Import and trust the certificate, replacing [CA_FILE] with the location and name of the CA certificate file:
# certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE] # certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE]
Confirm the CA certificate was imported correctly:
# certutil -d /etc/openldap/certs -L
Your CA certificate is listed, and the trust attributes are set to CT,,.
Restart the horizon container:
# systemctl restart tripleo_horizon
Method 3
Use this method if the CA trust is configured at the Keystone level using a PEM file. The final method of securing communication between the Identity service and an LDAP server is to configure TLS for the Identity service.
However, unlike the two methods above, this method secures LDAP communication only for the Identity service and does not secure LDAP communication for other applications that use the OpenLDAP libraries. The following procedure uses the openstack-config command to edit values in the /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf file.
Enable TLS:
# openstack-config --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf ldap use_tls True
Specify the location of the certificate, replacing [CA_FILE] with the name of the CA certificate:
# openstack-config --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf ldap tls_cacertfile [CA_FILE]
Specify the client certificate checks performed on incoming TLS sessions from the LDAP server, replacing [CERT_BEHAVIOR] with one of the behaviors listed below:
- demand
- a certificate will always be requested from the LDAP server. The session will be terminated if no certificate is provided, or if the certificate provided cannot be verified against the existing certificate authorities file.
- allow
- a certificate will always be requested from the LDAP server. The session will proceed as normal even if a certificate is not provided. If a certificate is provided but it cannot be verified against the existing certificate authorities file, the certificate will be ignored and the session will proceed as normal.
- never
- a certificate will never be requested.
# openstack-config --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf ldap tls_req_cert [CERT_BEHAVIOR]
Restart the keystone and horizon containers:
# systemctl restart tripleo_keystone # systemctl restart tripleo_horizon
