Chapter 2. Configuring Red Hat Identity management

You can configure Red Hat OpenStack Platform with federated user management with the following features:

  • Red Hat Identity Management (IdM) is external to Red Hat OpenStack Platform
  • Red Hat IdM is the source of all user and group information
  • Red Hat Single Signon (RH-SSO) is configured to use Red Hat IdM for user Federation

2.1. Creating the IdM service account for RH-SSO

If you use anonomous binds, some information that is essential for Red Hat Single Sign-On (RH-SSO) is withheld for security reasons. As a result, you need provide the appropriate privileges for RH-SSO in the forma a dedicated account to query the IdM LDAP server for this information:

LDAP_URL="ldaps://$FED_IPA_HOST"
DIR_MGR_DN="cn=Directory Manager"
SERVICE_NAME="rhsso"
SERVICE_DN="uid=$service_name,cn=sysaccounts,cn=etc,$FED_IPA_BASE_DN"

$ ldapmodify -H "${LDAP_URL}" -x -D "${DIR_MGR_DN}" -w <_FED_IPA_ADMIN_PASSWD_> <<EOF
dn: ${SERVICE_DN}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ${SERVICE_NAME}
userPassword: <_FED_IPA_RHSSO_SERVICE_PASSWD_>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
Note

You can use the configure-federation script to perform the above step: $ ./configure-federation create-ipa-service-account

2.2. Creating a test user

Create a user account in IdM for testing:

Procedure

  1. Create a user jdoe in IdM:

    $ipa user-add --first John --last Doe --email jdoe@example.com jdoe
  2. Assign a password to the user:

    $ipa passwd jdoe

2.3. Creating an IdM group for OpenStack users

You must have an IdM group openstack-users to map to the Keystone group federated_users. Map the test user to this group.

Create the openstack-users group in Red Hat Identity Management (IdM):

Procedure

  1. Ensure that the openstack-users group does not exist:

    $ ipa group-show openstack-users
    ipa: ERROR: openstack-users: group not found
  2. Add the openstack-users group to IdM:

    ipa group-add openstack-users
  3. Add the test users to the openstack-users group:

    ipa group-add-member --users jdoe openstack-users
  4. Verify that the openstack-users group exists and has the test user as a member:

    $ ipa group-show openstack-users
      Group name: openstack-users
      GID: 331400001
      Member users: jdoe