2.8. Configuring OpenStack Identity domains on Controller nodes

To configure Controller nodes that run OpenStack Identity (keystone) to integrate with an external user management service, first configure SELinux to use LDAP authentication and create the domains directory on the Controller node. Then configure OpenStack Identity to use multiple back ends and the Dashboard to use multiple domains.

注記

If you are using director, note that the configuration files referenced in this procedure are managed by Puppet. Therefore, any custom configuration you add might be overwritten whenever you run the openstack overcloud deploy command.

Planning

If you intend to update any configuration files, you need to be aware that certain OpenStack services now run within containers; this applies to keystone, nova, and cinder, among others. As a result, there are certain administration practices to consider:

  • Do not update any configuration file you might find on the physical node’s host operating system, for example, /etc/cinder/cinder.conf. This is because the containerized service does not reference this file.
  • Do not update the configuration file running within the container. This is because any changes are lost once you restart the container.

    Instead, if you need to add any changes to containerized services, you will need to update the configuration file that is used to generate the container. These are stored within /var/lib/config-data/puppet-generated/

    For example:

    • keystone: /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
    • cinder: /var/lib/config-data/puppet-generated/cinder/etc/cinder/cinder.conf
    • nova: /var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf

    Any changes will then be applied once you restart the service. For example: sudo systemctl restart tripleo_keystone

Procedure

Perform this procedure on each Controller node that runs the OpenStack Identity (keystone) service.

  1. Configure SELinux:

    # setsebool -P authlogin_nsswitch_use_ldap=on

    The output might include messages similar to this. They can be ignored:

    Full path required for exclude: net:[4026532245].
  2. Create the domains directory:

    # mkdir /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/
    # chown 42425:42425 /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/
  3. Configure keystone to use multiple back ends:

    注記

    You might need to install crudini using dnf install crudini.

    # crudini --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf identity domain_specific_drivers_enabled true
    # crudini --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf identity domain_config_dir /etc/keystone/domains
    # crudini --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf assignment driver sql
  4. Enable multiple domains in dashboard. Add these lines to /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings:

    OPENSTACK_API_VERSIONS = {
        "identity": 3
    }
    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
    OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
    注記

    If you are using director, note that /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings is managed by Puppet. Consequently, any custom configuration you add might be overwritten whenever you run the openstack overcloud deploy process. As a result, you might need to re-add this configuration manually each time.

    Restart the horizon container to apply the settings:

    $ sudo systemctl restart tripleo_horizon
  5. Create the keystone domain for the external service integration with the NetBIOS name value retrieved previously as the domain name. This approach allows you to present a consistent domain name to users during the login process. In this example, LAB is the NetBIOS name to use as the Identity Service domain.

    $ openstack domain create LAB
    注記

    If this command is not available, check that you have enabled keystone v3 for your command line session by running # source overcloudrc-v3.

  6. Create the configuration file for the external service that you are integrating:

    • Active Directory Domain Service (AD DS): Enter the LDAP settings in a new file called /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/keystone.LAB.conf (where LAB is the NetBIOS name retrieved previously). You will need to edit the sample settings below to suit your AD DS deployment:

      [ldap]
      url                  = ldaps://addc.lab.local:636
      user                  = CN=svc-ldap,OU=labUsers,DC=lab,DC=local
      password                 = RedactedComplexPassword
      suffix                   = DC=lab,DC=local
      user_tree_dn             = OU=labUsers,DC=lab,DC=local
      user_objectclass         = person
      user_filter                  = (|(memberOf=cn=grp-openstack,OU=labUsers,DC=lab,DC=local)(memberOf=cn=grp-openstack-admin,OU=labUsers,DC=lab,DC=local)(memberOf=memberOf=cn=grp-openstack-demo,OU=labUsers,DC=lab,DC=local))
      user_id_attribute        = sAMAccountName
      user_name_attribute      = sAMAccountName
      user_mail_attribute      = mail
      user_pass_attribute      =
      user_enabled_attribute   = userAccountControl
      user_enabled_mask        = 2
      user_enabled_default     = 512
      user_attribute_ignore    = password,tenant_id,tenants
      group_objectclass        = group
      group_tree_dn            = OU=labUsers,DC=lab,DC=local
      group_filter             = (CN=grp-openstack*)
      group_id_attribute       = cn
      group_name_attribute     = name
      use_tls                  = False
      tls_cacertfile                  =/etc/pki/ca-trust/source/anchors/anchorsaddc.lab.local.pem
      
      query_scope                  = sub
      chase_referrals                  = false
      
      [identity]
      driver = ldap

      Explanation of each setting:

      SettingDescription

      url

      The AD Domain Controller to use for authentication. Uses LDAPS port 636.

      user

      The Distinguished Name of an AD account to use for LDAP queries. For example, you can locate the Distinguished Name value of the svc-ldap account in AD using Get-ADuser svc-ldap | select DistinguishedName

      password

      The plaintext password of the AD account used above.

      suffix

      The Distinguished Name of your AD domain. You can locate this value using Get-ADDomain | select DistinguishedName

      user_tree_dn

      The Organizational Unit (OU) that contains the OpenStack accounts.

      user_objectclass

      Defines the type of LDAP user. For AD, use the person type.

      user_filter

      Filters the users presented to Identity Service. As a result, only members of the grp-openstack group can have permissions defined in Identity Service. This value requires the full Distinguished Name of the group: Get-ADGroup grp-openstack | select DistinguishedName

      user_id_attribute

      Maps the AD value to use for user IDs.

      user_name_attribute

      Maps the AD value to use for names.

      user_mail_attribute

      Maps the AD value to use for user email addresses.

      user_pass_attribute

      Leave this value blank.

      user_enabled_attribute

      The AD setting that validates whether the account is enabled.

      user_enabled_mask

      Defines the value to check to determine whether an account is enabled. Used when booleans are not returned.

      user_enabled_default

      The AD value that indicates that an account is enabled.

      user_attribute_ignore

      Defines user attributes that Identity Service should disregard.

      group_objectclass

      Maps the AD value to use for groups.

      group_tree_dn

      The Organizational Unit (OU) that contains the user groups.

      group_filter

      Filters the groups presented to Identity Service.

      group_id_attribute

      Maps the AD value to use for group IDs.

      group_name_attribute

      Maps the AD value to use for group names.

      use_tls

      Defines whether TLS is to be used. This needs to be disabled if you are encrypting with LDAPS rather than STARTTLS.

      tls_cacertfile

      Specifies the path to the .crt certificate file.

      query_scope

      Configures Identity Service to also search within nested child OUs, when locating users that are members of the grp-openstack group.

      chase_referrals

      Set to false, this setting prevents python-ldap from chasing all referrals with anonymous access.

    • Red Hat Identity Manager (IdM): Enter the LDAP settings in a new file called /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/keystone.LAB.conf (where LAB is the domain name created previously). You will need to edit the sample settings below to suit your IdM deployment:

      [ldap]
      url =  ldaps://idm.lab.local
      user = uid=svc-ldap,cn=users,cn=accounts,dc=lab,dc=local
      user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=lab,dc=local)
      password = RedactedComplexPassword
      user_tree_dn = cn=users,cn=accounts,dc=lab,dc=local
      user_objectclass = inetUser
      user_id_attribute = uid
      user_name_attribute = uid
      user_mail_attribute = mail
      user_pass_attribute =
      group_tree_dn               = cn=groups,cn=accounts,dc=lab,dc=local
      group_objectclass              = groupOfNames
      group_id_attribute            = cn
      group_name_attribute       =  cn
      group_member_attribute  = member
      group_desc_attribute        = description
      use_tls                  = False
      query_scope                  = sub
      chase_referrals                  = false
      tls_cacertfile =/etc/pki/ca-trust/source/anchors/anchorsca.crt
      
      [identity]
      driver = ldap

      Explanation of each setting:

      SettingDescription

      url

      The IdM server to use for authentication. Uses LDAPS port 636.

      user

      The account in IdM to use for LDAP queries.

      password

      The plaintext password of the IdM account used above.

      user_filter

      Filters the users presented to Identity Service. As a result, only members of the grp-openstack group can have permissions defined in Identity Service.

      user_tree_dn

      The path to the OpenStack accounts in IdM.

      user_objectclass

      Defines the type of LDAP user. For IdM, use the inetUser type.

      user_id_attribute

      Maps the IdM value to use for user IDs.

      user_name_attribute

      Maps the IdM value to use for names.

      user_mail_attribute

      Maps the IdM value to use for user email addresses.

      user_pass_attribute

      Leave this value blank.

      注記

      Integration with an IdM group will only return direct members, and not nested groups. As a result, queries that rely on LDAP_MATCHING_RULE_IN_CHAIN or memberof:1.2.840.113556.1.4.1941: will not currently work with IdM.

  7. Change ownership of the configuration file to the keystone user:

    # chown 42425:42425 /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/keystone.LAB.conf
  8. Restart the keystone service to apply the changes:

    # sudo systemctl restart tripleo_keystone