- OpenStack Cloud Computing Cookbook(Third Edition)
- Kevin Jackson Cody Bunch Egle Sigler
- 596 words
- 2021-07-16 20:39:14
Configuring OpenStack Identity for LDAP Integration
The OpenStack Identity service that we have built so far provides you with a functional, but isolated, setup for your OpenStack environment. This is a useful setup for Proof of Concept and lab environments. However, it is likely that you will need to integrate OpenStack with your existing authentication system. OpenStack Identity provides a pluggable authentication back end for this, with LDAP being the most widely used.
Getting ready
We will be using the keystone client to operate Keystone. If the python-keystoneclient tool isn't available, follow the steps described at http://bit.ly/OpenStackCookbookClientInstall.
Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:

```bash
export OS_TENANT_NAME=cookbook
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/
export OS_NO_CACHE=1
export OS_KEY=/vagrant/cakey.pem
export OS_CACERT=/vagrant/ca.pem
```
Tip
You can use the controller node if no other machines are available on your network, as this has the python-keystoneclient and the relevant access to the OpenStack environment. If you are using the Vagrant environment, issue the following command to get access to the Controller:

```bash
vagrant ssh controller
```
Additionally, to connect to an external LDAP service, you will need to possess the hostname or IP address of the LDAP server and have appropriate access to the server. You will also need to have the LDAP path information for an admin user, and for the Organizational Units that contain the Users, Roles, and Tenants.
Note
We have provided a sample OpenLDAP server that is prepopulated with the required values as part of this book's supplementary materials; instructions on how to use it are located on our book blog at http://bit.ly/OpenStackCookbookLDAP
How to do it...
To configure OpenStack Identity to communicate with LDAP, perform the following steps:
- Using your favorite editor, enable LDAP authentication in the keystone.conf file:

  ```ini
  [identity]
  driver=keystone.identity.backends.ldap.Identity
  ```
- Next, create the ldap section and add the URL to your existing LDAP server:

  ```ini
  [ldap]
  url = ldap://openldap
  ```
- On the following lines, specify the LDAP path for the admin user you will use, along with its password and the suffix, or where you would like Keystone to begin searching LDAP:

  ```ini
  user = cn=admin,dc=cook,dc=book
  password = openstack
  # suffix is the base that the admin user and the tree DNs below share
  # (dc=cook,dc=book; a cn=cook,cn=book suffix would not match those DNs)
  suffix = dc=cook,dc=book
  ```
- In the same [ldap] section, we tell Keystone four pieces of information about how to find users. user_tree_dn specifies which OU within the LDAP tree to search for users. user_objectclass specifies how a user is represented within LDAP. user_id_attribute tells Keystone which property of the user to use as a username. Similarly, user_mail_attribute tells Keystone where to find the user's e-mail address. The code is as follows:

  ```ini
  user_tree_dn = ou=Users,dc=cook,dc=book
  user_objectclass = inetOrgPerson
  user_id_attribute = cn
  user_mail_attribute = mail
  ```
- Next, add the same details for Tenants and Roles:

  ```ini
  tenant_tree_dn = ou=Projects,dc=cook,dc=book
  tenant_objectclass = groupOfNames
  tenant_id_attribute = cn
  tenant_desc_attribute = description
  role_tree_dn = ou=Roles,dc=cook,dc=book
  role_objectclass = organizationalRole
  role_id_attribute = cn
  role_member_attribute = roleOccupant
  ```
- Save the file and restart keystone:

  ```bash
  sudo stop keystone
  sudo start keystone
  ```
How it works...
The OpenStack Identity service, like other OpenStack services, is based on plugins. In its default state, Keystone will store and access all user identity and authentication data from a SQL database. However, when integrating OpenStack into an existing environment, this is not always the most desirable or secure method. To accommodate this, we changed the identity back end to LDAP. This allows for integration with OpenLDAP, Active Directory, and many others. However, when configuring the backend, you need to pay special attention to the LDAP paths.
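As an added pre-flight check for the LDAP paths this recipe warns about (example code written for this section, not from the book or from the Keystone project), the script below parses the [identity] and [ldap] sections of a keystone.conf and flags search DNs that do not sit under the configured suffix, as well as a plain ldap:// URL, which sends the admin bind password in clear text. The config it reads is constructed here and deliberately contains a suffix typed with cn= instead of dc=.

```python
import configparser
from urllib.parse import urlparse

# Constructed keystone.conf fragment (not from the book): the suffix has been
# mistyped with cn= instead of dc=, and the URL uses plain ldap://.
SAMPLE_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldap://openldap
user = cn=admin,dc=cook,dc=book
password = openstack
suffix = cn=cook,cn=book
user_tree_dn = ou=Users,dc=cook,dc=book
tenant_tree_dn = ou=Projects,dc=cook,dc=book
role_tree_dn = ou=Roles,dc=cook,dc=book
"""

LDAP_DRIVER = "keystone.identity.backends.ldap.Identity"


def dn_parts(dn):
    """Split a DN string into normalised RDNs (lower-cased, whitespace stripped)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]


def check_ldap_section(conf_text):
    """Return a list of findings; an empty list means the [ldap] section is consistent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    findings = []
    if cfg.get("identity", "driver", fallback="") != LDAP_DRIVER:
        findings.append("identity.driver does not select the LDAP identity backend")
    ldap = cfg["ldap"]
    if urlparse(ldap.get("url", "")).scheme != "ldaps":
        findings.append("url scheme is not ldaps: without TLS the bind password crosses the network in clear text")
    suffix = dn_parts(ldap.get("suffix", ""))
    if not suffix:
        return findings + ["suffix is missing"]
    for key in ("user", "user_tree_dn", "tenant_tree_dn", "role_tree_dn"):
        parts = dn_parts(ldap.get(key, ""))
        if not parts:
            findings.append(f"{key} is missing")
        elif parts[-len(suffix):] != suffix:  # every search base must end with the suffix RDNs
            findings.append(f"{key} ({ldap[key]}) is not under suffix ({ldap['suffix']})")
    return findings


def fixed_conf(conf_text):
    """Apply the two corrections the checker points at, so the clean case can be compared."""
    return conf_text.replace("ldap://", "ldaps://").replace("cn=cook,cn=book", "dc=cook,dc=book")
```

Running check_ldap_section on SAMPLE_CONF reports the ldap:// URL plus four DNs outside the mistyped suffix; on fixed_conf(SAMPLE_CONF) it reports nothing.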