Document the LDAP Identity Driver

Bug #949521 reported by Adam Young
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Critical
Assigned to: Adam Young
Milestone: 2012.1

Bug Description

Document how to set up Keystone to use the LDAP identity provider

Adam Young (ayoung) wrote :

Configuring the LDAP Identity Provider
===========================================================

Keystone can use a directory server to provide the Identity service. An example schema
for OpenStack would look like this::

  # Base entry; its DN must match the suffix in the [ldap] section
  dn: dc=openstack,dc=org
  dc: openstack
  objectClass: dcObject
  objectClass: organizationalUnit
  ou: openstack

  dn: ou=Groups,dc=openstack,dc=org
  objectClass: top
  objectClass: organizationalUnit
  ou: groups

  dn: ou=Users,dc=openstack,dc=org
  objectClass: top
  objectClass: organizationalUnit
  ou: users

  # the ou attribute must carry the RDN value (Roles), not users
  dn: ou=Roles,dc=openstack,dc=org
  objectClass: top
  objectClass: organizationalUnit
  ou: roles

The corresponding entries in the configuration file are::

  [ldap]
  url = ldap://localhost
  suffix = dc=openstack,dc=org
  # bind DN of the directory's admin entry (the OpenLDAP rootdn, cn=Manager)
  user = cn=Manager,dc=openstack,dc=org
  password = badpassword

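An added consistency check for the tree described in this comment (example code, not part of the bug report or of Keystone): it parses an LDIF file, reports entries that fall outside the configured suffix, RDN values that the entry's own attributes do not carry (the server rejects those as naming violations), and any of the Users/Groups/Roles containers that are missing. The sample LDIF is constructed from the draft as first posted; the suffix is the one from the [ldap] section.

```python
import re
from typing import Dict, List

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse minimal LDIF (no base64 '::' values, no line folding) into attribute -> values maps."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def check_tree(text: str, suffix: str, required_ous=("Users", "Groups", "Roles")) -> List[str]:
    """Return a list of problems; an empty list means the tree is consistent with the [ldap] suffix."""
    problems: List[str] = []
    seen_ous = set()
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        # Every entry must live under the suffix Keystone is configured to search.
        if not dn.lower().endswith(suffix.lower()):
            problems.append(f"{dn}: not under suffix {suffix}")
        # The RDN attribute must carry the RDN value, or the server rejects the add (naming violation).
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val.lower() not in [v.lower() for v in entry.get(rdn_attr.lower(), [])]:
            problems.append(f"{dn}: RDN value '{rdn_val}' not in attribute '{rdn_attr}'")
        if rdn_attr.lower() == "ou":
            seen_ous.add(rdn_val.lower())
    for ou in required_ous:  # Keystone expects these three containers under the suffix
        if ou.lower() not in seen_ous:
            problems.append(f"missing ou={ou},{suffix}")
    return problems

# Constructed sample: the draft tree as first posted (DNs under cn=org, 'ou: users' under Roles).
POSTED_LDIF = "\n\n".join([
    "dn: cn=openstack,cn=org\ndc: openstack\nobjectClass: dcObject\nobjectClass: organizationalUnit\nou: openstack",
    "dn: ou=Groups,cn=openstack,cn=org\nobjectClass: organizationalUnit\nou: groups",
    "dn: ou=Users,cn=openstack,cn=org\nobjectClass: organizationalUnit\nou: users",
    "dn: ou=Roles,cn=openstack,cn=org\nobjectClass: organizationalUnit\nou: users",
])
SUFFIX = "dc=openstack,dc=org"  # suffix from the [ldap] section

if __name__ == "__main__":
    for problem in check_tree(POSTED_LDIF, SUFFIX):
        print(problem)
```

Running it against the posted draft lists six problems; after moving the DNs under dc=openstack,dc=org and setting ou: roles on the Roles entry, the list is empty.
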
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Joseph Heck (heckj)
Changed in keystone:
status: New → Confirmed
importance: Undecided → Critical
milestone: none → essex-rc1
Adam Young (ayoung)
description: updated
Joseph Heck (heckj)
Changed in keystone:
status: Confirmed → In Progress
Anne Gentle (annegentle) wrote :

A couple of questions:

Does the [ldap] section go into the keystone.conf file?

What are the basic requirements on the LDAP side?

Adam Young (ayoung) wrote :

There are many variations on LDAP, so I tried to keep the documentation as neutral as possible. Assuming a development setup for OpenLDAP has worked in the past, but should probably not be documented in the application itself, but rather on the Keystone or OpenStack sites.

Yes, the [ldap] section goes in the keystone.conf file. I have updated to specify that.

On the LDAP side, the user would need to ldapadd a schema as described by the first comment in the ticket. It is pretty straightforward, and should be understandable by anyone comfortable with LDAP.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/5237
Committed: http://github.com/openstack/keystone/commit/5b3e05bbabd5366461630327e4498fe582ff8ab7
Submitter: Jenkins
Branch: master

commit 5b3e05bbabd5366461630327e4498fe582ff8ab7
Author: Adam Young <email address hidden>
Date: Wed Mar 7 16:04:32 2012 -0500

    added LDAP section to architecture and architecture

    https://bugs.launchpad.net/keystone/+bug/949521

    Bug 949521

    Change-Id: I2e37c0d946e3d97a2c4bc4bf4a50bd94466f70c2

Changed in keystone:
status: In Progress → Fix Committed
Adam Young (ayoung) wrote :
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: essex-rc1 → 2012.1