How to integrate Keystone packstack with AD ?

In this article, I am going to show the integration of keystone with active directory. In case of packstack, by default keystone is running under apache, I have written article on this before. I am going to use the same setup to configure keystone with AD.

I have referred Red Hat article to configure keystone with AD. In that article, steps suggested are for running keystone without httpd, but there is not much difference in steps. You just need to restart the apache service instead of keystone to bring the changes into reflect.

Step 1 : I have configured Windows AD setup which is very easy, after installation just run the “dcpromo.exe” command to configure the AD.

Step 2 : After configuring the AD, as suggested in Red  Hat article, I have created user and group using Windows Power CLI. If you are facing issue while setting the password use the GUI that will be much easier.

Step 3 : Time to make the changes on openstack side.

Again followed the steps for v3 api, glance and keystone provided in article, just restart the httpd service in place of keystone.

Step 4 : Below is my domain keystone configuration file. Note : I am not using any certificate hence I modified some of the options in file like port number from 636 to 389 and ldaps to ldap.

[root@allinone domains(keystone_admin)]# cat /etc/keystone/domains/keystone.ganesh.conf
[ldap]
url =  ldap://192.168.122.133:389
user = CN=svc-ldap,CN=Users,DC=ganesh,DC=com
password                 = User@123
suffix                   = DC=ganesh,DC=com
user_tree_dn             = CN=Users,DC=ganesh,DC=com
user_objectclass         = person
user_filter = (memberOf=cn=grp-openstack,CN=Users,DC=ganesh,DC=com)
user_id_attribute        = cn
user_name_attribute      = cn
user_mail_attribute      = mail
user_pass_attribute      =
user_enabled_attribute   = userAccountControl
user_enabled_mask        = 2
user_enabled_default     = 512
user_attribute_ignore    = password,tenant_id,tenants
user_allow_create        = False
user_allow_update        = False
user_allow_delete        = False

[identity]
driver = keystone.identity.backends.ldap.Identity

Step 5 : Restart the httpd service and create a domain matching the NetBIOS name of AD in my case it’s GANESH.

Step 6 : Verify that you are able to list the users present in domain.

[root@allinone domains(keystone_admin)]# openstack user list –domain GANESH
+——————————————————————+———-+
| ID                                                               | Name     |
+——————————————————————+———-+
| a557f06c03960d3b3de7d670774c1c329efe9f33e17c5aa894f0207ec78766e6 | svc-ldap |
+——————————————————————+———-+

Step 7 : I created one test user in AD “user1” and then again issued the command in openstack setup, and I can see that new user is showing in below output.

[root@allinone domains(keystone_admin)]# openstack user list –domain GANESH
+——————————————————————+———-+
| ID                                                               | Name     |
+——————————————————————+———-+
| a557f06c03960d3b3de7d670774c1c329efe9f33e17c5aa894f0207ec78766e6 | svc-ldap |
| f71c9fb8479994f287978a2b25f5796a80871b472de07bdee7794806e0902d7e | user1    |
+——————————————————————+———-+

Just in case, if someone is curious about the calls which are going to ldap server from packstack setup.

Below calls can be seen in tcpdump while collecting tcpdump in background

[root@allinone domains(keystone_admin)]# openstack user list –domain GANESH

tshark -tad -n -r /tmp/ldap.pcap -Y ldap
Running as user “root” and group “root”. This could be dangerous.
6 2016-03-13 04:25:45 192.168.122.50 -> 192.168.122.133 LDAP 125 bindRequest(1) “CN=svc-ldap,CN=Users,DC=ganesh,DC=com” simple
7 2016-03-13 04:25:45 192.168.122.133 -> 192.168.122.50 LDAP 88 bindResponse(1) success
9 2016-03-13 04:25:45 192.168.122.50 -> 192.168.122.133 LDAP 232 searchRequest(2) “CN=Users,DC=ganesh,DC=com” singleLevel
10 2016-03-13 04:25:45 192.168.122.133 -> 192.168.122.50 LDAP 332 searchResEntry(2) “CN=svc-ldap,CN=Users,DC=ganesh,DC=com”  | searchResEntry(2) “CN=user1,CN=Users,DC=ganesh,DC=com”  | searchResDone(2) success  [2 results]
11 2016-03-13 04:25:45 192.168.122.50 -> 192.168.122.133 LDAP 73 unbindRequest(3)

Step 8 : Listing all the present domains, roles and adding the user to project add assigning role to it.

[root@allinone domains(keystone_admin)]# openstack domain list
+———————————-+———+———+———————————————————————-+
| ID                               | Name    | Enabled | Description                                                          |
+———————————-+———+———+———————————————————————-+
| d313e92c985b456295c254e827bbbd1b | GANESH  | True    |                                                                      |
| db1b4320ec764bdfb45106cdeadc754c | heat    | True    | Contains users and projects created by heat                          |
| default                          | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+———————————-+———+———+———————————————————————-+

[root@allinone domains(keystone_admin)]# openstack role list
+———————————-+——————+
| ID                               | Name             |
+———————————-+——————+
| 5ca3a634c2b649dd9e2033509fb561cc | heat_stack_user  |
| 65f8c50174af4818997d94f0bfeb5183 | ResellerAdmin    |
| 68a199b73276438a8466f51a03cd2980 | admin            |
| 8c574229aa654937a5a53d3ced333c08 | heat_stack_owner |
| 9a408ea418884fee94e10bfc8019a6f3 | SwiftOperator    |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_         |
+———————————-+——————+

[root@allinone domains(keystone_admin)]# openstack role add –project demo –user f71c9fb8479994f287978a2b25f5796a80871b472de07bdee7794806e0902d7e _member_

 

 

Reference :

I found very good information about comparison of keystone v2 and keystone v3.

[1] http://www.madorn.com/keystone-v3-api.html#.VuUiC5SbRIt

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s