OpenStack Active Directory / LDAP authentication

OpenStack (Grizzly) lets Keystone authenticate against different backends. The default backend is an SQL database that stores both user information (username/password) and tenant information (which user belongs to which tenant). You can switch this to an LDAP-based backend, but then the tenant information has to live in LDAP as well, which means tedious things like creating a new LDAP DC, something no self-respecting LDAP admin will let you do arbitrarily. But what if you just want OpenStack to authenticate users against an LDAP server, such as Active Directory in an enterprise setting?

Luckily, Keystone makes it easy to extend authentication. The following patch lets you configure up to three LDAP servers; when a user logs in, Keystone attempts to bind to each of them with the supplied username and password. It can also fall back to the user information in SQL when it fails to bind to the LDAP servers, by setting fallback = True.

First of all, you need to create your own Identity backend with a _check_password() method. Please check out ldapauth.py on my GitHub and put the file into keystone/identity/backends.

Next, you will need to update config.py so that it reads the new settings from your keystone.conf.

The full patch is on my GitHub: https://github.com/waipeng/keystone/commit/8c18917558bebbded0f9c588f08a84b0ea33d9ae

After this, you can update keystone.conf to specify the LDAP servers that you want to authenticate against. Note that with plain ldap:// URLs the bind password crosses the network in cleartext, so in production use ldaps:// or STARTTLS. Example:

[ldapauth]
server1_host = ldap://ldap1.example.com
server2_host = ldap://ldap2.example.com
server3_host = ldap://ldap3.example.com
server1_domain = DOMAIN1
server2_domain = DOMAIN2
server3_domain = DOMAIN3
fallback = True
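To show how the pieces above fit together, here is an added, self-contained Python example of the bind-then-fall-back logic. It is not the ldapauth.py from the patch and not Keystone's own code: the config parsing, the LdapServer type, the binder callable and the toy salted-hash SQL check are all assumptions made for this example. Two details are deliberate design choices rather than anything the post states: an empty password is rejected before any bind is attempted (an LDAP bind with a DN and an empty password is an "unauthenticated" bind that Active Directory and other servers accept, which would log anyone in as any user), and the SQL fallback is used only when no LDAP server could be reached, not when a server rejected the credentials (otherwise a stale SQL password would keep working after the AD account is disabled). The real binder at the top uses python-ldap and is not exercised offline; the demo uses a constructed in-memory directory instead.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple


class LdapUnavailable(Exception):
    """Raised by a binder when the LDAP server cannot be reached at all."""


@dataclass
class LdapServer:
    host: str    # e.g. "ldap://ldap1.example.com" (assumed field name)
    domain: str  # NetBIOS domain, used to build the AD bind name DOMAIN\user


# A binder takes (host, bind_name, password) and returns True on a successful
# bind, False if the server rejected the credentials, or raises LdapUnavailable.
Binder = Callable[[str, str, str], bool]


def python_ldap_binder(host: str, bind_name: str, password: str) -> bool:
    """Real binder using python-ldap (imported lazily so the module runs without it).
    Assumption: plain ldap:// sends the password in the clear; use ldaps:// or
    conn.start_tls_s() in production."""
    import ldap  # python-ldap
    conn = ldap.initialize(host)
    try:
        conn.simple_bind_s(bind_name, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False
    except ldap.SERVER_DOWN as exc:
        raise LdapUnavailable(host) from exc
    finally:
        try:
            conn.unbind_s()
        except ldap.LDAPError:
            pass


def parse_ldapauth_section(opts: Dict[str, str]) -> Tuple[List[LdapServer], bool]:
    """Turn [ldapauth] keys (server1_host, server1_domain, ...) into an ordered
    server list, stopping at the first missing serverN_host."""
    servers: List[LdapServer] = []
    n = 1
    while f"server{n}_host" in opts:
        servers.append(LdapServer(opts[f"server{n}_host"], opts[f"server{n}_domain"]))
        n += 1
    fallback = str(opts.get("fallback", "False")).lower() == "true"
    return servers, fallback


def check_password(username: str, password: str, servers: List[LdapServer],
                   fallback: bool, binder: Binder,
                   sql_check: Callable[[str, str], bool]) -> bool:
    """Try each LDAP server in order. A rejected bind is final (no SQL fallback);
    an unreachable server is skipped; SQL is consulted only when fallback is on
    and no server answered."""
    if not password:
        # RFC 4513 5.1.2: DN + empty password is an "unauthenticated" bind that
        # many servers (Active Directory included) accept. Never send it.
        return False
    reachable = False
    for srv in servers:
        bind_name = f"{srv.domain}\\{username}"
        try:
            ok = binder(srv.host, bind_name, password)
        except LdapUnavailable:
            continue
        reachable = True
        if ok:
            return True
    if reachable:
        return False
    return fallback and sql_check(username, password)


def make_sql_check(users: Dict[str, Tuple[bytes, str]]) -> Callable[[str, str], bool]:
    """Stand-in for the SQL backend's password check (constructed for this example):
    users maps username -> (salt, hex sha256(salt + password))."""
    def sql_check(username: str, password: str) -> bool:
        rec = users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)
    return sql_check


def make_fake_binder(directory: Dict[str, Dict[str, str]], down: Set[str]) -> Binder:
    """Test double: directory maps host -> {bind_name: password}; hosts in `down`
    behave as unreachable."""
    def binder(host: str, bind_name: str, password: str) -> bool:
        if host in down:
            raise LdapUnavailable(host)
        return directory.get(host, {}).get(bind_name) == password
    return binder


SAMPLE_CONF = {  # constructed to mirror the [ldapauth] section above
    "server1_host": "ldap://ldap1.example.com", "server1_domain": "DOMAIN1",
    "server2_host": "ldap://ldap2.example.com", "server2_domain": "DOMAIN2",
    "fallback": "True",
}


def demo() -> Dict[str, bool]:
    servers, fallback = parse_ldapauth_section(SAMPLE_CONF)
    salt = b"saltsalt"
    sql_check = make_sql_check({"alice": (salt, hashlib.sha256(salt + b"sqlpw").hexdigest())})
    directory = {"ldap://ldap1.example.com": {"DOMAIN1\\bob": "bobpw"},
                 "ldap://ldap2.example.com": {"DOMAIN2\\carol": "carolpw"}}

    def auth(user: str, pw: str, down: Iterable[str] = ()) -> bool:
        return check_password(user, pw, servers, fallback,
                              make_fake_binder(directory, set(down)), sql_check)

    return {
        "bob_ok": auth("bob", "bobpw"),
        "carol_on_second_server": auth("carol", "carolpw"),
        "bob_wrong_pw": auth("bob", "wrong"),
        "empty_pw_rejected": auth("bob", ""),
        "alice_no_fallback_while_ldap_up": auth("alice", "sqlpw"),
        "alice_fallback_when_all_down": auth("alice", "sqlpw", down=directory.keys()),
        "alice_fallback_wrong_pw": auth("alice", "nope", down=directory.keys()),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The demo walks the cases a reviewer would ask about: a user on the second server, a rejected bind that does not fall through to SQL, an empty password that is refused before any bind, and the SQL fallback firing only once every configured server is unreachable.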
