OpenStack Active Directory / LDAP authentication

OpenStack (Grizzly) allows keystone to authenticate against different backends. The default backend is an SQL database, storing both user information (username/password) and tenant information (which user belongs to which group). Although you can switch this to an LDAP-based backend, it would mean keeping tenant information in LDAP too (which means tedious things like creating a new LDAP DC, which no self-respecting LDAP admin will let you do arbitrarily). But what if you just want OpenStack to authenticate against an LDAP server, like Active Directory in an enterprise setting?

Luckily, keystone makes it easy to extend authentication. The following patch lets you configure up to 3 LDAP servers, which keystone will attempt to bind to with the supplied username/password when a user logs in. It can also fall back to the user information in SQL if the bind fails on every LDAP server, by setting fallback = True.

First of all, you need to create your own Identity backend with a _check_password() method. See ldapauth.py on my GitHub. Put this file into keystone/identity/backends.

Next, update config.py so it reads the new options from your keystone.conf.

The full patch is on my GitHub: https://github.com/waipeng/keystone/commit/8c18917558bebbded0f9c588f08a84b0ea33d9ae

After this, you can update keystone.conf to specify the LDAP servers that you want to authenticate with. Example:

[ldapauth]
server1_host = ldap://ldap1.example.com
server2_host = ldap://ldap2.example.com
server3_host = ldap://ldap3.example.com
server1_domain = DOMAIN1
server2_domain = DOMAIN2
server3_domain = DOMAIN3
fallback = True
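To make the bind-then-fall-back behaviour concrete, here is an added example of the _check_password() logic (written for this post, not the patch's own code). It assumes AD accepts DOMAIN\user as the bind name and takes the LDAP bind and the SQL check as injected callables, so it runs offline; in keystone you would wrap python-ldap's simple bind. It also refuses an empty password, because an LDAP server treats an empty-password bind as anonymous and reports success.

```python
from typing import Callable, Dict, List


class LdapUnavailable(Exception):
    """Raised by the bind callable when a server cannot be reached."""


def parse_ldapauth(section: Dict[str, str]) -> List[Dict[str, str]]:
    """Collect server{N}_host / server{N}_domain pairs (N = 1..3) from the
    [ldapauth] section, skipping slots that are not configured."""
    servers = []
    for n in (1, 2, 3):
        host = section.get(f"server{n}_host")
        if host:
            servers.append({"host": host, "domain": section.get(f"server{n}_domain", "")})
    return servers


def check_password(section: Dict[str, str], username: str, password: str,
                   bind: Callable[[str, str, str], bool],
                   sql_check: Callable[[str, str], bool]) -> bool:
    """Try a simple bind on each configured server in order; if no server
    accepts the credentials, consult the SQL backend only when fallback = True."""
    # Never send an empty password: LDAP treats it as an anonymous
    # (unauthenticated) bind, which succeeds and would grant access.
    if not password:
        return False
    for srv in parse_ldapauth(section):
        # Assumed bind name format: AD down-level logon name, DOMAIN\user.
        bind_name = f"{srv['domain']}\\{username}" if srv["domain"] else username
        try:
            if bind(srv["host"], bind_name, password):
                return True
        except LdapUnavailable:
            continue  # unreachable server: try the next one
    if section.get("fallback", "False").lower() == "true":
        return sql_check(username, password)
    return False


# Constructed sample config and fakes standing in for python-ldap and SQL.
SAMPLE_CONFIG = {
    "server1_host": "ldap://ldap1.example.com", "server1_domain": "DOMAIN1",
    "server2_host": "ldap://ldap2.example.com", "server2_domain": "DOMAIN2",
    "fallback": "True",
}


def fake_bind(host: str, bind_name: str, password: str) -> bool:
    if host.endswith("ldap1.example.com"):
        raise LdapUnavailable(host)  # simulate a server that is down
    return (bind_name, password) == ("DOMAIN2\\alice", "s3cret")


def fake_sql_check(username: str, password: str) -> bool:
    return (username, password) == ("admin", "local-pw")
```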


7 thoughts on “OpenStack Active Directory / LDAP authentication”

  1. Thanks for the patch. I am still having problems integrating keystone with Active Directory. With this patch, I can at least get everyone authenticating against AD while I am working on getting the integration to work. By the way, are you able to integrate keystone with Active Directory?

    • Can you give more details about what you mean by “integrate”? Do you mean getting AD to take care of tenants too? There are a few documents out there for that; you will have to create more branches in your AD to store the tenant info.

      • https://wiki.openstack.org/wiki/HowtoIntegrateKeystonewithAD I also tried a few other posts from different people on how they integrate Keystone with AD, but none of them is complete. I have already created a few OUs (Projects, Roles, and organizationalRole). From the log, I can see the login is OK but broken somewhere. Since I already have openstack up and running (with packstack), there are a few system accounts (admin, glance, nova …) that already exist. My understanding is I will need those accounts created in AD (but none of the docs from the internet mention this), but I can’t create those “generic” accounts in our AD (i.e. I need to change the account names a bit, e.g. opstk_admin). That means I will need to update different configurations (and even mysql). I am wondering if you have something working that I can reference; that would be awesome.

        Thanks
