OpenStack Active Directory / LDAP authentication

OpenStack (Grizzly) lets keystone authenticate against different backends. The default backend is an SQL database that stores both user information (username/password) and tenant information (which user belongs to which tenant). You can switch this to an LDAP-based backend, but then the tenant information has to live in LDAP too, which means tedious things like creating new subtrees in the directory, something no self-respecting LDAP admin will let you do arbitrarily. But what if you just want OpenStack to authenticate users against an LDAP server, such as Active Directory in an enterprise setting?

Luckily, keystone makes it easy to extend authentication. The following patch lets you configure up to 3 LDAP servers; when a user logs in, keystone attempts to bind to each of them with the supplied username and password. With fallback = True it can also fall back to the user information in SQL if it cannot bind to the LDAP servers.

First of all, you need to create your own Identity backend with a _check_password() function. The file is on my github; put it into keystone/identity/backends.

Next, you will need to update keystone to read the new configuration options from your keystone.conf.

The full patch is in my github.

After this, update keystone.conf to specify the LDAP servers you want to authenticate against. Example:

server1_host = ldap://
server2_host = ldap://
server3_host = ldap://
server1_domain = DOMAIN1
server2_domain = DOMAIN2
server3_domain = DOMAIN3
fallback = True
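The following is an added example, not the patch from my github or keystone's own code: a stand-alone version of the _check_password() logic described above. It reads the server1..3 settings shown in the config example, binds as DOMAIN\user to each server in turn, and falls back to the SQL password check only when no server could be reached. The [ldap_auth] section name, the example.com hostnames, the sql_check callable and the bind_func hook are assumptions made for illustration; in keystone you would call check_password() from your backend's _check_password().

```python
"""Added example (not the post's patch): a stand-alone version of the
_check_password() logic. Reads serverN_host / serverN_domain / fallback,
binds as DOMAIN\\user to each server in turn, and falls back to the SQL
password check only when no server could be reached. The [ldap_auth]
section name, the hostnames and the bind_func hook are assumptions."""
import configparser

try:
    import ldap  # python-ldap; optional so the example also runs without it
except ImportError:
    ldap = None

# Constructed keystone.conf fragment mirroring the post's example. The
# [ldap_auth] section name and the example.com hosts are assumptions.
SAMPLE_CONF = """
[ldap_auth]
server1_host = ldap://dc1.example.com
server2_host = ldap://dc2.example.com
server3_host =
server1_domain = CORP
server2_domain = CORP
server3_domain =
fallback = True
"""


class ServerUnreachable(Exception):
    """The server could not be contacted (as opposed to rejecting the credentials)."""


def load_ldap_servers(conf_text, section="ldap_auth", max_servers=3):
    """Return ([(host, domain), ...], fallback_flag); empty serverN_host slots are skipped."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    servers = []
    for i in range(1, max_servers + 1):
        host = cp.get(section, f"server{i}_host", fallback="").strip()
        domain = cp.get(section, f"server{i}_domain", fallback="").strip()
        if host:
            servers.append((host, domain))
    return servers, cp.getboolean(section, "fallback", fallback=False)


def ldap_simple_bind(host, bind_dn, password):
    """Real bind with python-ldap. True/False is an authoritative answer from
    the server; ServerUnreachable means 'try the next one'."""
    if ldap is None:
        raise ServerUnreachable("python-ldap is not installed")
    conn = ldap.initialize(host)
    conn.set_option(ldap.OPT_REFERRALS, 0)        # AD hands out referrals; do not chase them
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)  # a dead DC must not hang every login
    try:
        conn.simple_bind_s(bind_dn, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False
    except ldap.LDAPError as exc:                 # SERVER_DOWN, TIMEOUT, ...
        raise ServerUnreachable(str(exc)) from exc
    finally:
        try:
            conn.unbind_s()
        except ldap.LDAPError:
            pass


def make_fake_binder(directory, down_hosts=()):
    """Constructed stand-in for ldap_simple_bind to exercise the logic offline:
    directory maps host -> {bind_dn: password}; hosts in down_hosts behave
    like an unreachable DC."""
    def bind(host, bind_dn, password):
        if host in down_hosts:
            raise ServerUnreachable(host)
        return directory.get(host, {}).get(bind_dn) == password
    return bind


def check_password(username, password, servers, fallback, sql_check,
                   bind_func=ldap_simple_bind):
    """Try each configured server; the first one that answers decides.

    Two points the post does not spell out:
    * an empty password is refused before any bind, because an LDAP simple
      bind with an empty password is an anonymous bind and 'succeeds' for
      any username;
    * a rejected bind is final. Retrying the same wrong password on the
      other DCs only adds to the AD bad-password count, and falling back to
      the SQL password after AD said no would let a disabled or locked AD
      account keep logging in with its old SQL password.
    """
    if not password:
        return False
    for host, domain in servers:
        bind_dn = f"{domain}\\{username}" if domain else username  # DOMAIN\\user form AD accepts
        try:
            return bind_func(host, bind_dn, password)
        except ServerUnreachable:
            continue
    # Every configured server was unreachable: use the SQL password only if allowed.
    return bool(fallback and sql_check(username, password))
```

Two things to keep in mind when wiring this into a real deployment: a simple bind sends the password in clear text, so the server URLs should be ldaps:// (or the connection upgraded with StartTLS) rather than the plain ldap:// shown in the config example; and because the example stops at the first server that answers, the order of server1..3 in keystone.conf is the order in which DCs are tried.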


7 thoughts on “OpenStack Active Directory / LDAP authentication”

  1. Thanks for the patch. I am still having problems integrating keystone with Active Directory. With this patch, I can at least get everyone authenticating against AD while I am working on getting the integration to work. By the way, were you able to integrate keystone with Active Directory?

    • Can you give more details about what you mean by “integrate”? Do you mean getting AD to take care of tenants too? There are a few documents out there for that; you will have to create more branches in your AD to store the tenant info.

      • I also tried a few other posts from different people on how they integrate Keystone with AD, but none of them are complete. I have already created a few OUs (Projects, Roles, and organizationalRole). From the log, I can see login is OK but broken somewhere. Since I already have openstack up and running (with packstack), a few system accounts (admin, glance, nova ...) already exist. My understanding is I will need those accounts created in AD (but none of the docs from the internet mention this), but I can’t create those “generic” accounts in our AD (i.e. I need to change the account names a bit, e.g. opstk_admin). That means I will need to update different configuration (and even mysql). I am wondering if you have something working that I can reference; that would be awesome.

