Read Only LDAP in Keystone

Organizational data is held in publicly accessible directories accessed via the Lightweight Directory Access Protocol (LDAP). In general, end applications have the ability to query via LDAP, but not to update it. Up until Grizzly, the OpenStack Identity management service, Keystone, has required write access to the backing store if you wanted to be able to manage authorization from within OpenStack. This mismatch has been addressed in Havana.

Getting to the point where we could separate LDAP data from the rest of the data that Keystone managed required a few new abstractions. The most important one happened in the Grizzly release: the ability to group users. Once we had groups, we had a natural place to split between what Keystone should manage directly and what Keystone should only consume.

In Havana, several of the entities previously managed via the Identity backend have been split off into a new backend called Assignments.  The Assignments driver now manages:

  • Projects (also previously referred to as Tenants)
  • Roles
  • Role Assignments
  • Domains

The Identity driver still manages:

  • Users
  • Groups
  • Group Assignments

The default driver for both Identity and Assignments is SQL. If you were using SQL in the past to manage Identity, you will see no difference.

Now, we didn’t want to go and break all of the existing LDAP deployments out there, so there is a little bit of configuration magic involved. If the Identity driver is set to LDAP and no Assignments driver is specified, Keystone assumes that the system was previously all in LDAP, and will use the LDAP driver for Assignments.

If you want to have Identity served out of LDAP but Assignments served out of SQL, you must have the following keystone.conf options set:

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

The existing LDAP configuration documentation is still valid when identity is in LDAP and assignments are in SQL. The LDAP config values for entities in the assignment backend, such as projects and roles, will be ignored.
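The driver fallback described above is easy to get wrong: leave [assignment] unset on a Havana node whose identity is in LDAP and Keystone will quietly try to manage projects, roles and assignments in the directory, which means it needs write access there. The following small audit script is an added example, not part of the post or of Keystone itself; it applies the resolution rule from the post to a keystone.conf file and reports whether the directory can stay read-only. It assumes the LDAP assignment driver path by analogy with the two driver paths quoted in the post, and assumes the [ldap] option names tenant_tree_dn and role_tree_dn from the Havana-era sample configuration; the three configs it checks are constructed here.

```python
import configparser

# Driver class paths: the identity LDAP and assignment SQL paths are quoted in
# the post; the other two are assumed by analogy and are not quoted there.
LDAP_IDENTITY = "keystone.identity.backends.ldap.Identity"
SQL_IDENTITY = "keystone.identity.backends.sql.Identity"
LDAP_ASSIGNMENT = "keystone.assignment.backends.ldap.Assignment"
SQL_ASSIGNMENT = "keystone.assignment.backends.sql.Assignment"

# [ldap] options that only matter when assignments live in LDAP.
# Names assumed from the Havana-era sample keystone.conf.
ASSIGNMENT_ONLY_LDAP_KEYS = ("tenant_tree_dn", "role_tree_dn")


def _parse(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def effective_drivers(conf_text):
    """Resolve the drivers Havana would actually use.

    Rule from the post: both default to SQL, but if identity is LDAP and no
    [assignment] driver is given, assignments silently fall back to LDAP.
    """
    cp = _parse(conf_text)
    identity = cp.get("identity", "driver", fallback=SQL_IDENTITY)
    assignment = cp.get("assignment", "driver", fallback=None)
    if assignment is None:
        assignment = LDAP_ASSIGNMENT if identity == LDAP_IDENTITY else SQL_ASSIGNMENT
    return identity, assignment


def audit(conf_text):
    """Report the effective drivers, whether LDAP must be writable, and any
    [ldap] options that the SQL assignment backend will ignore."""
    cp = _parse(conf_text)
    identity, assignment = effective_drivers(conf_text)
    findings = []
    if assignment == LDAP_ASSIGNMENT:
        findings.append(
            "assignments are served from LDAP: Keystone needs write access "
            "to the directory to manage projects, roles and role assignments"
        )
    if assignment == SQL_ASSIGNMENT and cp.has_section("ldap"):
        for key in ASSIGNMENT_ONLY_LDAP_KEYS:
            if cp.has_option("ldap", key):
                findings.append(f"[ldap] {key} is ignored because assignments are in SQL")
    return {
        "identity": identity,
        "assignment": assignment,
        "ldap_write_required": assignment == LDAP_ASSIGNMENT,
        "findings": findings,
    }


# Constructed sample configs (not from any real deployment).
LEGACY_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity
"""

SPLIT_CONF = """
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldap://ldap.example.test
tenant_tree_dn = ou=projects,dc=example,dc=test
"""

DEFAULT_CONF = """
[identity]
"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONF), ("split", SPLIT_CONF), ("default", DEFAULT_CONF)):
        report = audit(text)
        print(name, report["assignment"], "write required:", report["ldap_write_required"])
        for f in report["findings"]:
            print("  -", f)
```

The "legacy" configuration is the one a Grizzly-era LDAP deployment carries forward unchanged; the script shows that it resolves to LDAP assignments and so still needs a writable directory, while the "split" configuration is the read-only arrangement the post describes.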

In Havana, Keystone only supports a single LDAP server. There is an effort underway to support multiple, but that will have to wait until Icehouse.

One thought on “Read Only LDAP in Keystone”

  1. If Keystone supports multiple LDAP servers, could you please explain how they work? Does each LDAP server work separately for a different domain or group or others?

    Thank you.
