I got Keystone in my Bifrost install to talk via LDAP to our FreeIPA server. Here's what I had to do.
I started with a new install of Bifrost, using Keystone and TLS.
    ./bifrost-cli install --enable-keystone --enable-tls --network-interface enP4p4s0f0np0 --dhcp-pool 192.168.116.25-192.168.116.75
After making sure that Keystone worked for the normal operations:
    source /opt/stack/bifrost/bin/activate
    export OS_CLOUD=bifrost-admin
    openstack user list -f yaml
    - ID: 1751a5bb8b4a4f0188069f8cb4f8e333
      Name: admin
    - ID: 5942330b4f2c4822a9f2cdf45ad755ed
      Name: ironic
    - ID: 43e30ad5bf0349b7b351ca2e86fd1628
      Name: ironic_inspector
    - ID: 0c490e9d44204cc18ec1e507f2a07f83
      Name: bifrost_user
I had to install python3-ldap and python3-ldappool.
    sudo apt install python3-ldap python3-ldappool
Now create a domain for the LDAP data.
    openstack domain create freeipa
    ...
    openstack domain show freeipa -f yaml
    description: ''
    enabled: true
    id: 422608e5c8d8428cb022792b459d30bf
    name: freeipa
    options: {}
    tags: []
Edit /etc/keystone/keystone.conf to enable domain-specific backends and back them with file-based config. When you are done, your identity section should look like this.
    [identity]
    domain_specific_drivers_enabled=true
    domain_config_dir=/etc/keystone/domains
    driver = sql
Create the corresponding directory for the new configuration files.
    sudo mkdir /etc/keystone/domains/
Add a configuration file for your LDAP server. Since I called my domain freeipa, I have to name the config file /etc/keystone/domains/keystone.freeipa.conf
    [identity]
    driver = ldap

    [ldap]
    url = ldap://den-admin-01
    user_tree_dn = cn=users,cn=accounts,dc=younglogic,dc=com
    user_objectclass = person
    user_id_attribute = uid
    user_name_attribute = uid
    user_mail_attribute = mail
    user_allow_create = false
    user_allow_update = false
    user_allow_delete = false
    group_tree_dn = cn=groups,cn=accounts,dc=younglogic,dc=com
    group_objectclass = groupOfNames
    group_id_attribute = cn
    group_name_attribute = cn
    group_member_attribute = member
    group_desc_attribute = description
    group_allow_create = false
    group_allow_update = false
    group_allow_delete = false
    user_enabled_attribute = nsAccountLock
    user_enabled_default = False
    user_enabled_invert = true
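A small sanity check for a domain config file like the one above, added here as an example and not part of the original post or of Keystone itself. It assumes Keystone's [ldap] use_tls option (STARTTLS on a plain ldap:// URL) and flags the two things worth verifying before restarting: that the directory is reachable only over an encrypted channel, and that the read-only and nsAccountLock settings are consistent. The sample config is constructed from the post's file.

```python
"""Lint a Keystone domain-specific LDAP backend config (INI format)."""
import configparser

# Constructed sample, modelled on the keystone.freeipa.conf in the post.
SAMPLE_CONF = """\
[identity]
driver = ldap
[ldap]
url = ldap://den-admin-01
user_tree_dn = cn=users,cn=accounts,dc=younglogic,dc=com
user_allow_create = false
user_allow_update = false
user_allow_delete = false
group_allow_create = false
group_allow_update = false
group_allow_delete = false
user_enabled_attribute = nsAccountLock
user_enabled_default = False
user_enabled_invert = true
"""

# Flags that should all be false for a read-only (FreeIPA-managed) backend.
WRITE_FLAGS = ("user_allow_create", "user_allow_update", "user_allow_delete",
               "group_allow_create", "group_allow_update", "group_allow_delete")


def check_domain_conf(text):
    """Return a list of findings; an empty list means nothing to fix."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    if cp.get("identity", "driver", fallback="") != "ldap":
        findings.append("identity.driver is not ldap")
    ldap = cp["ldap"] if cp.has_section("ldap") else {}
    url = ldap.get("url", "")
    use_tls = str(ldap.get("use_tls", "false")).lower() == "true"
    # ldaps:// is encrypted; ldap:// is plaintext unless use_tls turns on STARTTLS.
    if url.startswith("ldap://") and not use_tls:
        findings.append("plaintext url: bind credentials cross the wire unencrypted")
    for flag in WRITE_FLAGS:
        if str(ldap.get(flag, "true")).lower() != "false":
            findings.append(f"{flag} not false: Keystone could write to the directory")
    # nsAccountLock is a lock flag (true = disabled), so it must be inverted.
    if (ldap.get("user_enabled_attribute") == "nsAccountLock"
            and str(ldap.get("user_enabled_invert", "false")).lower() != "true"):
        findings.append("nsAccountLock used without user_enabled_invert = true")
    return findings
```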
To pick up the changes, restart the Keystone uwsgi service:
    sudo systemctl restart uwsgi@keystone-public
And test that it worked:
    openstack user list -f yaml --domain freeipa
    - ID: b3054e3942f06016f8b9669b068e81fd2950b08c46ccb48032c6c67053e03767
      Name: renee
    - ID: d30e7bc818d2f633439d982783a2d145e324e3187c0e67f71d80fbab065d096a
      Name: ann
This same approach works if you need to add more than one LDAP server to your Keystone deployment: one domain and one keystone.<domain>.conf file per server.