If you would like to use LDAP to authenticate against Keystone so that you can keep using your existing user directory, you'll need to provide our team with a few pieces of information before we can implement it.
Inside OpenStack, the Keystone service has a built-in backend in which you can maintain users, groups and roles. By default that backend stores all of this data in a simple database, and this is the default for all deployments. It is possible to set up a domain within Keystone that authenticates against your LDAP server; however, that requires a few configuration items from your team before it can be implemented successfully.
- Server hostname(s): the hostnames of your LDAP servers. You may provide multiple servers for redundancy.
- Username & Password: credentials for an account that can log in to the LDAP server to perform lookups (example: dc=Manager,dc=example,dc=org and its password).
- Suffix: the distinguished name appended to the end of all lookups to limit their scope (example: dc=example,dc=org).
- User & group tree distinguished names: the identifiers under which the user and group trees live (example: ou=Users,dc=example,dc=org and ou=Groups,dc=example,dc=org).
- User & group object classes: the object classes used for user and group entries (example: inetOrgPerson and groupOfNames).
Once our team has that information, we will be able to implement LDAP authentication for a domain inside the Identity service. You'll then be able to manage role assignments for all of those users and groups directly in Keystone, via the API and the dashboard.
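For reference, this is how the items listed above map onto a Keystone domain-specific configuration file. It is an added, illustrative example and not this provider's configuration: the domain name `corp-ldap`, the server hostnames, the CA certificate path and the attribute names (`uid`, `mail`, `member`, and so on) are assumed, while the bind DN, suffix, tree DNs and object classes are the example values from the list above. Keystone reads a file named `keystone.<domain>.conf` from the directory given by `domain_config_dir` when `domain_specific_drivers_enabled = true` is set in the `[identity]` section of `keystone.conf`.

```ini
; /etc/keystone/domains/keystone.corp-ldap.conf  (domain name assumed)
; Added example, not the provider's own config. Hostnames, CA path and
; attribute names are assumptions; DNs and object classes come from the
; article's examples.

[identity]
driver = ldap

[ldap]
; Two servers for redundancy, tried in order. ldaps:// keeps the bind
; password and the users' passwords off the wire; plain ldap:// would not.
url = ldaps://ldap1.example.org,ldaps://ldap2.example.org
; Lookup account from the article. Keystone stores this password in clear
; text here, so restrict the file to the keystone user (mode 0600).
user = dc=Manager,dc=example,dc=org
password = CHANGE_ME
; Suffix that bounds every search
suffix = dc=example,dc=org
query_scope = sub
; Verify the directory's certificate against a known CA (path assumed)
tls_cacertfile = /etc/keystone/ldap-ca.pem
tls_req_cert = demand

; User tree and object class from the article; attributes assumed
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute = userPassword

; Group tree and object class from the article; attributes assumed
group_tree_dn = ou=Groups,dc=example,dc=org
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description

; Keystone only reads the directory. Users and groups stay owned by LDAP;
; role assignments live in Keystone's own database, as the article says.
user_allow_create = false
user_allow_update = false
user_allow_delete = false
group_allow_create = false
group_allow_update = false
group_allow_delete = false
```

Two practical points follow from this layout: the lookup account only ever needs read access to the user and group trees, so it should not be an administrative directory account, and the `url` list plus `tls_cacertfile`/`tls_req_cert` are what make the redundancy and transport security effective, so the hostnames you supply should be present in the certificate the directory servers present.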