keystone ldap #6


Keystone v3 deployments support the use of domain specific identity drivers, allowing different types of authentication backend to be deployed in a single Keystone deployment. . This charm supports use of LDAP or Active Directory domain backends, with configuration details provided by charm configuration options.


This subordinate charm provides a LDAP domain backend for integrating a
Keystone v3 deployment with an external LDAP based authentication system.


Use this charm with the Keystone charm, running with preferred-api-version=3:

juju deploy keystone
juju config keystone preferred-api-version=3
juju deploy keystone-ldap
juju add-relation keystone-ldap keystone

Configuration Options

LDAP configuration is provided to this charm via configuration options:

juju config keystone-ldap ldap-server="ldap://" \
            ldap-user="cn=admin,dc=test,dc=com" \
            ldap-password="password" \

By default, the name of the application ('keystone-ldap') is the name of
the domain for which a domain specific configuration will be configured;
you can change this using the domain-name option:

juju config keystone-ldap domain-name="myorganisationname"

The keystone charm will automatically create a domain to support the backend
once deployed.

LDAP configurations can be quite complex. The ldap-config-flags configuration
option provides the mechanism to pass arbitrary configuration options to
keystone in order to handle any given LDAP backend's specific requirements.

For very simple LDAP configurations a string of comma delimited key=value pairs
can be used:

juju config keystone-ldap \

For more complex configurations such as working with Active Directory use
a configuration yaml file.

juju config keystone-ldap --file flags-config.yaml

Where flags-config.yaml has the contents similar to the following. The
ldap-config-flags value uses a json like string for the key value pairs:

ldap-config-flags: "{
user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com',
user_filter: '(memberOf=CN=users-cn,OU=Groups,DC=dc1,DC=ad,DC=example,DC=com)',
query_scope: sub,
user_objectclass: person,
user_name_attribute: sAMAccountName,
user_id_attribute: sAMAccountName,
user_mail_attribute: mail,
user_enabled_attribute: userAccountControl,
user_enabled_mask: 2,
user_enabled_default: 512,
user_attribute_ignore: 'password,tenant_id,tenants',
user_allow_create: False,
user_allow_update: False,
user_allow_delete: False,

Note: The double quotes and braces around the whole string. And single quotes
around the individual complex values.


Please report bugs on Launchpad.

For general questions please refer to the OpenStack Charm Guide.


(boolean) Enable verbose logging
(string) Username (Distinguished Name) used to bind to LDAP identity server. . Example: cn=admin,dc=test,dc=com
(string) LDAP server URL for keystone identity backend. . Example: ldap://
(string) Password of the LDAP identity server.
(string) Name of the keystone domain to configure; defaults to the deployed application name.
(string) LDAP server suffix to be used by keystone.
(string) Additional LDAP configuration options. For simple configurations use a comma separated string of key=value pairs. "user_allow_create=False, user_allow_update=False, user_allow_delete=False" For more complex configurations use a json like string with double quotes and braces around all the options and single quotes around complex values. "{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', user_allow_create: False, user_allow_delete: False}" See the README for more details.
(boolean) Openstack mostly defaults to using public endpoints for internal communication between services. If set to True this option will configure services to use internal endpoints where possible.
(boolean) Enable debug logging
(boolean) LDAP identity server backend readonly to keystone.
(boolean) Setting this to True will allow supporting services to log to syslog.