keystone ldap #39

Description

Keystone v3 deployments support the use of domain-specific identity drivers, allowing different types of authentication backend to be deployed in a single Keystone deployment. This charm supports the use of LDAP or Active Directory domain backends, with configuration details provided by charm configuration options.


Overview

This subordinate charm provides a LDAP domain backend for integrating a
Keystone v3 deployment with an external LDAP based authentication system.

Usage

Use this charm with the Keystone charm, running with preferred-api-version=3:

juju deploy keystone
juju config keystone preferred-api-version=3
juju deploy keystone-ldap
juju add-relation keystone-ldap keystone

Configuration Options

LDAP configuration is provided to this charm via configuration options:

juju config keystone-ldap ldap-server="ldap://10.10.10.10/" \
            ldap-user="cn=admin,dc=test,dc=com" \
            ldap-password="password" \
            ldap-suffix="dc=test,dc=com"

By default, the name of the application ('keystone-ldap') is the name of
the domain for which a domain specific configuration will be configured;
you can change this using the domain-name option:

juju config keystone-ldap domain-name="myorganisationname"

The keystone charm will automatically create a domain to support the backend
once deployed.

LDAP configurations can be quite complex. The ldap-config-flags configuration
option provides the mechanism to pass arbitrary configuration options to
keystone in order to handle any given LDAP backend's specific requirements.

For very simple LDAP configurations a string of comma-delimited key=value pairs
can be used:

juju config keystone-ldap \
    ldap-config-flags="user_id_attribute=cn,user_name_attribute=cn"

For more complex configurations, such as working with Active Directory, use
a configuration YAML file:

juju config keystone-ldap --file flags-config.yaml

Where flags-config.yaml has contents similar to the following. The
ldap-config-flags value uses a JSON-like string for the key/value pairs:

keystone-ldap:
    ldap-config-flags: "{
        user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com',
        user_filter: '(memberOf=CN=users-cn,OU=Groups,DC=dc1,DC=ad,DC=example,DC=com)',
        query_scope: sub,
        user_objectclass: person,
        user_name_attribute: sAMAccountName,
        user_id_attribute: sAMAccountName,
        user_mail_attribute: mail,
        user_enabled_attribute: userAccountControl,
        user_enabled_mask: 2,
        user_enabled_default: 512,
        user_attribute_ignore: 'password,tenant_id,tenants',
        user_allow_create: False,
        user_allow_update: False,
        user_allow_delete: False,
    }"

Note the double quotes and braces around the whole string, and the single quotes
around the individual complex values (those containing commas, such as DNs and
filters).
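To make the two ldap-config-flags formats concrete, the following added example (not code from the charm or from Keystone) parses both the comma-delimited key=value form and the brace-wrapped JSON-like form, preserving commas inside single-quoted values such as the user_tree_dn above. It then applies the Active Directory userAccountControl convention the sample configures (user_enabled_mask: 2, user_enabled_default: 512) to a few constructed attribute values, so you can see which accounts Keystone would treat as enabled. The function names and the sample values are this example's own.

```python
"""Illustrative parser for the ldap-config-flags formats described in the README.

Added example, not the charm's own code. It mirrors the documented syntax:
  - simple form:  "user_id_attribute=cn,user_name_attribute=cn"
  - complex form: "{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', ...}"
and then shows how user_enabled_mask / user_enabled_default decide whether an
Active Directory account is enabled.
"""

# Constructed sample: the README's Active Directory flags as the YAML string.
SAMPLE_AD_FLAGS = """{
    user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com',
    user_filter: '(memberOf=CN=users-cn,OU=Groups,DC=dc1,DC=ad,DC=example,DC=com)',
    query_scope: sub,
    user_objectclass: person,
    user_name_attribute: sAMAccountName,
    user_id_attribute: sAMAccountName,
    user_mail_attribute: mail,
    user_enabled_attribute: userAccountControl,
    user_enabled_mask: 2,
    user_enabled_default: 512,
    user_attribute_ignore: 'password,tenant_id,tenants',
    user_allow_create: False,
    user_allow_update: False,
    user_allow_delete: False,
}"""


def _split_top_level(text, sep=","):
    """Split `text` on `sep`, ignoring separators inside single quotes."""
    items, current, in_quote = [], [], False
    for ch in text:
        if ch == "'":
            in_quote = not in_quote
        if ch == sep and not in_quote:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
    items.append("".join(current))
    return [item.strip() for item in items if item.strip()]


def parse_config_flags(raw):
    """Return {flag_name: string_value} from either documented format.

    A brace-wrapped string uses ':' between key and value; the simple
    comma-delimited string uses '='. Surrounding single quotes are removed
    from values; the commas they protected are kept.
    """
    text = raw.strip()
    if text.startswith("{") and text.endswith("}"):
        text, sep = text[1:-1], ":"
    else:
        sep = "="
    flags = {}
    for item in _split_top_level(text):
        if sep not in item:
            raise ValueError("malformed ldap-config-flags entry: %r" % item)
        key, value = item.split(sep, 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        flags[key.strip()] = value
    return flags


def user_is_enabled(user_account_control, flags):
    """Apply the mask convention: the account is enabled when the bits in
    user_enabled_mask (2 = ACCOUNTDISABLE in AD) are NOT all set.
    With no mask configured, the attribute is read as a plain boolean."""
    mask = int(flags.get("user_enabled_mask", "0"))
    if mask == 0:
        return str(user_account_control).strip().lower() in ("true", "1", "yes")
    return (int(user_account_control) & mask) != mask


def enabled_value_for_new_user(enabled, flags):
    """Attribute value a write would produce under the same convention:
    user_enabled_default (512 = NORMAL_ACCOUNT) for an enabled account, or the
    default with the mask bits set for a disabled one. The README sample sets
    user_allow_create: False, so this path is illustrative only."""
    default = int(flags.get("user_enabled_default", "0"))
    mask = int(flags.get("user_enabled_mask", "0"))
    return default if enabled else default | mask


if __name__ == "__main__":
    flags = parse_config_flags(SAMPLE_AD_FLAGS)
    for key in sorted(flags):
        print("%-24s %s" % (key, flags[key]))
    # 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD; 66050 adds ACCOUNTDISABLE.
    for uac in (512, 514, 66048, 66050):
        print("userAccountControl=%-6d enabled=%s" % (uac, user_is_enabled(uac, flags)))
```

Running the module prints the fourteen parsed flags and shows that 512 and 66048 are enabled while 514 and 66050 (ACCOUNTDISABLE bit set) are not; the same parser accepts the simple form from the earlier command, including the spaced variant shown in the ldap-config-flags option description.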

Bugs

Please report bugs on Launchpad.

For general questions please refer to the OpenStack Charm Guide.

Configuration

verbose
(boolean) Enable verbose logging
ldap-user
(string) Username (Distinguished Name) used to bind to the LDAP identity server. Example: cn=admin,dc=test,dc=com
ldap-server
(string) LDAP server URL for the keystone LDAP identity backend. Examples: ldap://10.10.10.10/ ; ldaps://10.10.10.10/ ; ldap://example.com:389,ldaps://ldaps.example.com:636 (a comma-separated list of servers). Using ldap:// URLs with the tls-ca-ldap option specified, or with a certificates relation present, results in mandatory StartTLS usage.
ldap-password
(string) Password of the LDAP identity server.
domain-name
(string) Name of the keystone domain to configure; defaults to the deployed application name.
ldap-suffix
(string) LDAP server suffix to be used by keystone.
ldap-config-flags
(string) Additional LDAP configuration options. For simple configurations use a comma-separated string of key=value pairs, e.g. "user_allow_create=False, user_allow_update=False, user_allow_delete=False". For more complex configurations use a JSON-like string with double quotes and braces around all the options and single quotes around complex values, e.g. "{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', user_allow_create: False, user_allow_delete: False}". See the README for more details.
use-internal-endpoints
(boolean) OpenStack mostly defaults to using public endpoints for internal communication between services. If set to True, this option will configure services to use internal endpoints where possible.
debug
(boolean) Enable debug logging
ldap-readonly
(boolean) LDAP identity server backend is read-only to keystone. Default: True
tls-ca-ldap
(string) This option controls which certificate (or chain) will be used to connect to the LDAP server(s) over TLS. Certificate contents should either be used directly or included via include-file://. The LDAP URL should also be considered: ldaps and StartTLS are both valid methods of using TLS (see RFC 4513), with StartTLS using a non-ldaps URL which, of course, still requires a CA certificate.
use-syslog
(boolean) Setting this to True will allow supporting services to log to syslog.