Integrating OpenStack Keystone with AD/LDAP

To integrate Keystone with AD/LDAP, it is not enough to enable the LDAP-related settings in keystone.conf; the Keystone-related project, role and user information also has to be initialised in AD/LDAP.

Configuration on the AD side

Create the related OUs

Create OU=Openstack, and under Openstack create the following OUs

Create the related CNs under OU=Openstack

OU=Users

The system users of the openstack services need to be created.

  • Query the openstack-related users

[root@control01 ~]# openstack user list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 003744cda86a4458b15881248943bdbf | glance    |
| 1b0ae84d259a4dc4b10d441964e99384 | neutron   |
| 2b88338508204edd9de064394325c133 | admin     |
| 34aa85ab65ca4f2bb5675bff6f5e6e6b | nova      |
| a364b825a8424e7895bc6dec2bd17e31 | placement |
| c94ac5456a114e01ac9ee5aa490b8cb5 | cinder    |
+----------------------------------+-----------+
  • Create the corresponding users in AD according to the user IDs

    The user's name must be the corresponding user ID, the password must also be identical to the existing one, and "Password never expires" must be ticked.

  • Create ordinary openstack users, which will be granted the member role

OU=Projects > OU=admin

Grant the admin role:

organizationalRole: admin
More attributes - roleOccupant: fill in the DN of the admin user

groupOfNames: adminUsers
member: fill in the DN of the admin user

OU=Projects > OU=Tenants

Grant the member role:

organizationalRole: Member
More attributes - roleOccupant: fill in the DN of the openstack user

groupOfNames: openstackUsers
member: fill in the DN of the openstack user

OU=Projects > OU=service

organizationalRole: admin
groupOfNames: servicesUsers

OU=Openstack > OU=Roles

organizationalRole: admin
More attributes - roleOccupant: fill in the DN of the admin user

organizationalRole: Member

Integrating the related OpenStack services

Add the DNs of the glance, nova, neutron, cinder and placement service users:

  • to the roleOccupant attribute of CN=admin under OU=OpenStack,OU=Roles
  • to the roleOccupant attribute of CN=admin under OU=OpenStack,OU=Projects,OU=services
  • to the member attribute of CN=servicesUsers under OU=OpenStack,OU=Projects,OU=services
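As an added example (not code from the original post), the following Python script parses the `openstack user list` output shown above and emits an LDIF for the OU, organizationalRole and groupOfNames entries described in this section, with the service-user DNs added to the roleOccupant and member attributes as listed. The AD suffix DC=example,DC=com, the OU name `service`, and the placeholder member CN=Openstack,DC=example,DC=com (used where a groupOfNames would otherwise have no member, the situation keystone's dumb_member setting exists for) are assumptions, not values from the page.

```python
import re

# Constructed sample input: the `openstack user list` table shown above.
USER_LIST = """\
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 003744cda86a4458b15881248943bdbf | glance    |
| 1b0ae84d259a4dc4b10d441964e99384 | neutron   |
| 2b88338508204edd9de064394325c133 | admin     |
| 34aa85ab65ca4f2bb5675bff6f5e6e6b | nova      |
| a364b825a8424e7895bc6dec2bd17e31 | placement |
| c94ac5456a114e01ac9ee5aa490b8cb5 | cinder    |
+----------------------------------+-----------+
"""

SERVICES = ("glance", "nova", "neutron", "cinder", "placement")
ROW = re.compile(r"^\|\s*([0-9a-f]{32})\s*\|\s*(\S+)\s*\|$")


def parse_user_list(text):
    """Map user name -> Keystone user ID; header and border rows never match ROW."""
    return {m.group(2): m.group(1)
            for m in (ROW.match(line.strip()) for line in text.splitlines()) if m}


def user_dn(user_id, base):
    # Page rule: the AD account is named after the Keystone user ID, so CN=<id>.
    return "CN=%s,OU=Users,OU=Openstack,%s" % (user_id, base)


def build_ldif(users, base, dumb_member):
    """LDIF for the OU / organizationalRole / groupOfNames tree described above."""
    root = "OU=Openstack,%s" % base
    admin_dn = user_dn(users["admin"], base)
    svc_dns = [user_dn(users[s], base) for s in SERVICES if s in users]
    entries = []

    def entry(dn, *attrs):
        entries.append("\n".join(["dn: %s" % dn] + ["%s: %s" % a for a in attrs]))

    def ou(name, parent):
        entry("OU=%s,%s" % (name, parent), ("objectClass", "organizationalUnit"),
              ("ou", name))

    def role(cn, parent, occupants):
        entry("CN=%s,%s" % (cn, parent), ("objectClass", "organizationalRole"),
              ("cn", cn), *[("roleOccupant", d) for d in occupants])

    def group(cn, parent, members):
        # groupOfNames must have at least one member; an otherwise empty group
        # gets the placeholder DN, which is what keystone's dumb_member is for.
        entry("CN=%s,%s" % (cn, parent), ("objectClass", "groupOfNames"),
              ("cn", cn), *[("member", d) for d in (members or [dumb_member])])

    ou("Openstack", base)
    for name in ("Users", "Projects", "Roles"):
        ou(name, root)
    projects = "OU=Projects,%s" % root
    for name in ("admin", "Tenants", "service"):
        ou(name, projects)
    # OU=Projects > OU=admin: the admin user holds the admin role
    role("admin", "OU=admin,%s" % projects, [admin_dn])
    group("adminUsers", "OU=admin,%s" % projects, [admin_dn])
    # OU=Projects > OU=Tenants: Member role for ordinary users (none in the sample)
    role("Member", "OU=Tenants,%s" % projects, [])
    group("openstackUsers", "OU=Tenants,%s" % projects, [])
    # OU=Projects > OU=service: service users are admin on the service project
    role("admin", "OU=service,%s" % projects, svc_dns)
    group("servicesUsers", "OU=service,%s" % projects, svc_dns)
    # OU=Roles: the admin role lists the admin user and every service user
    role("admin", "OU=Roles,%s" % root, [admin_dn] + svc_dns)
    role("Member", "OU=Roles,%s" % root, [])
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    base = "DC=example,DC=com"
    print(build_ldif(parse_user_list(USER_LIST), base, "CN=Openstack,%s" % base))
```

The output can be reviewed before it is loaded (for example with `ldapadd -f`), which makes it easy to confirm that each service DN appears exactly where the three bullets above say it should: twice as a roleOccupant (OU=Roles and the service project) and once as a member of servicesUsers.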

Configuration on Keystone

[identity]
driver = ldap

[ldap]
url = ldap://192.168.1.20
user = CN=xxx,OU=Users,OU=Openstack,OU=yyy,DC=zzz,DC=com
password = Yealink@1105
suffix = DC=zzz,DC=com
use_dumb_member = True
dumb_member = CN=Openstack,OU=yyy,DC=zzz,DC=com
allow_subtree_delete = False
query_scope = sub

debug_level = 4095

user_tree_dn = OU=yyy,DC=zzz,DC=com
user_objectclass = organizationalPerson
user_id_attribute = mail
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_description_attribute = cn
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_tree_dn = ou=Projects,OU=Openstack,OU=yyy,DC=zzz,DC=com
tenant_objectclass = organizationalUnit
tenant_id_attribute = ou
tenant_member_attribute = Member
tenant_name_attribute = ou
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_tree_dn = ou=Roles,OU=Openstack,OU=yyy,DC=zzz,DC=com
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = roleOccupant
role_allow_create = True
role_allow_update = True
role_allow_delete = True
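The [ldap] settings above are worth reviewing before going live. As an added example (not part of the original post), this Python snippet reads a constructed [ldap] section that uses the same keys as the configuration above, with a placeholder host, bind DN and password instead of the page's values, and flags the settings a security reviewer would question: a plain ldap:// URL without use_tls, the bind password stored in the file, libldap tracing left on through debug_level, and write access to directory users. It also shows how Keystone evaluates user_enabled_attribute when user_enabled_mask = 2 against userAccountControl values, including the DONT_EXPIRE_PASSWORD bit that "Password never expires" sets.

```python
import configparser

# Constructed keystone.conf fragment with the same keys as the page's [ldap]
# section; host, bind DN and password are placeholders, not the page's values.
KEYSTONE_CONF = """
[identity]
driver = ldap

[ldap]
url = ldap://ldap.example.com
user = CN=svc-keystone,OU=Users,OU=Openstack,DC=example,DC=com
password = REPLACE_ME
suffix = DC=example,DC=com
query_scope = sub
debug_level = 4095
user_tree_dn = DC=example,DC=com
user_objectclass = organizationalPerson
user_id_attribute = mail
user_name_attribute = sAMAccountName
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_allow_create = False
user_allow_update = False
user_allow_delete = False
"""

# userAccountControl bits used here (Microsoft's documented values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000


def audit_ldap_section(text):
    """Return [(setting, finding)] for the settings a reviewer would flag."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    ldap = cp["ldap"]
    findings = []
    if ldap.get("url", "").startswith("ldap://") and not ldap.getboolean("use_tls", fallback=False):
        findings.append(("url", "plain ldap:// without use_tls: the bind password and user "
                                "attributes cross the network unencrypted; use ldaps:// or use_tls = True"))
    if ldap.get("password"):
        findings.append(("password", "bind password kept in keystone.conf: keep the file "
                                     "readable only by the keystone user"))
    if ldap.getint("debug_level", fallback=0):
        findings.append(("debug_level", "libldap tracing enabled: verbose protocol output in "
                                        "the logs; set it to 0 once the integration works"))
    for op in ("create", "update", "delete"):
        if ldap.getboolean("user_allow_%s" % op, fallback=True):
            findings.append(("user_allow_%s" % op, "Keystone can modify directory users; "
                                                   "AD integrations are normally read-only"))
    return findings


def user_enabled(uac_value, mask=ACCOUNTDISABLE):
    """Keystone's reading of user_enabled_attribute when user_enabled_mask is set:
    the account is enabled unless all mask bits are set in the attribute value."""
    return (int(uac_value) & mask) != mask


if __name__ == "__main__":
    for setting, finding in audit_ldap_section(KEYSTONE_CONF):
        print("%-18s %s" % (setting, finding))
    for uac in (NORMAL_ACCOUNT, NORMAL_ACCOUNT | ACCOUNTDISABLE,
                NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD):
        print("userAccountControl=%d enabled=%s" % (uac, user_enabled(uac)))
```

With the values above, 512 (NORMAL_ACCOUNT) and 66048 (NORMAL_ACCOUNT with password never expiring) both read as enabled, while 514 and 66050 (the same accounts with ACCOUNTDISABLE set) read as disabled, so disabling an account in AD immediately disables it for Keystone without any change on the Keystone side.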

By default, the value of the attribute selected by user_id_attribute in the ldap configuration does not support Chinese; if it contains Chinese, the corresponding user gets the following error when creating resources.
DBError: (pymysql.err.InternalError) (1267, u"Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='") [SQL: u'SELECT users.id \nFROM users \nWHERE users.external_id = %(external_id_1)s'] [parameters: {u'external_id_1': u'\u6797\u6587\u80dc'}] (Background on this error at: http://sqlalche.me/e/2j85)
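The IMPLICIT collation in that message (latin1_swedish_ci) belongs to the users.external_id column, so any user_id_attribute value that cannot be represented in Latin-1 will fail the `=` comparison. As an added example (not from the original post), the Python snippet below runs that check over constructed directory entries and picks the first candidate attribute whose values are both Latin-1 safe and unique; the entries, the attribute candidates and the account names are assumptions, except for the Chinese name, which is the one shown in the error above.

```python
# Constructed directory entries (not from the page): one ASCII-only account and
# one whose name attributes carry the Chinese name that appears in the error above.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "glance", "mail": "glance@example.com", "cn": "glance"},
    {"sAMAccountName": "lwsheng", "mail": "林文胜@example.com", "cn": "林文胜"},
]


def latin1_safe(value):
    """True when the value fits the latin1 users.external_id column from the error."""
    try:
        value.encode("latin-1")
        return True
    except UnicodeEncodeError:
        return False


def unsafe_user_ids(entries, id_attribute):
    """Values of user_id_attribute that would trigger the collation error."""
    return [e[id_attribute] for e in entries
            if not latin1_safe(e.get(id_attribute, ""))]


def pick_id_attribute(entries, candidates=("mail", "sAMAccountName", "cn")):
    """First candidate whose values are present, Latin-1 safe and unique."""
    for attr in candidates:
        values = [e.get(attr, "") for e in entries]
        if all(values) and all(map(latin1_safe, values)) and len(set(values)) == len(values):
            return attr
    return None


if __name__ == "__main__":
    print("unsafe with mail:", unsafe_user_ids(SAMPLE_ENTRIES, "mail"))
    print("usable user_id_attribute:", pick_id_attribute(SAMPLE_ENTRIES))
```

Running the check against a real export of the user subtree before switching user_id_attribute avoids discovering the problem one user at a time through DBError, and the uniqueness test matters as much as the encoding test, since Keystone maps external_id to a local user ID one-to-one.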