Configuring Keystone identity backend with read-only LDAP

You can configure Keystone to use read-only LDAP as the user identity backend.

About this task

Note: IBM® Cloud Manager with OpenStack version 4.3 fix pack 3 introduces the ability to configure the Keystone identity backend with read-only LDAP. You must use fix pack 3 or later to configure read-only LDAP.
To configure the Keystone identity backend with read-only LDAP, change the following options in your environment file.

Procedure

  1. Update the following value in the environment file to enable identity backend with read-only LDAP.
    • ibm-openstack.identity.ldap.enable: Set to true.
  2. Update the following values in the environment file to configure your LDAP server:
    • ibm-openstack.identity.ldap.domain_name: Set to your_domain_name. A new Keystone domain with this name is created, and the LDAP users and groups appear in it.
    • ibm-openstack.identity.ldap.url: Set to your_ldap_server_url.
      Note: The controller node must be able to reach the LDAP server at this URL.
    • ibm-openstack.identity.ldap.suffix: Set to your_ldap_server_suffix.
    • ibm-openstack.identity.ldap.user_tree_dn: Set to your_ldap_server_user_tree_dn.
    • ibm-openstack.identity.ldap.user_filter: Set to your_ldap_server_user_filter.
      Note: You must enclose the filter using ( ). For example, ibm-openstack.identity.ldap.user_filter: (dept=dept_code).
    • ibm-openstack.identity.ldap.user_objectclass: Set to your_ldap_server_user_objectclass.
    • ibm-openstack.identity.ldap.user_id_attribute: Set to your_ldap_server_user_id_attribute.
    • ibm-openstack.identity.ldap.user_name_attribute: Set to your_ldap_server_user_name_attribute.
    • ibm-openstack.identity.ldap.group_tree_dn: Set to your_ldap_server_group_tree_dn.
    • ibm-openstack.identity.ldap.group_filter: Set to your_ldap_server_group_filter.
      Note: You must enclose the filter using ( ). For example, ibm-openstack.identity.ldap.group_filter: (cn=doesntmatch).
    • ibm-openstack.identity.ldap.admin_user: Optional. Set to the DN of the account that Keystone binds with to search the directory (your_ldap_server_admin_user), or leave it nil, in which case Keystone searches without binding as a named user. Use a dedicated account with search permission only; the backend is read-only and never writes to LDAP, so it needs nothing more.
    • ibm-openstack.identity.ldap.admin_pass: Optional. Set to the password of admin_user, or leave it nil. The password is stored in clear text in the environment file, so restrict who can read that file.
    • ibm-openstack.identity.ldap.project: Optional. Set to the name of the project (project_name) to associate with this LDAP server, or leave it nil.
    • ibm-openstack.identity.ldap.user_enabled_attribute: Set to the attribute that holds your LDAP user enabled flag. The attribute name depends on the LDAP user schema.
    • ibm-openstack.identity.ldap.use_tls: Set to true to protect the LDAP connection with TLS (StartTLS on an ldap:// URL). If the LDAP server is not configured for SSL/TLS, set it to false.
      Note: Without TLS, the bind password and the password of every user that Keystone authenticates against LDAP cross the network in clear text.
    Note: For additional, less frequently used LDAP user configuration options, see the OpenStack configuration manual.
    Most of the general and user-related LDAP options have a 'user_' prefix and must be set to match the attributes of your directory, using the form
    ibm-openstack.identity.ldap.<option_name>: <option_value>
  3. When complete, return to the relevant topology deployment or update process and complete the remaining steps.
  4. If you are using the IBM Cloud Manager - Self Service user interface (UI), update the following values.
    Every user in the LDAP domain requires an extra role to access the IBM Cloud Manager - Self Service UI. Because the backend is read-only, Keystone never writes these assignments to LDAP; role assignments are kept in Keystone's own database, which is why they can be granted to LDAP users with the OpenStack command line.
    1. Add the "user" role to every user in the new domain, on both the new domain and the "Default" domain.
      openstack --os-username=admin --os-password=openstack1 --os-identity-api-version=3 --os-auth-url=http://<your_controller_ip>:5000/v3 --os-user-domain-name=Default --os-project-name=admin role add user --user <your_user_UUID> --domain <ldap_domain_UUID>
      openstack --os-username=admin --os-password=openstack1 --os-identity-api-version=3 --os-auth-url=http://<your_controller_ip>:5000/v3 --os-user-domain-name=Default --os-project-name=admin role add user --user <your_user_UUID> --domain default
    2. Add the "user" role to every user in the new domain on the "Public" project of the "Default" domain.
      openstack --os-username=admin --os-password=openstack1 --os-identity-api-version=3 --os-auth-url=http://<your_controller_ip>:5000/v3 --os-user-domain-name=Default --os-project-name=admin role add user --user <your_user_UUID> --project Public
    Note: These examples pass the admin password on the command line, where it is visible in the process list and in the shell history. On a production controller, supply it through the OS_PASSWORD environment variable (for example from a sourced openrc file) instead.
  5. If you want an LDAP user to act as an administrator in IBM Cloud Manager - Dashboard, use the OpenStack command line to grant that user roles on each project or domain. At least one project role is required.
    See the following example:
    openstack --os-username=admin --os-password=openstack1 --os-identity-api-version=3 --os-auth-url=http://<your_controller_ip>:5000/v3 --os-user-domain-name=Default --os-project-name=admin role add admin --user <your_user_UUID> --project <your_project_UUID>
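The following pre-flight check is an added example for steps 1 and 2; it is not part of IBM Cloud Manager with OpenStack or of its documentation. It validates the rules the procedure states (filters wrapped in parentheses, use_tls only meaningful on a plain ldap:// URL) and then runs, with the OpenLDAP ldapsearch tool on the controller node, the same kind of user search Keystone will perform with your values, so a wrong tree DN, object class or bind account shows up before you deploy. The server name, DNs, attribute names and bind account are constructed placeholders; the form of the combined filter is an assumption about how Keystone ANDs your user_filter with the object class and id attribute.

```sh
#!/bin/sh
# Pre-flight check for the ibm-openstack.identity.ldap.* values from steps 1 and 2.
# Added example, not part of IBM Cloud Manager with OpenStack. Assumes the
# OpenLDAP client tools (ldapsearch) are installed and that it runs on the
# controller node, which is the host that must reach the LDAP server.
# The values below are constructed placeholders; replace them with the values
# from your environment file. The bind password is taken from the environment
# so that it is never stored in this script.
LDAP_URL="ldap://ldap.example.com:389"                        # ...ldap.url
LDAP_USER_TREE_DN="ou=People,dc=example,dc=com"               # ...ldap.user_tree_dn
LDAP_USER_FILTER="(dept=dept_code)"                           # ...ldap.user_filter
LDAP_USER_OBJECTCLASS="inetOrgPerson"                         # ...ldap.user_objectclass
LDAP_USER_ID_ATTR="uid"                                       # ...ldap.user_id_attribute
LDAP_USER_NAME_ATTR="cn"                                      # ...ldap.user_name_attribute
LDAP_USER_ENABLED_ATTR="enabled"                              # ...ldap.user_enabled_attribute
LDAP_ADMIN_USER="cn=keystone-ro,ou=Service,dc=example,dc=com" # ...ldap.admin_user (read-only bind DN)
LDAP_ADMIN_PASS="${LDAP_ADMIN_PASS:-}"                        # ...ldap.admin_pass, from the environment
LDAP_USE_TLS="true"                                           # ...ldap.use_tls

# check_filter FILTER: the environment file requires filters to be wrapped in ( ).
check_filter() {
  case "$1" in
    \(*\)) return 0 ;;
    *) echo "filter '$1' must be enclosed in ( )" >&2; return 1 ;;
  esac
}

# check_tls URL USE_TLS: use_tls means StartTLS on a plain ldap:// URL. An
# ldaps:// URL already negotiates TLS on connect, so the two must not be combined.
# Returns 0 when TLS is in use, 2 for a cleartext connection (warning), 1 on error.
check_tls() {
  case "$1" in
    ldaps://*)
      [ "$2" = "false" ] || { echo "use either ldaps:// or use_tls, not both" >&2; return 1; } ;;
    ldap://*)
      [ "$2" = "true" ] || { echo "WARNING: without TLS the bind password and every user password Keystone checks cross the network in cleartext" >&2; return 2; } ;;
    *)
      echo "unsupported URL scheme in '$1'" >&2; return 1 ;;
  esac
  return 0
}

# user_search_filter OBJECTCLASS FILTER ID_ATTR: build the user search
# (assumption: Keystone ANDs your user_filter with the object class and
# requires the id attribute to be present).
user_search_filter() {
  printf '(&%s(objectClass=%s)(%s=*))' "$2" "$1" "$3"
}

# ldap_preflight: validate the values, then run the user search against the
# directory, returning only the three attributes Keystone maps.
# Exit status is that of ldapsearch (0 means the search succeeded).
ldap_preflight() {
  check_filter "$LDAP_USER_FILTER" || return 1
  tls_rc=0
  check_tls "$LDAP_URL" "$LDAP_USE_TLS" || tls_rc=$?
  [ "$tls_rc" -ne 1 ] || return 1
  filter=$(user_search_filter "$LDAP_USER_OBJECTCLASS" "$LDAP_USER_FILTER" "$LDAP_USER_ID_ATTR")
  set -- -x -LLL -H "$LDAP_URL" -b "$LDAP_USER_TREE_DN" -s sub
  [ "$LDAP_USE_TLS" = "true" ] && set -- "$@" -ZZ
  passfile=""
  if [ -n "$LDAP_ADMIN_USER" ]; then
    # ldapsearch -y reads the password from a file, keeping it out of the process list.
    passfile=$(mktemp) || return 1
    chmod 600 "$passfile"
    printf '%s' "$LDAP_ADMIN_PASS" > "$passfile"
    set -- "$@" -D "$LDAP_ADMIN_USER" -y "$passfile"
  fi
  ldapsearch "$@" "$filter" "$LDAP_USER_ID_ATTR" "$LDAP_USER_NAME_ATTR" "$LDAP_USER_ENABLED_ATTR"
  rc=$?
  [ -z "$passfile" ] || rm -f "$passfile"
  return $rc
}

# Run the check when invoked directly: LDAP_ADMIN_PASS=... sh ldap_preflight.sh --run
if [ "${1:-}" = "--run" ]; then ldap_preflight; fi
```

If the search returns no entries, the filter, tree DN or object class does not match your directory and Keystone will see no users either; if the bind fails, fix admin_user and admin_pass before deploying. With use_tls set to true, ldapsearch -ZZ refuses to continue unless StartTLS succeeds, which is the behaviour you want from Keystone as well.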
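Steps 4 and 5 have to be repeated for every user in the LDAP domain, which is error-prone by hand. The script below is an added example, not part of IBM Cloud Manager with OpenStack: it lists the users Keystone sees in the LDAP domain and grants each one the three "user" role assignments from step 4, with the step 5 admin grant kept as a separate, per-user call. It assumes the python-openstackclient openstack command is installed and that the admin credentials come from the standard OS_* environment variables rather than from --os-password on the command line. The function names and the domain and project values in the usage line are the author's own.

```sh
#!/bin/sh
# Role grants for a read-only LDAP domain (steps 4 and 5).
# Added example, not part of IBM Cloud Manager with OpenStack. Assumes the
# python-openstackclient 'openstack' command is installed and that the admin
# credentials come from the standard OS_* environment variables (for example
# from a sourced openrc file): OS_AUTH_URL, OS_IDENTITY_API_VERSION=3,
# OS_USERNAME, OS_PASSWORD, OS_USER_DOMAIN_NAME, OS_PROJECT_NAME and
# OS_PROJECT_DOMAIN_NAME. Passing --os-password on the command line instead
# exposes the admin password in the process list and in the shell history.
set -u

# list_domain_users DOMAIN: one Keystone user ID per line for the given domain
# (name or ID). Keystone assigns these IDs to the LDAP users; the directory
# itself is never written to.
list_domain_users() {
  openstack user list --domain "$1" -f value -c ID
}

# grant_self_service_roles LDAP_DOMAIN USER_ID: step 4, the "user" role on the
# LDAP domain, on the Default domain and on the Public project.
grant_self_service_roles() {
  openstack role add user --user "$2" --domain "$1" &&
  openstack role add user --user "$2" --domain default &&
  openstack role add user --user "$2" --project Public
}

# grant_admin_role USER_ID PROJECT: step 5, for the few LDAP users who are to
# administer the Dashboard. Deliberately not looped over every user.
grant_admin_role() {
  openstack role add admin --user "$1" --project "$2"
}

# grant_all LDAP_DOMAIN: apply step 4 to every user in the domain and print the
# number of users processed. Keystone's v3 grant API is silent when the
# assignment already exists, so rerunning after a partial failure is safe.
grant_all() {
  count=0
  for user_id in $(list_domain_users "$1"); do
    grant_self_service_roles "$1" "$user_id" || return 1
    count=$((count + 1))
  done
  echo "$count"
}

# Usage: sh grant_ldap_roles.sh <ldap_domain_name_or_UUID> [admin_user_UUID admin_project]
if [ $# -ge 1 ]; then
  n=$(grant_all "$1") || exit 1
  echo "granted self-service roles to $n user(s) in domain $1"
  if [ $# -eq 3 ]; then grant_admin_role "$2" "$3"; fi
fi
```

Run it again whenever new accounts appear in the directory: because the backend is read-only, Keystone picks up new LDAP users automatically, but the role assignments live in Keystone's database and have to be created for each new user.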