Channel: Adam Young's Web Log

Keystone LDAP with Bifrost


I got Keystone in my Bifrost install to talk via LDAP to our FreeIPA server. Here's what I had to do.

I started with a new install of Bifrost, using Keystone and TLS.

./bifrost-cli install --enable-keystone --enable-tls  --network-interface enP4p4s0f0np0 --dhcp-pool 192.168.116.25-192.168.116.75

After making sure that Keystone could work for normal things:

source /opt/stack/bifrost/bin/activate
export OS_CLOUD=bifrost-admin
openstack user list -f yaml
- ID: 1751a5bb8b4a4f0188069f8cb4f8e333
  Name: admin
- ID: 5942330b4f2c4822a9f2cdf45ad755ed
  Name: ironic
- ID: 43e30ad5bf0349b7b351ca2e86fd1628
  Name: ironic_inspector
- ID: 0c490e9d44204cc18ec1e507f2a07f83
  Name: bifrost_user

I had to install python3-ldap and python3-ldappool.

sudo apt install python3-ldap python3-ldappool

Now create a domain for the LDAP data.

openstack domain create freeipa
...
openstack domain show freeipa -f yaml

description: ''
enabled: true
id: 422608e5c8d8428cb022792b459d30bf
name: freeipa
options: {}
tags: []

Edit /etc/keystone/keystone.conf to enable domain-specific backends and point them at a directory of per-domain config files. When you are done, your identity section should look like this:

[identity]
domain_specific_drivers_enabled=true
domain_config_dir=/etc/keystone/domains
driver = sql

Create the corresponding directory for the new configuration files.

sudo mkdir /etc/keystone/domains/

Add in a configuration file for your LDAP server. Keystone looks for a file named keystone.<domain name>.conf in domain_config_dir, so since I called my domain freeipa I have to name the config file /etc/keystone/domains/keystone.freeipa.conf

[identity]
driver = ldap

[ldap]
url = ldap://den-admin-01


user_tree_dn = cn=users,cn=accounts,dc=younglogic,dc=com
user_objectclass = person
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_allow_create = false
user_allow_update = false
user_allow_delete = false
group_tree_dn = cn=groups,cn=accounts,dc=younglogic,dc=com
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description
group_allow_create = false
group_allow_update = false
group_allow_delete = false
user_enabled_attribute = nsAccountLock
user_enabled_default = False
user_enabled_invert = true

To apply the changes, restart the Keystone service:

sudo systemctl restart uwsgi@keystone-public

And test that it worked:

openstack user list -f yaml  --domain freeipa
- ID: b3054e3942f06016f8b9669b068e81fd2950b08c46ccb48032c6c67053e03767
  Name: renee
- ID: d30e7bc818d2f633439d982783a2d145e324e3187c0e67f71d80fbab065d096a
  Name: ann

This same approach works if you need to add more than one LDAP server to your Keystone deployment: create a domain for each server and give each its own keystone.<domain name>.conf in domain_config_dir.
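Before restarting Keystone it is worth running a quick review over each domain config file. The checker below is an added example, not code from the post, from Keystone or from Bifrost; it parses files laid out like the keystone.freeipa.conf above and reports the settings a reviewer would question. The host ipa.example.com and the dc=example,dc=com suffix in the constructed sample are placeholders, not the post's values. The one finding it raises on the config above is url = ldap:// with no use_tls: Keystone verifies a user's password with a simple bind to that URL, so on a plain ldap:// connection the password crosses the network in cleartext. The hardened copy switches to ldaps:// (port 636 by default) and turns off use_tls, since Keystone's use_tls option is StartTLS and is documented as not to be combined with ldaps://; the alternative is to keep ldap:// and set use_tls = true with tls_cacertfile. It also confirms the write flags are off and that the nsAccountLock inversion is set, because FreeIPA's nsAccountLock is a lock flag (TRUE means disabled).

```python
"""Sanity-check a Keystone domain-specific LDAP config before restarting Keystone.

Added example for this post, not code from Keystone or Bifrost. It parses
files shaped like /etc/keystone/domains/keystone.<domain>.conf, reports the
settings a reviewer would question, and can emit a hardened copy.
"""
import configparser
import io
import sys
from urllib.parse import urlsplit

# Constructed sample mirroring the post's keystone.freeipa.conf; the host
# and the dc= suffix are placeholders, not the post's values.
SAMPLE_CONF = """\
[identity]
driver = ldap

[ldap]
url = ldap://ipa.example.com
user_tree_dn = cn=users,cn=accounts,dc=example,dc=com
user_objectclass = person
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_allow_create = false
user_allow_update = false
user_allow_delete = false
group_tree_dn = cn=groups,cn=accounts,dc=example,dc=com
group_objectclass = groupOfNames
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = false
group_allow_update = false
group_allow_delete = false
user_enabled_attribute = nsAccountLock
user_enabled_default = False
user_enabled_invert = true
"""

WRITE_FLAGS = ("user_allow_create", "user_allow_update", "user_allow_delete",
               "group_allow_create", "group_allow_update", "group_allow_delete")
REQUIRED = ("user_tree_dn", "user_objectclass", "user_id_attribute",
            "user_name_attribute", "group_tree_dn", "group_objectclass")


def parse_domain_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _truthy(sec, key, default):
    # oslo.config booleans accept true/false in any case; compare lower-cased.
    return sec.get(key, default).strip().lower() == "true"


def check_domain_conf(cp):
    """Return a list of (severity, message); an empty list means nothing to flag."""
    findings = []
    if cp.get("identity", "driver", fallback="sql") != "ldap":
        return [("error", "[identity] driver is not 'ldap'; this file will not use the directory")]
    if not cp.has_section("ldap"):
        return [("error", "no [ldap] section")]
    sec = cp["ldap"]
    use_tls = _truthy(sec, "use_tls", "false")
    # Keystone accepts a comma-separated list of URLs; check each one.
    urls = [u.strip() for u in sec.get("url", "").split(",") if u.strip()] or [""]
    for url in urls:
        scheme = urlsplit(url).scheme
        if scheme == "ldaps" and use_tls:
            findings.append(("error", f"{url}: use_tls (StartTLS) cannot be combined with ldaps://"))
        elif scheme == "ldap" and not use_tls:
            findings.append(("error", f"{url}: plain ldap:// without use_tls sends each user's "
                                      "password to the directory in cleartext at bind time"))
        elif scheme not in ("ldap", "ldaps"):
            findings.append(("error", f"unrecognised url {url!r}"))
    if sec.get("tls_req_cert", "demand").strip().lower() in ("never", "allow"):
        findings.append(("error", "tls_req_cert disables server certificate verification"))
    for key in REQUIRED:
        if not sec.get(key, "").strip():
            findings.append(("error", f"{key} is not set"))
    for key in WRITE_FLAGS:
        # Keystone defaults these to true, so a missing key means writes are allowed.
        if _truthy(sec, key, "true"):
            findings.append(("warn", f"{key} is true; Keystone may write to the directory"))
    if sec.get("user_enabled_attribute", "").strip().lower() == "nsaccountlock":
        # FreeIPA's nsAccountLock is a lock flag: TRUE means the account is disabled.
        if not _truthy(sec, "user_enabled_invert", "false"):
            findings.append(("error", "nsAccountLock is a lock flag; without user_enabled_invert=true "
                                      "locked users are reported as enabled"))
    return findings


def harden(cp):
    """Mutate cp in place: ldaps:// on the default port, no StartTLS, no writes, verified certs."""
    sec = cp["ldap"]
    hosts = [urlsplit(u.strip()).hostname for u in sec.get("url", "").split(",") if u.strip()]
    sec["url"] = ",".join(f"ldaps://{h}" for h in hosts if h)  # port 636 unless stated
    sec["use_tls"] = "false"
    sec["tls_req_cert"] = "demand"
    for key in WRITE_FLAGS:
        sec[key] = "false"
    if sec.get("user_enabled_attribute", "").strip().lower() == "nsaccountlock":
        sec["user_enabled_invert"] = "true"
    return cp


def render(cp):
    """Serialise the parser back to keystone.<domain>.conf text."""
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_domain_conf.py /etc/keystone/domains/keystone.freeipa.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for severity, message in check_domain_conf(parse_domain_conf(text)):
        print(f"{severity}: {message}")
    print("--- hardened copy ---")
    print(render(harden(parse_domain_conf(text))))
```

Run it against the real file as root (the domain config may hold a bind password, so keep its permissions tight) and compare its hardened output with what you deploy; the checker does not contact the directory, so a clean report only means the file is internally consistent, not that the server's certificate chains to tls_cacertfile.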
