| 1 | +:_mod-docs-content-type: PROCEDURE |
| 2 | +[id='configuring-ldap-with-domain-specific-drivers_{context}'] |
| 3 | + |
| 4 | += Configuring LDAP with domain-specific drivers |
| 5 | + |
| 6 | +If you need to integrate the {identity_service_first_ref} with one or more LDAP servers using domain-specific configurations, you can enable domain-specific drivers and provide the necessary LDAP settings. |
| 7 | + |
| 8 | +This involves two main steps: |
| 9 | +. Create the Kubernetes secret that holds the domain-specific LDAP configuration files that the {identity_service} uses. Each file within the secret corresponds to an LDAP domain. |
| 10 | +. Patch the `OpenStackControlPlane` custom resource (CR) to enable domain-specific drivers for the {identity_service} and mount a secret that contains the LDAP configurations. |
| 11 | + |
| 12 | + |
| 13 | +.Procedure |
| 14 | + |
| 15 | +. To create the `keystone-domains` secret that stores the actual LDAP configuration files that {identity_service} uses, create a local file that includes your LDAP configuration, for example, `keystone.myldapdomain.conf`: |
| 16 | ++ |
| 17 | +The following example file includes the configuration for a single LDAP domain. If you have multiple LDAP domains, create a configuration file for each, for example, `keystone.DOMAIN_ONE.conf`, `keystone.DOMAIN_TWO.conf`. |
| 18 | ++ |
| 19 | +[source,ini] |
| 20 | +---- |
| 21 | +[identity] |
| 22 | +driver = ldap |
| 23 | +[ldap] |
| 24 | +url = ldap://<ldap_server_host>:<ldap_server_port> |
| 25 | +user = <bind_dn_user> |
| 26 | +password = <bind_dn_password> |
| 27 | +suffix = <user_tree_dn> |
| 28 | +query_scope = sub |
| 29 | +# User configuration |
| 30 | +user_tree_dn = <user_tree_dn> |
| 31 | +user_objectclass = <user_object_class> |
| 32 | +user_id_attribute = <user_id_attribute> |
| 33 | +user_name_attribute = <user_name_attribute> |
| 34 | +user_mail_attribute = <user_mail_attribute> |
| 35 | +user_enabled_attribute = <user_enabled_attribute> |
| 36 | +user_enabled_default = true |
| 37 | +# Group configuration |
| 38 | +group_tree_dn = <group_tree_dn> |
| 39 | +group_objectclass = <group_object_class> |
| 40 | +group_id_attribute = <group_id_attribute> |
| 41 | +group_name_attribute = <group_name_attribute> |
| 42 | +group_member_attribute = <group_member_attribute> |
| 43 | +group_members_are_ids = true |
| 44 | +---- |
| 45 | ++ |
| 46 | +* Replace the values, such as `<ldap_server_host>`, `<bind_dn_user>`, `<user_tree_dn>`, and so on, with your LDAP server details. |
| 47 | + |
| 48 | +. Create the secret from this file: |
| 49 | ++ |
| 50 | +---- |
| 51 | +$ oc create secret generic keystone-domains \ |
| 52 | + -n <namespace> \ |
| 53 | + --from-file=<keystone.DOMAIN_NAME.conf> |
| 54 | +---- |
| 55 | ++ |
| 56 | +* Replace `<namespace>` with the namespace where your {identity_service} is deployed. |
| 57 | +* Replace `<keystone.DOMAIN_NAME.conf>` with the name of your local configuration file. If applicable, include additional configuration files by using the `--from-file` option. After creating the secret, you can remove the local configuration file if it is no longer needed, or store it securely. |
| 58 | ++ |
| 59 | +[IMPORTANT] |
| 60 | +The name of the file that you provide to `--from-file`, for example `keystone.DOMAIN_NAME.conf`, is critical. The {identity_service} uses this filename to map incoming authentication requests for a domain to the correct LDAP configuration. Ensure that `DOMAIN_NAME` matches the name of the domain you are configuring in the {identity_service}. |
| 61 | + |
| 62 | +. Patch the `OpenStackControlPlane` CR: |
| 63 | ++ |
| 64 | +---- |
| 65 | +$ oc patch openstackcontrolplane <cr_name> \ |
| 66 | + -n <namespace> \ |
| 67 | + --type=merge \ |
| 68 | + -p ' |
| 69 | +spec: |
| 70 | + keystone: |
| 71 | + template: |
| 72 | + customServiceConfig: | |
| 73 | + [identity] |
| 74 | + domain_specific_drivers_enabled = true |
| 75 | + extraMounts: |
| 76 | + - name: v1 |
| 77 | + region: r1 |
| 78 | + extraVol: |
| 79 | + - propagation: |
| 80 | + - Keystone |
| 81 | + extraVolType: Conf |
| 82 | + volumes: |
| 83 | + - name: keystone-domains |
| 84 | + secret: |
| 85 | + secretName: keystone-domains |
| 86 | + mounts: |
| 87 | + - name: keystone-domains |
| 88 | + mountPath: "/etc/keystone/domains" |
| 89 | + readOnly: true |
| 90 | +---- |
| 91 | ++ |
| 92 | +* Replace `<cr_name>` with the name of your `OpenStackControlPlane` CR (for example, `openstack`) and `<namespace>` with the namespace where it is deployed (for example, `openstack`). |
| 93 | +* This patch does the following: |
| 94 | +** Sets `spec.keystone.template.customServiceConfig`. Ensure that you do not overwrite any previously defined value. |
| 95 | +** Defines `spec.keystone.template.extraMounts` to mount a secret named `keystone-domains` into the {identity_service} pods at `/etc/keystone/domains`. This secret contains your LDAP configuration files. |
| 96 | ++ |
| 97 | +[NOTE] |
| 98 | +You might need to wait a few minutes for the changes to propagate and for the {identity_service} pods to be updated. |
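Review bot: `oc patch ... --type=merge` applies a JSON merge patch, which replaces the entire `spec.keystone.template.extraMounts` list instead of appending to it, so any `extraMounts` entries already present on the `OpenStackControlPlane` CR are silently dropped; the bullet that says "Sets `spec.keystone.template.customServiceConfig`. Ensure that you do not overwrite any previously defined value." covers only `customServiceConfig`, so suggest adding the same caution for `extraMounts`, for example: "If `extraMounts` is already defined in the CR, add the `keystone-domains` volume and mount to the existing list rather than applying this patch unchanged." Separately, the sample `url = ldap://<ldap_server_host>:<ldap_server_port>` together with `user = <bind_dn_user>` and `password = <bind_dn_password>` means the bind credential and directory lookups cross the network in cleartext unless the reader uses `ldaps://` or sets `use_tls = true` in the `[ldap]` section; a one-line mention next to the `[ldap]` example would help, and it would pair well with the existing advice to store the local configuration file securely since that file holds the bind password.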