|
| 1 | +:_mod-docs-content-type: PROCEDURE |
| 2 | +[id='configuring-ldap-with-domain-specific-drivers_{context}'] |
| 3 | + |
| 4 | += Configuring LDAP with domain-specific drivers |
| 5 | + |
| 6 | +If you need to integrate the {identity_service_first_ref} with one or more LDAP servers using domain-specific configurations, you can enable domain-specific drivers and provide the necessary LDAP settings. |
| 7 | + |
| 8 | +This involves two main steps: |
| 9 | + |
| 10 | +. Create the secret that holds the domain-specific LDAP configuration files that the {identity_service} uses. Each file within the secret corresponds to an LDAP domain. |
| 11 | +. Patch the `OpenStackControlPlane` custom resource (CR) to enable domain-specific drivers for the {identity_service} and mount a secret that contains the LDAP configurations. |
| 12 | + |
| 13 | + |
| 14 | +.Procedure |
| 15 | + |
| 16 | +. To create the `keystone-domains` secret that stores the actual LDAP configuration files that {identity_service} uses, create a local file that includes your LDAP configuration, for example, `keystone.myldapdomain.conf`: |
| 17 | ++ |
| 18 | +The following example file includes the configuration for a single LDAP domain. If you have multiple LDAP domains, create a configuration file for each, for example, `keystone.DOMAIN_ONE.conf`, `keystone.DOMAIN_TWO.conf`. |
| 19 | ++ |
| 20 | +[source,ini] |
| 21 | +---- |
| 22 | +[identity] |
| 23 | +driver = ldap |
| 24 | +[ldap] |
| 25 | +url = ldap://<ldap_server_host>:<ldap_server_port> |
| 26 | +user = <bind_dn_user> |
| 27 | +password = <bind_dn_password> |
| 28 | +suffix = <user_tree_dn> |
| 29 | +query_scope = sub |
| 30 | +# User configuration |
| 31 | +user_tree_dn = <user_tree_dn> |
| 32 | +user_objectclass = <user_object_class> |
| 33 | +user_id_attribute = <user_id_attribute> |
| 34 | +user_name_attribute = <user_name_attribute> |
| 35 | +user_mail_attribute = <user_mail_attribute> |
| 36 | +user_enabled_attribute = <user_enabled_attribute> |
| 37 | +user_enabled_default = true |
| 38 | +# Group configuration |
| 39 | +group_tree_dn = <group_tree_dn> |
| 40 | +group_objectclass = <group_object_class> |
| 41 | +group_id_attribute = <group_id_attribute> |
| 42 | +group_name_attribute = <group_name_attribute> |
| 43 | +group_member_attribute = <group_member_attribute> |
| 44 | +group_members_are_ids = true |
| 45 | +---- |
| 46 | ++ |
| 47 | +* Replace the values, such as `<ldap_server_host>`, `<bind_dn_user>`, `<user_tree_dn>`, and so on, with your LDAP server details. |
| 48 | + |
| 49 | +. Create the secret from this file: |
| 50 | ++ |
| 51 | +---- |
| 52 | +$ oc create secret generic keystone-domains --from-file=<keystone.DOMAIN_NAME.conf> |
| 53 | +---- |
| 54 | ++ |
| 55 | +* Replace `<keystone.DOMAIN_NAME.conf>` with the name of your local configuration file. If applicable, include additional configuration files by using the `--from-file` option. After creating the secret, you can remove the local configuration file if it is no longer needed, or store it securely. |
| 56 | ++ |
| 57 | +[IMPORTANT] |
| 58 | +The name of the file that you provide to `--from-file`, for example `keystone.DOMAIN_NAME.conf`, is critical. The {identity_service} uses this filename to map incoming authentication requests for a domain to the correct LDAP configuration. Ensure that `DOMAIN_NAME` matches the name of the domain you are configuring in the {identity_service}. |
| 59 | + |
| 60 | +. Patch the `OpenStackControlPlane` CR: |
| 61 | ++ |
| 62 | +---- |
| 63 | +$ oc patch openstackcontrolplane <cr_name> --type=merge -p ' |
| 64 | +spec: |
| 65 | + keystone: |
| 66 | + template: |
| 67 | + customServiceConfig: | |
| 68 | + [identity] |
| 69 | + domain_specific_drivers_enabled = true |
| 70 | + extraMounts: |
| 71 | + - name: v1 |
| 72 | + region: r1 |
| 73 | + extraVol: |
| 74 | + - propagation: |
| 75 | + - Keystone |
| 76 | + extraVolType: Conf |
| 77 | + volumes: |
| 78 | + - name: keystone-domains |
| 79 | + secret: |
| 80 | + secretName: keystone-domains |
| 81 | + mounts: |
| 82 | + - name: keystone-domains |
| 83 | + mountPath: "/etc/keystone/domains" |
| 84 | + readOnly: true |
| 85 | +---- |
| 86 | ++ |
| 87 | +* Replace `<cr_name>` with the name of your `OpenStackControlPlane` CR (for example, `openstack`). |
| 88 | +* This patch does the following: |
| 89 | +** Sets `spec.keystone.template.customServiceConfig`. Ensure that you do not overwrite any previously defined value. |
| 90 | +** Defines `spec.keystone.template.extraMounts` to mount a secret named `keystone-domains` into the {identity_service} pods at `/etc/keystone/domains`. This secret contains your LDAP configuration files. |
| 91 | ++ |
| 92 | +[NOTE] |
| 93 | +You might need to wait a few minutes for the changes to propagate and for the {identity_service} pods to be updated. |
| 94 | + |
| 95 | +.Verification |
| 96 | + |
| 97 | +. Verify that users from the LDAP domain are accessible: |
| 98 | ++ |
| 99 | +---- |
| 100 | +$ oc exec -t openstackclient -- openstack user list --domain <DOMAIN_NAME> |
| 101 | +---- |
| 102 | ++ |
| 103 | +This command should return a list of users from your LDAP server. |
| 104 | + |
| 105 | +. Verify that groups from the LDAP domain are accessible: |
| 106 | ++ |
| 107 | +---- |
| 108 | +$ oc exec -t openstackclient -- openstack group list --domain <DOMAIN_NAME> |
| 109 | +---- |
| 110 | ++ |
| 111 | +This command should return a list of groups from your LDAP server. |
| 112 | + |
| 113 | +. Test authentication with an LDAP user: |
| 114 | ++ |
| 115 | +---- |
| 116 | +$ oc exec -t openstackclient -- openstack --os-auth-url <KEYSTONE_AUTH_URL> --os-identity-api-version 3 --os-user-domain-name <DOMAIN_NAME> --os-username <LDAP_USERNAME> --os-password <LDAP_PASSWORD> token issue |
| 117 | +---- |
| 118 | ++ |
| 119 | +* Replace `<KEYSTONE_AUTH_URL>` with the {identity_service} authentication URL. |
| 120 | +* Replace `<DOMAIN_NAME>` with your LDAP domain name. |
| 121 | +* Replace `<LDAP_USERNAME>` and `<LDAP_PASSWORD>` with valid LDAP user credentials. |
| 122 | ++ |
| 123 | +If successful, this command returns a token, confirming that LDAP authentication is working correctly. |
| 124 | + |
| 125 | +. Verify group membership for an LDAP user: |
| 126 | ++ |
| 127 | +---- |
| 128 | +$ oc exec -t openstackclient -- openstack group contains user --group-domain <DOMAIN_NAME> --user-domain <DOMAIN_NAME> <GROUP_NAME> <USERNAME> |
| 129 | +---- |
| 130 | ++ |
| 131 | +* Replace `<DOMAIN_NAME>`, `<GROUP_NAME>`, and `<USERNAME>` with appropriate values from your LDAP server. |
| 132 | ++ |
| 133 | +This command verifies that the user is properly associated with the group through LDAP. |
0 commit comments