diff --git a/doc/source/install-guide/configure-keystone.rst b/doc/source/install-guide/configure-keystone.rst
index e2e89361af..8bdabb7dc8 100644
--- a/doc/source/install-guide/configure-keystone.rst
+++ b/doc/source/install-guide/configure-keystone.rst
@@ -17,38 +17,47 @@ options.
 
 .. _Securing services with SSL certificates: configure-sslcertificates.html
 
-Special considerations when using LDAP or AD backends
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Implementing LDAP (or AD) Back-Ends
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Configuring LDAP or Active Directory (AD) backends for keystone can make
-deployment easier, but there are special considerations for these types of
-deployments.
+In many environments there may already be a LDAP (or Active Directory) service
+available which already has Users, Groups and User-Group assignment data.
+Keystone can be configured to make use of the LDAP service using
+Domain-specific Back-End configuration.
 
-Creating users
-""""""""""""""
+While it is possible to set the Keystone Identity Back-End to use LDAP for
+the Default domain, this is not recommended. It is a better practice to use
+the Default domain for service accounts and to configure additional Domains
+for LDAP services which provide general User/Group data.
 
-During an OpenStack-Ansible deployment, the individual roles that deploy
-various OpenStack services will attempt to create users in keystone. For
-deployments where keystone uses LDAP as an authentication backend, these users
-must be created **prior** to the running the OpenStack-Ansible playbooks. The
-tasks for adding keystone users within individual role playbooks will be
-skipped.
+Example implementation in user_variables.yml:
 
-Stacked authentication
-""""""""""""""""""""""
+keystone_ldap:
+ Users:
+ url: "ldap://10.10.10.10"
+ user: "root"
+ password: "secrete"
+ ...
+ Admins:
+ url: "ldap://20.20.20.20"
+ user: "root"
+ password: "secrete"
+ ...
 
-Some deployers may prefer to use "stacked" authentication where some users
-exist in a SQL backend while other users exist in an LDAP or Active Directory
-(AD) backend. This can be useful for deploys who want to reduce the number of
-service accounts that must exist in LDAP or AD.
+This will place two configuration files into /etc/keystone/domains/, both of
+which will be configured to use the LDAP driver.
 
-For more details on stacked authentication, see `Matt Fischer's blog post`_ or
-review IBM's documentation titled `Configure OpenStack Keystone support for
-domain-specific corporate directories`_.
+ - keystone.Users.conf
+ - keystone.Admins.conf
 
-.. _Matt Fischer's blog post: http://www.mattfischer.com/blog/?p=576
-.. _Configure OpenStack Keystone support for domain-specific corporate directories: http://www.ibm.com/developerworks/cloud/library/cl-configure-keystone-ldap-and-active-directory/index.html
+Each first level key entry is a domain name. Each entry below that are
+key-value pairs for the 'ldap' section in the configuration file.
 
---------------
+More details regarding valid configuration for the LDAP Identity Back-End can
+be found in the `Keystone Developer Documentation`_ and the
+`OpenStack Admin Guide`_.
+
+.. _Keystone Developer Documentation: http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider
+.. _OpenStack Admin Guide: http://docs.openstack.org/admin-guide-cloud/keystone_integrate_identity_backend_ldap.html
 
 .. include:: navigation.txt
diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml
index cacba44229..740d55c0ef 100644
--- a/playbooks/inventory/group_vars/hosts.yml
+++ b/playbooks/inventory/group_vars/hosts.yml
@@ -87,7 +87,7 @@ dhcp_domain: openstacklocal
 #openstack_service_internaluri_proto: http
 
 ## LDAP enabled toggle
-service_ldap_backend_enabled: "{{ keystone_ldap is defined }}"
+service_ldap_backend_enabled: "{{ keystone_ldap is defined and keystone_ldap.Default is defined }}"
 
 ## Aodh
diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml
index 7feda0cc8f..299c34a6d8 100644
--- a/playbooks/roles/os_keystone/defaults/main.yml
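Review bot: `service_ldap_backend_enabled` now becomes true only when a top-level `Default` key exists in `keystone_ldap`, so a deployer who spells the key `default` gets a toggle that silently stays false — the release note in this commit says the domain name is case-sensitive, but the comment above this line does not. Suggest `## LDAP enabled toggle: true only when the Keystone Default domain is LDAP-backed (key name is case-sensitive)`. The `keystone_ldap is defined` guard should stay even though the role default now sets `keystone_ldap: {}`, since this group_vars entry is presumably also evaluated by service roles where the os_keystone defaults are not in scope; worth confirming against the consumers of this variable.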
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@@ -165,22 +165,26 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 # If set this will enable dog pile cache for keystone.
 # keystone_cache_backend_argument: url:127.0.0.1:11211
 
-## LDAP section
-# Define keystone ldap information here.
+## LDAP Section
+# Define Keystone LDAP domain configuration here.
+# This may be used to add configuration for a LDAP identity back-end.
 # See the http://docs.openstack.org/admin-guide-cloud/keystone_integrate_with_ldap.html
-# for more information on available options. The sections here are defined as key: value pairs. Each
-# top level key bellow ``keystone_ldap`` is a section.
+#
+# Each top-level entry is a domain name. Each entry below that are key: value pairs for
+# the ldap section in the domain-specific configuraiton file.
+#
 # (EXAMPLE LAYOUT)
 # keystone_ldap:
-# ldap:
+# Users:
 # url: "ldap://127.0.0.1"
 # user: "root"
 # password: "secrete"
 # ...
-keystone_ldap_identity_driver: ldap
+keystone_ldap: {}
 keystone_ldap_domain_config_dir: /etc/keystone/domains
+
 # If you want to regenerate the keystone users SSH keys, on each run, set this var to True
 # Otherwise keys will be generated on the first run and not regenerated each run.
 keystone_recreate_keys: False
diff --git a/playbooks/roles/os_keystone/tasks/keystone_ldap_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_ldap_setup.yml
new file mode 100644
index 0000000000..c048b7c2a2
--- /dev/null
+++ b/playbooks/roles/os_keystone/tasks/keystone_ldap_setup.yml
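Review bot: The new comment block has a typo, `configuraiton` → `configuration`, and it should tell the deployer that each top-level key is a Keystone domain name that is matched case-sensitively and becomes part of the rendered file name — the release note in this commit states this, the defaults file does not. Suggest `# Each top-level entry is a Keystone domain name (case-sensitive); it is rendered to keystone.<name>.conf.` in place of the first sentence of that comment. Since the example shows `password: "secrete"`, a further line noting that this LDAP bind password is written verbatim into the per-domain config file on the keystone hosts would help deployers decide to keep the value in an encrypted variables file rather than plain user_variables.yml.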
@@ -0,0 +1,41 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+- name: Create Keystone LDAP domains
+ keystone:
+ command: ensure_domain
+ domain_name: "{{ item.key }}"
+ token: "{{ keystone_auth_admin_token }}"
+ endpoint: "{{ keystone_service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
+ with_dict: keystone_ldap
+ run_once: true
+ tags:
+ - keystone-ldap-domain-create
+
+- name: Create Keystone LDAP domain configs
+ template:
+ src: keystone.domain.conf.j2
+ dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
+ owner: "{{ keystone_system_user_name }}"
+ group: "{{ keystone_system_group_name }}"
+ mode: "0644"
+ with_dict: keystone_ldap
+ notify:
+ - Restart Apache
+ tags:
+ - keystone-ldap-domain-config
+
diff --git a/playbooks/roles/os_keystone/tasks/keystone_post_install.yml b/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
index 659cf9ef2f..7559909f6f 100644
--- a/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
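Review bot: The domain config written by the "Create Keystone LDAP domain configs" task carries the `[ldap]` bind credentials (the defaults example in this commit renders `password` into it), yet `mode: "0644"` leaves the file readable by every local account on the keystone host or container; with owner and group already set to the keystone system user and group, `mode: "0640"` is enough for the keystone WSGI process, assuming it runs as that user as the owner/group variables suggest. A second gap is that nothing removes a stale `keystone.<domain>.conf` when a domain is dropped from or renamed in `keystone_ldap`; while `domain_specific_drivers_enabled` stays true, such a leftover file keeps pointing that domain at the old LDAP server, so a follow-up task that prunes files in `keystone_ldap_domain_config_dir` whose name is not in the dictionary (and a comment on this task saying that pruning is deliberate if omitted) would close it.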
@@ -27,10 +27,6 @@
 dest: "/etc/keystone/keystone.conf"
 config_overrides: "{{ keystone_keystone_conf_overrides }}"
 config_type: "ini"
- - src: "keystone.Default.conf.j2"
- dest: "{{ keystone_ldap_domain_config_dir }}/keystone.Default.conf"
- config_overrides: "{{ keystone_keystone_default_conf_overrides }}"
- config_type: "ini"
 - src: "keystone-paste.ini.j2"
 dest: "/etc/keystone/keystone-paste.ini"
 config_overrides: "{{ keystone_keystone_paste_ini_overrides }}"
diff --git a/playbooks/roles/os_keystone/tasks/main.yml b/playbooks/roles/os_keystone/tasks/main.yml
index 0d416f5436..f7b278f4d4 100644
--- a/playbooks/roles/os_keystone/tasks/main.yml
+++ b/playbooks/roles/os_keystone/tasks/main.yml
@@ -47,6 +47,11 @@
 when: >
 inventory_hostname == groups['keystone_all'][0]
 
+- include: keystone_ldap_setup.yml
+ tags:
+ - keystone-config
+ - keystone-ldap
+
 - include: keystone_federation_sp_idp_setup.yml
 when: >
 keystone_sp is defined and
diff --git a/playbooks/roles/os_keystone/templates/keystone.Default.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.Default.conf.j2
deleted file mode 100644
index 96c62ee252..0000000000
--- a/playbooks/roles/os_keystone/templates/keystone.Default.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-# LDAP configuration options
-{% if keystone_ldap is defined %}
-[identity]
-driver = {{ keystone_ldap_identity_driver }}
-
-{% for section in keystone_ldap|dictsort %}
-[{{ section.0 }}]
-{% for key, value in section.1.items() %}
-{{ key }} = {{ value }}
-{% endfor %}
-{% endfor %}
-{% endif %}
diff --git a/playbooks/roles/os_keystone/templates/keystone.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.conf.j2
index 21b9a20e1c..0599a7f02b 100644
--- a/playbooks/roles/os_keystone/templates/keystone.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone.conf.j2
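Review bot: The new `keystone_ldap_setup.yml` include in tasks/main.yml has no `when:`, unlike the neighbouring `keystone_federation_sp_idp_setup.yml` include that is guarded by `keystone_sp is defined`. The two tasks it pulls in loop with `with_dict: keystone_ldap`, so with the `{}` default they iterate zero times and nothing breaks, but a guard such as `when: keystone_ldap | length > 0` (the same test this commit uses in keystone.conf.j2) makes the intent visible in the task list and keeps the include style consistent with its sibling. The surrounding task list continues outside the hunk.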
@@ -64,8 +64,10 @@ max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
 
 
 [identity]
-driver = {{ keystone_identity_driver }}
-{% if keystone_ldap is defined and keystone_ldap.ldap %}
+{% if keystone_ldap.Default is not defined %}
+driver = sql
+{% endif %}
+{% if keystone_ldap | length > 0 %}
 domain_config_dir = {{ keystone_ldap_domain_config_dir }}
 domain_specific_drivers_enabled = True
 {% endif %}
diff --git a/playbooks/roles/os_keystone/templates/keystone.domain.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.domain.conf.j2
new file mode 100644
index 0000000000..bec3f328d2
--- /dev/null
+++ b/playbooks/roles/os_keystone/templates/keystone.domain.conf.j2
@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+[identity]
+driver = ldap
+
+[ldap]
+{% for key, value in item.value | dictsort %}
+{{ key }} = {{ value }}
+{% endfor %}
diff --git a/releasenotes/notes/multiple-ldap-domains-f188f65678216587.yaml b/releasenotes/notes/multiple-ldap-domains-f188f65678216587.yaml
new file mode 100644
index 0000000000..1aa13478de
--- /dev/null
+++ b/releasenotes/notes/multiple-ldap-domains-f188f65678216587.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - Keystone can now be configured for multiple LDAP or Active Directory
+ identity back-ends. Configuration of this feature is documented in the
+ `Keystone Configuration `_
+ section of the `Install Guide `_.
+upgrade:
+ - The first tier of the ``keystone_ldap`` dictionary variable now relates to
+ the Keystone Domain name. An existing ``keystone_ldap`` configuration entry
+ can be converted by renaming the ``ldap`` key to the domain name 'Default'.
+ **Note** that the domain name entry is case-sensitive.
+ - The ``keystone_ldap_identity_driver`` variable has been removed. The driver
+ for an LDAP back-end in Keystone now simply uses the value 'ldap'. There
+ are no other back-end options for Keystone at this time.
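Review bot: `driver = {{ keystone_identity_driver }}` becomes a hard-coded `driver = sql`, so any deployer override of `keystone_identity_driver` is now silently ignored, and the release note in this commit only mentions `keystone_ldap_identity_driver`; if that variable still exists in the role defaults it should either be removed with a note or kept in use, e.g. `driver = {{ keystone_identity_driver }}` inside the `Default is not defined` branch. When `keystone_ldap.Default` is set the `[identity]` section emits no `driver` at all, so the Default domain relies on keystone's built-in default together with the `keystone.Default.conf` file this commit generates — a template comment such as `{# no driver here when keystone_ldap.Default is set: keystone.Default.conf in domain_config_dir supplies it #}` would save the next reader the lookup. Whether the `[identity]` section continues past the trailing `{% endif %}` is not visible in the hunk.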
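Review bot: keystone.domain.conf.j2 renders every key of the domain entry under `[ldap]` only, whereas the deleted `keystone.Default.conf.j2` iterated `keystone_ldap|dictsort` and emitted one section per top-level key, so a deployer can no longer place per-domain options in any other section of the domain file; the header should state that limitation, e.g. `# Only the [ldap] section is rendered from keystone_ldap.<domain>; other sections are not supported.` Values are written verbatim, including the bind `password` shown in this commit's defaults example, so the read permissions chosen by the writing task in keystone_ldap_setup.yml decide who on the host can read the directory credential.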