This feature integrates the OpenStack Keystone service with an external LDAP service. Effectively, the feature maps LDAP-based users to cloud users via an OpenStack domain.
Note: This feature is currently only supported in channel 2023.2
of the openstack snap.
Enabling LDAP
To enable the LDAP feature, run the following command:
sunbeam enable ldap
Disabling LDAP
To disable the LDAP feature, run the following command:
sunbeam disable ldap
Usage
Adding a domain
Adding a domain refers to integrating Keystone with one or more existing LDAP servers.
-
Create a YAML file with details of how Keystone should integrate with the LDAP server. At a minimum, this should include a URL, user, password, and suffix. See the Keystone LDAP integration guide for configuration guidance.
For example:
dom1.yaml:
url: ldaps://ldap.example.com:636
user: cn=admin,dc=example,dc=com
password: mypassword
suffix: dc=example,dc=com
-
If the connection requires TLS, place the CA certificate in a file:
dom1.cert:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- Use the
sunbeam ldap add-domain
command to set up the domain, adding the--ca-cert-file
option if TLS is in use:
sunbeam ldap add-domain \
--domain-config-file ./dom1.yaml \
--ca-cert-file ./dom1.cert dom1
-
A new LDAP-backed domain will be created in Keystone. Verify this with the native
openstack
CLI:openstack user list --domain dom1
+-------------------------------------------+---------------+
| | Name |
+-------------------------------------------+---------------+
| 941b5daa177ea518b5fc3b85fe9269729eb6abbb1 | John Hethel |
| d3b9d2bea306a049d4f56d30d6bba97b24c6db882 | Ryan Trunch |
| 7b699dc9a8037d6968c42c5b7b5d5a020d0f58e40 | Michael Diss |
+-------------------------------------------+---------------+
Updating a domain
To update an LDAP domain the process is similar to adding one:
sunbeam ldap update-domain --domain-config-file ./dom1.yaml --ca-cert-file ./dom1.cert dom1
Listing domains
To list LDAP domains:
sunbeam ldap list-domains
Removing a domain
To remove an LDAP domain:
sunbeam ldap remove-domain <domain-name>
Important: Since configuration (e.g. OpenStack projects) could have been made to the domain after it was added, the remove-domain
command only removes the LDAP connection. To completely remove the domain, the openstack
CLI should be used (i.e. openstack domain delete
).