This plugin integrates the OpenStack Keystone service with an external LDAP service. Effectively, the plugin maps LDAP-based users to cloud users via an OpenStack domain.

Note: This feature is currently only supported in channel 2023.2/edge of the openstack snap.

Enabling LDAP

To enable the LDAP plugin, run the following command:

sunbeam enable ldap

Disabling LDAP

To disable the LDAP plugin, run the following command:

sunbeam disable ldap


Adding a domain

Adding a domain refers to integrating Keystone with one or more existing LDAP servers.

  1. Create a YAML file with details of how Keystone should integrate with the LDAP server. At a minimum, this should include a URL, user, password, and suffix. See the Keystone LDAP integration guide for configuration guidance.

    For example:


    url: ldaps://ldap.example.com:636
    user: cn=admin,dc=example,dc=com
    password: mypassword
    suffix: dc=example,dc=com
  1. If the connection requires TLS, place the CA certificate in a file:


    -----END CERTIFICATE-----
  1. Use the sunbeam ldap add-domain command to set up the domain, adding the --ca-cert-file option if TLS is in use:
    sunbeam ldap add-domain \
       --domain-config-file ./dom1.yaml \
       --ca-cert-file ./dom1.cert dom1
  1. A new LDAP-backed domain will be created in Keystone. Verify this with the native openstack CLI:

    openstack user list --domain dom1

    |                                           | Name          |
    | 941b5daa177ea518b5fc3b85fe9269729eb6abbb1 | John Hethel   |
    | d3b9d2bea306a049d4f56d30d6bba97b24c6db882 | Ryan Trunch   |
    | 7b699dc9a8037d6968c42c5b7b5d5a020d0f58e40 | Michael Diss  |

Updating a domain

To update an LDAP domain the process is similar to adding one:

sunbeam ldap update-domain --domain-config-file ./dom1.yaml --ca-cert-file ./dom1.cert  dom1

Listing domains

To list LDAP domains:

sunbeam ldap list-domains

Removing a domain

To remove an LDAP domain:

sunbeam ldap remove-domain <domain-name>

Important: Since configuration (e.g. OpenStack projects) could have been made to the domain after it was added, the remove-domain command only removes the LDAP connection. To completely remove the domain, the openstack CLI should be used (i.e. openstack domain delete).