LDAP

This feature integrates the OpenStack Keystone service with an external LDAP service. Effectively, the feature maps LDAP-based users to cloud users via an OpenStack domain.

[note type=“caution”] Note: This feature is currently only supported in channel 2023.2 of the openstack snap. [/note]

Enabling LDAP

To enable the LDAP feature, run the following command:

sunbeam enable ldap

Disabling LDAP

To disable the LDAP feature, run the following command:

sunbeam disable ldap

Usage

Adding a domain

Adding a domain refers to integrating Keystone with one or more existing LDAP servers.

  1. Create a YAML file with details of how Keystone should integrate with the LDAP server. At a minimum, this should include a URL, user, password, and suffix. See the Keystone LDAP integration guide for configuration guidance.

    For example:

    dom1.yaml:

url: ldaps://ldap.example.com:636
user: cn=admin,dc=example,dc=com
password: mypassword
suffix: dc=example,dc=com

  1. If the connection requires TLS, place the CA certificate in a file:

    dom1.cert:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

  1. Use the sunbeam ldap add-domain command to set up the domain, adding the --ca-cert-file option if TLS is in use:

sunbeam ldap add-domain \
   --domain-config-file ./dom1.yaml \
   --ca-cert-file ./dom1.cert dom1

  1. A new LDAP-backed domain will be created in Keystone. Verify this with the native openstack CLI:

    openstack user list –domain dom1

+-------------------------------------------+---------------+
|                                           | Name          |
+-------------------------------------------+---------------+
| 941b5daa177ea518b5fc3b85fe9269729eb6abbb1 | John Hethel   |
| d3b9d2bea306a049d4f56d30d6bba97b24c6db882 | Ryan Trunch   |
| 7b699dc9a8037d6968c42c5b7b5d5a020d0f58e40 | Michael Diss  |
+-------------------------------------------+---------------+

Updating a domain

To update an LDAP domain the process is similar to adding one:

sunbeam ldap update-domain --domain-config-file ./dom1.yaml --ca-cert-file ./dom1.cert  dom1

Listing domains

To list LDAP domains:

sunbeam ldap list-domains

Removing a domain

To remove an LDAP domain:

sunbeam ldap remove-domain <domain-name>

[note type=“important”] Important: Since configuration (e.g. OpenStack projects) could have been made to the domain after it was added, the remove-domain command only removes the LDAP connection. To completely remove the domain, the openstack CLI should be used (i.e. openstack domain delete). [/note]