Merge "Cleanup LDAP integration guide"
This commit is contained in:
Zuul
Gerrit Code Review
commit
2810e95f9e
|
|
@ -12,14 +12,14 @@ Introduction
|
|||
LDAP support in keystone is read-only. You can use it to back an entire
|
||||
OpenStack deployment to a single LDAP server, or you can use it to back
|
||||
separate LDAP servers to specific keystone domains. Users within those domains
|
||||
will can authenticate against keystone, assume role assignments, and interact
|
||||
with other OpenStack services.
|
||||
can authenticate against keystone, assume role assignments, and interact with
|
||||
other OpenStack services.
|
||||
|
||||
Configuration
|
||||
=============
|
||||
|
||||
To deploy an OpenLDAP server, make sure ``ldap`` is added to the list of
|
||||
``ENABLED_SERVICES``::
|
||||
``ENABLED_SERVICES`` in the ``local.conf`` file::
|
||||
|
||||
enable_service ldap
|
||||
|
||||
|
|
@ -35,9 +35,9 @@ Devstack will prompt you for a password when running ``stack.sh`` if
|
|||
|
||||
At this point, devstack should have everything it needs to deploy OpenLDAP,
|
||||
bootstrap it with a minimal set of users, and configure it to back to a domain
|
||||
in keystone::
|
||||
in keystone. You can do this by running the ``stack.sh`` script::
|
||||
|
||||
./stack.sh
|
||||
$ ./stack.sh
|
||||
|
||||
Once ``stack.sh`` completes, you should have a running keystone deployment with
|
||||
a basic set of users. It is important to note that not all users will live
|
||||
|
|
@ -63,7 +63,7 @@ Listing Users
|
|||
To list all users in LDAP directly, you can use ``ldapsearch`` with the LDAP
|
||||
user bootstrapped by devstack::
|
||||
|
||||
ldapsearch -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
|
||||
$ ldapsearch -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
|
||||
-H ldap://localhost -b dc=openstack,dc=org
|
||||
|
||||
As you can see, devstack creates an OpenStack domain called ``openstack.org``
|
||||
|
|
@ -93,7 +93,7 @@ example LDIF that can be used to create a new LDAP user, let's call it
|
|||
|
||||
Now, we use the ``Manager`` user to create a user for Peter in LDAP::
|
||||
|
||||
ldapadd -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
|
||||
$ ldapadd -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
|
||||
-H ldap://localhost -c -f peter.ldif.in
|
||||
|
||||
We should be able to assign Peter roles on projects. After Peter has some level
|
||||
|
|
@ -125,7 +125,7 @@ Deleting Users
|
|||
We can use the same basic steps to remove users from LDAP, but instead of using
|
||||
LDIFs, we can just pass the ``dn`` of the user we want to delete::
|
||||
|
||||
ldapdelete -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
|
||||
$ ldapdelete -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
|
||||
-H ldap://localhost cn=peter,ou=Users,dc=openstack,dc=org
|
||||
|
||||
Group Management
|
||||
|
|
@ -153,7 +153,7 @@ Let's define a specific group with the following LDIF::
|
|||
We can create the group using the same ``ldapadd`` command as we did with
|
||||
users::
|
||||
|
||||
ldapadd -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
|
||||
$ ldapadd -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
|
||||
-H ldap://localhost -c -f guardian-group.ldif.in
|
||||
|
||||
If we check the group membership in Horizon, we'll see that only Peter is a
|
||||
|
|
@ -167,7 +167,7 @@ Deleting Groups
|
|||
|
||||
Just like users, groups can be deleted using the ``dn``::
|
||||
|
||||
ldapdelete -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
|
||||
$ ldapdelete -x -w LDAP_PASSWORD -D cn=Manager,dc=openstack,dc=org \
|
||||
-H ldap://localhost cn=guardians,ou=UserGroups,dc=openstack,dc=org
|
||||
|
||||
Note that this operation will not remove users within that group. It will only
|
||||
|
|
|
|||
Loading…
Reference in New Issue