Adds Plugin Guide.
Documentation of LDAP plugin for Fuel-9.0 was added. Change-Id: Ied40e1d731feea6eee8c306b3fdef6487da2038e
|
@ -5,6 +5,5 @@ Appendix
|
||||||
Links
|
Links
|
||||||
=========================
|
=========================
|
||||||
|
|
||||||
- `Mirantis OpenStack User Guide <https://docs.mirantis.com/openstack/fuel/fuel-7.0/user-guide.html>`_
|
- `Mirantis OpenStack Documentation Center <https://docs.mirantis.com/openstack/fuel/fuel-9.0/>`_
|
||||||
- `Fuel Plugins Catalog <https://www.mirantis.com/products/openstack-drivers-and-plugins/fuel-plugins/>`_
|
- `Fuel Plugins Catalog <https://www.mirantis.com/products/openstack-drivers-and-plugins/fuel-plugins/>`_
|
||||||
- `Quick Start Guide <https://software.mirantis.com/quick-start/>`_
|
|
||||||
|
|
|
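Review bot: the Quick Start Guide entry is dropped from the Links list here, but the installation page in this same change still sends the reader to a "Quick Start Guide" (now pointing at the fuel-docs install guide), and the configuration page links the fuel-docs user guide; add those two fuel-docs URLs to this Links section so the appendix matches the pages that cite them, and keep the URL scheme consistent (the remaining entries here use https, the fuel-docs links elsewhere in the change use http).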
@ -0,0 +1,16 @@
|
||||||
|
Release notes / Changelog
|
||||||
|
=========================
|
||||||
|
|
||||||
|
**3.0.0**
|
||||||
|
|
||||||
|
* Support of ldap proxy
|
||||||
|
* Compatibility with MOS 9.0
|
||||||
|
|
||||||
|
**2.0.0**
|
||||||
|
|
||||||
|
* Support of multi-domains
|
||||||
|
* Compatibility with MOS 8.0
|
||||||
|
|
||||||
|
**1.0.0**
|
||||||
|
|
||||||
|
* This is the first release of the plugin
|
|
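Review bot: "Support of ldap proxy" should read "Support of LDAP proxy" (capitalised as everywhere else in these docs), and the 3.0.0 entry should say what "Compatibility with MOS 9.0" means for earlier releases, since the requirements table in this change now lists only "Fuel 9.0" while the 2.0.0 entry still advertises "Compatibility with MOS 8.0". The MU-3 requirement carried by the 7.0-era pages is removed elsewhere in this change; if 9.0 really needs no maintenance update for the domain-aware Keystone providers, a line saying so belongs in this release note.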
@ -9,10 +9,10 @@ source_suffix = '.rst'
|
||||||
master_doc = 'index'
|
master_doc = 'index'
|
||||||
|
|
||||||
project = u'The LDAP plugin for Fuel'
|
project = u'The LDAP plugin for Fuel'
|
||||||
copyright = u'2015, Mirantis Inc.'
|
copyright = u'2016, Mirantis Inc.'
|
||||||
|
|
||||||
version = '1.0-1.0.0-1'
|
version = '3.0-3.0.0-1'
|
||||||
release = '1.0-1.0.0-1'
|
release = '3.0-3.0.0-1'
|
||||||
|
|
||||||
exclude_patterns = []
|
exclude_patterns = []
|
||||||
|
|
||||||
|
|
|
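Review bot: `version = '3.0-3.0.0-1'` and `release = '3.0-3.0.0-1'` are both set to the RPM name fragment; Sphinx expects `version` to be the short X.Y form and `release` the full version string, and the rest of the change identifies the plugin as "3.0.0" (the `fuel plugins` output in installation.rst and `ldap==3.0.0` in removal.rst). Use "3.0" and "3.0.0" here so the rendered title matches the package the reader installs. The copyright line replaces 2015 with 2016 rather than extending it; "2015-2016" keeps the original year.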
@ -5,26 +5,52 @@ Configuring LDAP plugin
|
||||||
#. Create a new OpenStack environment to use an existing LDAP server as authentication
|
#. Create a new OpenStack environment to use an existing LDAP server as authentication
|
||||||
backend for Keystone.
|
backend for Keystone.
|
||||||
For more information about environment creation, see `Mirantis OpenStack
|
For more information about environment creation, see `Mirantis OpenStack
|
||||||
User Guide <http://docs.mirantis.com/openstack
|
User Guide <http://docs.openstack.org/developer/fuel-docs
|
||||||
/fuel/fuel-7.0/user-guide.html#create-a-new-openstack-environment>`_.
|
/userdocs/fuel-user-guide/create-environment.html>`_.
|
||||||
|
|
||||||
#. Open *Settings* tab of the Fuel Web UI, scroll the page down and select
|
#. Open *Settings* tab of the Fuel Web UI, scroll the page down and select
|
||||||
the *LDAP plugin for Keystone* checkbox:
|
the *LDAP plugin for Keystone* checkbox:
|
||||||
|
|
||||||
.. image:: images/ldap-checkbox.png
|
.. image:: images/ldap_plugin.png
|
||||||
|
.. image:: images/enable_ldap_plugin.png
|
||||||
|
|
||||||
#. Fill in plugin settings into the text field. LDAP plugin features the following
|
#. Enter plugin settings into the text fields:
|
||||||
parameters to enter:
|
|
||||||
|
.. image:: images/settings.png
|
||||||
|
|
||||||
|
Specify domain name, LDAP URL, LDAP suffix:
|
||||||
|
|
||||||
|
.. image:: images/ldap_settings.png
|
||||||
|
.. image:: images/ldap_settings_suffix.png
|
||||||
|
|
||||||
|
Enable TLS use and put certificate if it is needed:
|
||||||
|
|
||||||
|
.. image:: images/tls_settings.png
|
||||||
|
|
||||||
|
Enable LDAP proxy and put custom config if it is needed:
|
||||||
|
|
||||||
|
.. image:: images/enable_ldap_proxy.png
|
||||||
|
.. image:: images/custom_proxy_configs.png
|
||||||
|
|
||||||
|
Specify LDAP user, password and other settings:
|
||||||
|
|
||||||
|
.. image:: images/user_ldap_settings.png
|
||||||
|
|
||||||
|
To use LDAP groups provide settings for it:
|
||||||
|
|
||||||
|
.. image:: images/group_ldap_settings.png
|
||||||
|
|
||||||
|
Fields description:
|
||||||
|
|
||||||
================================== ===============
|
================================== ===============
|
||||||
Field Comment
|
Field Comment
|
||||||
================================== ===============
|
================================== ===============
|
||||||
Domain name Name of the Keystone domain.
|
Domain name Name of the Keystone domain.
|
||||||
LDAP URL URL for connecting to the LDAP server.
|
LDAP URL URL for connecting to the LDAP server.
|
||||||
LDAP Suffix LDAP server suffix.
|
LDAP proxy Enable LDAP proxy.
|
||||||
Use TLS Enable TLS for communicating with the LDAP server.
|
Use TLS Enable TLS for communicating with the LDAP server.
|
||||||
CA Chain CA trust chain in PEM format.
|
CA Chain CA trust chain in PEM format.
|
||||||
|
LDAP Suffix LDAP server suffix.
|
||||||
LDAP User User BindDN to query the LDAP server.
|
LDAP User User BindDN to query the LDAP server.
|
||||||
LDAP User Password Password for the BindDN to query the LDAP
|
LDAP User Password Password for the BindDN to query the LDAP
|
||||||
server.
|
server.
|
||||||
|
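Review bot: "Enable TLS use and put certificate if it is needed:" presents TLS as optional, yet the same step has the reader enter "LDAP User Password" (the BindDN password) and the requirements page in this change says the LDAP server is reached "via Public network"; without "Use TLS" and a "CA Chain", that bind password and every user password Keystone forwards for authentication cross that network in clear text. Reword to recommend TLS whenever the server is not on an isolated network, say whether "Use TLS" means STARTTLS on the "LDAP URL" or an ldaps:// URL, and state what happens when "CA Chain" is left empty (system trust store, or no verification). Smaller points: "Fields description" should be "Field descriptions", and the table now places "LDAP Suffix" between "CA Chain" and "LDAP User" while the step text groups it with the domain name and URL; keep the table order matching the form.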
@ -45,31 +71,62 @@ Configuring LDAP plugin
|
||||||
Group Name Attribute LDAP attribute mapped to group name.
|
Group Name Attribute LDAP attribute mapped to group name.
|
||||||
Group Member Attribute LDAP attribute that maps user to group.
|
Group Member Attribute LDAP attribute that maps user to group.
|
||||||
Group description Attribute LDAP attribute mapped to description.
|
Group description Attribute LDAP attribute mapped to description.
|
||||||
|
Page Size Attribute Maximum results per page.
|
||||||
|
Chase referrals Attribute Referral chasing behavior for queries.
|
||||||
|
List of additional Domains Blocks of additional domains/parameters that should be created.
|
||||||
|
List of custom LDAP proxy configs List of custom LDAP proxy configs.
|
||||||
|
|
||||||
================================== ===============
|
================================== ===============
|
||||||
|
|
||||||
|
|
||||||
.. image:: images/settings.png
|
#. To deploy an environment with support of multiple domains 'List of additional Domains'
|
||||||
|
text area should be used. All needed parameters that describes a domain should be copied there,
|
||||||
|
all parameters form a block of parameters.
|
||||||
|
|
||||||
* Specify domain name, LDAP URL, LDAP suffix:
|
.. image:: images/additional_domains.png
|
||||||
|
|
||||||
.. image:: images/ldap_settings.png
|
To add multiple domains such block of parameters should be added
|
||||||
|
to 'List of additional Domains' text area and these blocks should
|
||||||
|
be separated by empty line.
|
||||||
|
|
||||||
* Enable TLS use and put certificate if it is needed:
|
#. To set up an environment with activated LDAP proxy 'LDAP proxy' checkbox should be selected.
|
||||||
|
When only 'LDAP proxy' checkbox is selected: it activates LDAP proxy for base domain and activates
|
||||||
|
LDAP proxy for additional domains if they have 'ldap_proxy=true' parameter in their configurations.
|
||||||
|
|
||||||
.. image:: images/tls_settings.png
|
.. image:: images/enable_ldap_proxy.png
|
||||||
|
.. image:: images/ldap_proxy_param.png
|
||||||
|
|
||||||
* Specify LDAP user, password and other settings:
|
In this case LDAP proxy configurations for LDAP domains are taken from templates located in the plugin.
|
||||||
|
Configurations from the templates have minimal functionality and they are intended for testing needs.
|
||||||
|
|
||||||
.. image:: images/user_ldap_settings.png
|
To specify custom settings for LDAP proxy 'List of custom LDAP proxy configs' text area should be used.
|
||||||
|
There can be specified base settings for a proxy service: 'includes', loglevel and etc. can be added to a
|
||||||
|
proxy configuration file. For this 'config_for' parameter with 'base_config' value should be specified and
|
||||||
|
after that needed settings should be added.
|
||||||
|
|
||||||
* To use LDAP groups, enter the corresponding values:
|
.. image:: images/proxy_base_config.png
|
||||||
|
|
||||||
.. image:: images/group_ldap_settings.png
|
To specify custom settings for LDAP domain 'config_for' parameter with <domain_name> value should be added
|
||||||
|
and after that custom settings can be specified.
|
||||||
|
|
||||||
|
.. image:: images/proxy_custom_config.png
|
||||||
|
|
||||||
#. Finalize environment configuration and run network verification check.
|
Blocks of custom settings should be separated by empty line.
|
||||||
Once done,
|
|
||||||
`deploy your environment <http://docs.mirantis.com/openstack/fuel/fuel-7.0/user-guide.html#deploy-changes>`_.
|
|
||||||
|
|
||||||
|
#.Continue with environment configuration and deploy it;
|
||||||
|
for instructions, see
|
||||||
|
`Fuel User Guide <http://docs.openstack.org/developer/fuel-docs/mitaka/userdocs/fuel-user-guide.html>`_.
|
||||||
|
|
||||||
|
#. After successful environment deployment log into dashboard in default domain:
|
||||||
|
|
||||||
|
.. image:: images/default_domain.png
|
||||||
|
|
||||||
|
#. Go to Identity -> Domains, select needed domain and 'Set Domain Context' for the domain:
|
||||||
|
|
||||||
|
.. image:: images/domains.png
|
||||||
|
.. image:: images/domain_context.png
|
||||||
|
|
||||||
|
#. Go to Identity -> Projects and select 'Create Project' to create a new project for the domain
|
||||||
|
and add user members to the project:
|
||||||
|
|
||||||
|
.. image:: images/project.png
|
||||||
|
.. image:: images/project_members.png
|
||||||
|
|
|
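Review bot: "#.Continue with environment configuration and deploy it;" is missing the space after "#.", so it will not render as a list item and the enumerated steps that follow restart their numbering; fix it to "#. Continue ...". The proxy paragraph says the template configurations "have minimal functionality and they are intended for testing needs" but never tells the reader not to deploy them as-is; make that an explicit warning and name what the templates lack, because a test-grade proxy in front of the authentication directory is exactly the kind of default that survives into production. The format of a block in "List of additional Domains" (and of a "config_for" block for the proxy) exists only in screenshots (images/additional_domains.png, images/proxy_base_config.png, images/proxy_custom_config.png); give one block as a literal text example so it can be copied and diffed. Grammar: "All needed parameters that describes a domain" should be "that describe". The fuel-docs link here uses `.../fuel-docs/mitaka/userdocs/fuel-user-guide.html` while the earlier hunk of this file uses `.../fuel-docs/userdocs/fuel-user-guide/create-environment.html`; pick one path layout.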
@ -17,9 +17,8 @@ Requirements
|
||||||
================================== ===============
|
================================== ===============
|
||||||
Requirement Version/Comment
|
Requirement Version/Comment
|
||||||
================================== ===============
|
================================== ===============
|
||||||
Fuel 7.0
|
Fuel 9.0
|
||||||
Pre-configured LDAP server
|
Pre-configured LDAP server
|
||||||
MU (Maintenance Update) 3
|
|
||||||
================================== ===============
|
================================== ===============
|
||||||
|
|
||||||
LDAP server should be pre-deployed and be accessible via Public network
|
LDAP server should be pre-deployed and be accessible via Public network
|
||||||
|
|
|
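Review bot: dropping "MU (Maintenance Update) 3" here matches the removal of the MU-3 step from installation.rst, which is consistent, but the unchanged line "LDAP server should be pre-deployed and be accessible via Public network" is now the only statement of where Keystone reaches the directory from; add that TLS ("Use TLS" with a "CA Chain" on the configuration page) is expected when the server is reached that way, and which port from the configured "LDAP URL" must be reachable from the controller nodes. The table should also say whether "Fuel 9.0" is the only supported release, since the changelog in this change still lists MOS 8.0 compatibility for 2.0.0.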
@ -2,57 +2,8 @@
|
||||||
User Guide
|
User Guide
|
||||||
==========
|
==========
|
||||||
|
|
||||||
|
|
||||||
#. After successfull environment deployment, log into Horizon into the default domain:
|
|
||||||
|
|
||||||
.. image:: images/default_domain.png
|
|
||||||
|
|
||||||
#. Go to Identity -> Domains, select the required domain and select
|
|
||||||
*Set Domain Context* for it:
|
|
||||||
|
|
||||||
.. image:: images/domains.png
|
|
||||||
.. image:: images/domain_context.png
|
|
||||||
|
|
||||||
#. Go to Identity -> Projects and select 'Create Project' to create a new project for the domain
|
|
||||||
and add user members to the project:
|
|
||||||
|
|
||||||
.. image:: images/project.png
|
|
||||||
.. image:: images/project_members.png
|
|
||||||
|
|
||||||
#. After successful deployment, all users from the LDAP directory matching the
|
#. After successful deployment, all users from the LDAP directory matching the
|
||||||
configured filter criteria can authenticate against Keystone. To validate the
|
configured filter criteria can authenticate against Keystone. To validate the
|
||||||
configuration, log into the Horizon dashboard using LDAP credentials:
|
configuration, log into the Horizon dashboard using LDAP credentials:
|
||||||
|
|
||||||
.. image:: images/dashboard.png
|
.. image:: images/dashboard.png
|
||||||
|
|
||||||
#. You can also try to obtain a token to validate authentication:
|
|
||||||
|
|
||||||
.. code-block:: bash
|
|
||||||
|
|
||||||
# curl -i -s -H "Content-Type: application/json" -d '
|
|
||||||
{ "auth": {
|
|
||||||
"identity": {
|
|
||||||
"methods": ["password"],
|
|
||||||
"password": {
|
|
||||||
"user": {
|
|
||||||
"name": "admin",
|
|
||||||
"domain": { "id": "default" },
|
|
||||||
"password": "admin"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"scope": {
|
|
||||||
"project": {
|
|
||||||
"name": "admin",
|
|
||||||
"domain": { "id": "default" }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}' http://<dashboard_ip>:5000/v3/auth/tokens
|
|
||||||
|
|
||||||
HTTP/1.1 201 Created
|
|
||||||
X-Subject-Token: 77a7c2da81f54bb7b46efefa7c7bb5ae
|
|
||||||
Vary: X-Auth-Token
|
|
||||||
Content-Type: application/json
|
|
||||||
Content-Length: 2173
|
|
||||||
|
|
||||||
|
|
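Review bot: removing the curl token request leaves "To validate the configuration, log into the Horizon dashboard using LDAP credentials" and a screenshot as the only check on this page. The removed example was also weak evidence: it authenticated "name": "admin" with "domain": { "id": "default" }, and the default domain is the one the configuration page in this change tells the reader to log into before switching context to the LDAP domain, so the request never touched the LDAP backend. Rather than dropping it, replace it with a v3 token request that names the LDAP-backed domain and an LDAP user and state the expected 201 Created; that version fails when the bind DN, suffix or filter is wrong instead of passing on local credentials.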
|
@ -9,9 +9,13 @@ Plugin Guide
|
||||||
:maxdepth: 2
|
:maxdepth: 2
|
||||||
|
|
||||||
description
|
description
|
||||||
|
changelog
|
||||||
|
limitations
|
||||||
installation
|
installation
|
||||||
configuration
|
configuration
|
||||||
guide
|
guide
|
||||||
|
verification
|
||||||
|
troubleshooting
|
||||||
appendix
|
appendix
|
||||||
|
|
||||||
|
|
||||||
|
|
|
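Review bot: after the guide.rst hunk in this change, `guide` holds a single step (Horizon login with LDAP credentials plus images/dashboard.png) and the new `verification` page repeats that same check; fold guide into verification, or move the domain-context walkthrough that went into configuration back into guide, so the toctree does not list two pages for one action. Ordering nit: `changelog` sits between `description` and `limitations`; release notes usually close the guide next to `appendix`.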
@ -13,27 +13,20 @@ To install LDAP plugin, follow these steps:
|
||||||
|
|
||||||
#. Copy the plugin on an already installed Fuel Master node (SSH can be used for
|
#. Copy the plugin on an already installed Fuel Master node (SSH can be used for
|
||||||
that). If you do not have the Fuel Master node yet, see `Quick Start Guide
|
that). If you do not have the Fuel Master node yet, see `Quick Start Guide
|
||||||
<https://software.mirantis.com/quick-start/>`_:
|
<http://docs.openstack.org/developer/fuel-docs/userdocs/fuel-install-guide/install/install_install_fuel_master_node.html>`_::
|
||||||
|
|
||||||
.. code-block:: bash
|
# scp ldap-3.0-3.0.0-1.noarch.rpm root@<Fuel_Master_IP>:/tmp
|
||||||
|
|
||||||
# scp ldap-1.0-1.0.0-1.noarch.rpm root@<Fuel_Master_IP>:/tmp
|
#. Log into the Fuel Master node. Install the plugin::
|
||||||
|
|
||||||
#. Log into the Fuel Master node. Install the plugin:
|
# cd /tmp
|
||||||
|
# fuel plugins --install ldap-3.0-3.0.0-1.noarch.rpm
|
||||||
.. code-block:: bash
|
|
||||||
|
|
||||||
# cd /tmp
|
|
||||||
# fuel plugins --install ldap-1.0-1.0.0-1.noarch.rpm
|
|
||||||
|
|
||||||
#. Check if the plugin was installed successfully
|
#. Check if the plugin was installed successfully
|
||||||
|
|
||||||
.. code-block:: bash
|
::
|
||||||
|
|
||||||
# fuel plugins
|
# fuel plugins
|
||||||
id | name | version | package_version
|
id | name | version | package_version | releases
|
||||||
---|--------------|----------|----------------
|
---+------+---------+-----------------+--------------------
|
||||||
1 | ldap | 1.0.0 | 2.0.0
|
1 | ldap | 3.0.0 | 3.0.0 | ubuntu (mitaka-9.0)
|
||||||
|
|
||||||
#. MU-3 (Maintenance Update) should be installed to provide proper work of keystone providers
|
|
||||||
with domains during deployment process.
|
|
||||||
|
|
|
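Review bot: the link text still says "Quick Start Guide" while the URL now points at the fuel-docs page `install_install_fuel_master_node.html`, which is the Fuel Installation Guide; rename the link text to match. The procedure copies an RPM over SSH and runs `# fuel plugins --install ldap-3.0-3.0.0-1.noarch.rpm` as root on the Fuel Master with no integrity check; add a step that compares the package checksum or RPM signature against the value published with the release before installing. Switching from `.. code-block:: bash` to `::` loses shell highlighting for these blocks while the troubleshooting page added in the same change keeps `.. code-block:: bash`; use one style.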
@ -0,0 +1,11 @@
|
||||||
|
LDAP plugin limitations
|
||||||
|
-----------------------
|
||||||
|
|
||||||
|
#. LDAP plugin has the following limitations:
|
||||||
|
|
||||||
|
- Installation of LDAP plugin before deployment only;
|
||||||
|
- Fuel will not validate the settings, e.g., by attempting to connect to the LDAP server;
|
||||||
|
- In multidomain configuration the attributes of the first domain are filled in the web form,
|
||||||
|
whereas the attributes of other domains are filled in one field;
|
||||||
|
- The settings of domains determined in “List of additional Domains” field will not be validated;
|
||||||
|
- The settings of proxy determined in "List of custom LDAP proxy configs" field will not be validated;
|
|
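Review bot: "Installation of LDAP plugin before deployment only;" is ambiguous; say that the plugin must be installed and enabled before the environment is deployed and cannot be added to an already deployed environment, if that is what is meant. The three "will not be validated" items are the security-relevant ones: a mistake in "List of additional Domains" or "List of custom LDAP proxy configs" (a block with TLS left off, or the wrong suffix) only surfaces at deployment or at first login, so point the reader from here to the `ldapsearch` and `openstack domain list` checks on the troubleshooting page. Formatting: a one-item "#." list should be a plain paragraph, the items mix curly quotes (“List of additional Domains”) with straight quotes, and the list ends with ";" instead of ".".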
@ -5,12 +5,10 @@ Delete all environments, in which the LDAP plugin has been enabled.
|
||||||
|
|
||||||
#. Uninstall the plugin::
|
#. Uninstall the plugin::
|
||||||
|
|
||||||
# fuel plugins --remove ldap==1.0.0
|
# fuel plugins --remove ldap==3.0.0
|
||||||
|
|
||||||
#. Check if the plugin was uninstalled successfully::
|
#. Check if the plugin was uninstalled successfully::
|
||||||
|
|
||||||
# fuel plugins$
|
# fuel plugins
|
||||||
id | name | version | package_version
|
id | name | version | package_version | releases
|
||||||
---|---------------------------|----------|------
|
---+------+---------+-----------------+---------
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
===============
|
||||||
|
Troubleshooting
|
||||||
|
===============
|
||||||
|
|
||||||
|
Checking presence of LDAP domain/users
|
||||||
|
======================================
|
||||||
|
|
||||||
|
To get a list of domains in keystone run the following command on Controller node:
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
OS_IDENTITY_API_VERSION=3 openstack domain list
|
||||||
|
|
||||||
|
To get a list of users in a domain run the following command on Controller node:
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
OS_IDENTITY_API_VERSION=3 openstack user list --quiet --long --domain <domain_name>
|
||||||
|
|
||||||
|
Checking LDAP server availability
|
||||||
|
=================================
|
||||||
|
|
||||||
|
To check LDAP server availability run the following command on Controller node:
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
ldapsearch -H ldap://<url/ip_address> -x -b dc=<ldap>,dc=<suffix>
|
||||||
|
|
||||||
|
LDAP plugin log files
|
||||||
|
=====================
|
||||||
|
|
||||||
|
As LDAP plugin only updates keystone configuration files to check keystone
|
||||||
|
service, these files keep logs:
|
||||||
|
|
||||||
|
/var/log/apache2/keystone_wsgi_admin_access.log
|
||||||
|
|
||||||
|
/var/log/apache2/keystone_wsgi_admin_error.log
|
||||||
|
|
||||||
|
/var/log/apache2/keystone_wsgi_main_access.log
|
||||||
|
|
||||||
|
/var/log/apache2/keystone_wsgi_main_error.log
|
|
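Review bot: `ldapsearch -H ldap://<url/ip_address> -x -b dc=<ldap>,dc=<suffix>` performs an anonymous simple bind over plain ldap://, so it proves reachability only; it exercises neither the BindDN and password nor the TLS settings the plugin was configured with, and a directory that refuses anonymous binds makes this command fail on a healthy server. Show it with the configured bind identity (`-D <BindDN> -W`) and, when "Use TLS" is set, with `-ZZ` or an ldaps:// URL and the same CA chain, so the check follows the path Keystone uses. The two `openstack` commands need admin credentials sourced first (the openrc file on the controller); say so, or they fail with an authentication error unrelated to LDAP. "As LDAP plugin only updates keystone configuration files to check keystone service, these files keep logs:" is garbled; something like "The plugin only changes the Keystone configuration, so the Keystone Apache logs are where to look:" followed by the four paths in one literal block reads correctly.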
@ -0,0 +1,12 @@
|
||||||
|
LDAP plugin validation
|
||||||
|
----------------------
|
||||||
|
|
||||||
|
#. To validate that LDAP plugin is successfully applied after deployment:
|
||||||
|
|
||||||
|
- Log into Horizon using domain/user credentials from LDAP server;
|
||||||
|
- Create an instance;
|
||||||
|
|
||||||
|
Expecting results:
|
||||||
|
|
||||||
|
- All LDAP users can authenticate via Keystone;
|
||||||
|
- An instance is successfully created;
|
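Review bot: "All LDAP users can authenticate via Keystone;" overstates the expected result; guide.rst in this change says only users "matching the configured filter criteria" can, so the expected result should be that a user inside the filter logs in and a user outside it, or with a wrong password, is rejected. A verification that checks only the positive case cannot distinguish a working filter from an over-broad one. "Expecting results" should be "Expected results", and "Create an instance" exercises Nova rather than the LDAP backend; the domain and user list commands from the troubleshooting page would make a better second step.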