Active Directory Integration with OpenStack keystone in Simple Steps

In this blog, we show how to integrate Active Directory with keystone, the OpenStack identity service.


SERVER CONFIGURATION

First, we created two VMs for the Active Directory and keystone integration:

  • VM1 – OpenStack controller, on which the keystone and dashboard services are installed.
  • VM2 – Windows 2016 with AD

Note: We are using Newton (the OpenStack release) for this demo.

PREREQUISITES:
  • Install the keystone and dashboard services on the controller machine before configuring the Active Directory integration with keystone.


PREPARING WINDOWS AD SERVER

USER AND GROUP CREATION
  • Log in to the Windows 2016 VM and add the Active Directory feature to it.

       Note: For testing purposes, we created a domain named ad.local

  • Log in to the Windows AD server and open the Active Directory Users & Computers snap-in.
  • Then create a new service account named svc-ldap

      Note: A service account is just a normal user account that is used by a service.

  • Create a new group named grp-openstack

[screenshot]

  • Add the svc-ldap user to the grp-openstack group.

[screenshot]

ADDING CERTIFICATE SNAP-IN
  • To integrate Active Directory with keystone, we need to export the LDAP certificate's public key from the AD domain controller. Go to Run and type MMC.

[screenshot]

  • Click the File menu and select Add/Remove Snap-in.

[screenshot]

  • From the available snap-ins, select Certificates and click the Add > button.

[screenshot]

  • A new screen pops up; in it, select Computer account and click Next.

[screenshot]

  • Select Local computer, click Finish, then click OK to complete this screen.

[screenshot]

  • The Certificates snap-in has now been added to the MMC console.

[screenshot]

EXPORTING THE CERTIFICATE
  • Expand the Personal – Certificates folder.

[screenshot]

  • You will find the server certificate listed under its FQDN. Double-click the certificate and select the Details tab. Scroll through the fields, click Enhanced Key Usage, and make sure it includes Server Authentication. Click OK to close the window.

[screenshot]

  • Right-click the certificate, go to All Tasks, and click Export.

[screenshot]

  • The export wizard welcome screen appears; click Next.


  • Select the option No, do not export the private key and click Next.

[screenshot]

  • Select the format DER encoded binary X.509 and click Next.

[screenshot]

  • Specify a filename for this certificate and click Next.

[screenshot]

  • Click Finish to complete the export process.

[screenshot]

  • Copy the exported server certificate to the controller machine's root path using the WinSCP tool.

[screenshot]

This completes the configuration on the Windows side.


CONTROLLER CONFIGURATION FOR ACTIVE DIRECTORY INTEGRATION WITH KEYSTONE

IMPORTING THE AD CERTIFICATES
  • Log in to the OpenStack controller VM, go to the folder where the Windows server certificate was copied, and execute the below command.

[screenshot]

This command converts the certificate from CER format to PEM.

Note: The command ends without any output.

  • Install the .pem on the controller VM by executing the below commands.

[screenshot]

Note: The commands end without any output.

  • Convert the .pem to .crt and copy it to the certificate directory.

[screenshot]


CONFIGURE ENVIRONMENT VARIABLE
  • We already created an environment variable source file while installing the keystone service; here that file is admin-openrc. Create a copy of it named overcloudrc-v3.

[screenshot]

  • Edit the new overcloudrc-v3 file and add the entries specified below.

[screenshot]

  • Save the file and execute the below command to source it.

[screenshot]


CONFIGURING KEYSTONE SERVICE
  • Once the environment variables are set up, execute the below command to configure SELinux.

[screenshot]

  • Now create the domains directory and change the ownership of the folder.

[screenshot]

  • Execute the below commands to configure the identity service for multiple back ends.

[screenshot]

Note: If the above commands fail with the error "openstack-config: command not found", install openstack-utils through yum.

  • Then open the /etc/openstack-dashboard/local_settings file and make sure the below lines are uncommented.

OPENSTACK_API_VERSIONS = {
    "identity": 3
}

OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True

OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'

[screenshot]

  • Restart the keystone and dashboard services to apply the changes.

[screenshot]

  • Retrieve the NetBIOS name of your AD DS domain.

[screenshot]

  • Create a new domain in OpenStack using the below command.

[screenshot]

Note: If this command does not execute properly, make sure the keystone environment variable file (overcloudrc-v3) was loaded before running it. The command to load the file is source overcloudrc-v3

UPDATING THE CONF FILE TO INTEGRATE ACTIVE DIRECTORY WITH KEYSTONE
  • To integrate Active Directory with keystone, create a new LDAP settings configuration file named after the AD domain. Execute the below command to create the new conf file.

[screenshot]

  • Paste the below configuration details into that conf file.

[ldap]
url                      = ldaps://win.ad.local:636
user                     = CN=svc-ldap,CN=Users,DC=ad,DC=local
password                 = test@123
suffix                   = DC=ad,DC=local
user_tree_dn             = CN=Users,DC=ad,DC=local
user_objectclass         = person
user_filter              = (memberOf=cn=grp-openstack,CN=Users,DC=ad,DC=local)
user_id_attribute        = sAMAccountName
user_name_attribute      = sAMAccountName
user_mail_attribute      = mail
user_pass_attribute      =
user_enabled_attribute   = userAccountControl
user_enabled_mask        = 2
user_enabled_default     = 512
user_attribute_ignore    = password,tenant_id,tenants
user_allow_create        = False
user_allow_update        = False
user_allow_delete        = False
use_tls                  = False
tls_cacertfile           = /etc/ssl/certs/win.ad.local.crt
query_scope              = sub
chase_referrals          = false

[identity]
driver                   = keystone.identity.backends.ldap.Identity

[screenshot]

  • Change the ownership of the configuration file to the keystone user.

[screenshot]
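The conf file above holds the svc-ldap bind password in clear text, which is why the ownership step matters. As an added check that is not part of the original post, the Python below lints such a domain conf for the settings that decide whether the bind is safe (ldaps:// or use_tls, a CA file so the DC certificate is validated, the three read-only user_allow_* flags, and the file mode) and shows how keystone evaluates user_enabled_mask = 2 against AD's userAccountControl. The sample config text, the file name keystone.AD.conf and the lint rules are constructed for this example; with an ldaps:// URL keystone expects use_tls = False (use_tls selects STARTTLS on a plain ldap:// connection) and validates the server certificate against tls_cacertfile.

```python
import configparser
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample mirroring the [ldap] section in the post (password is the post's demo value).
SAMPLE_CONF = """[ldap]
url                    = ldaps://win.ad.local:636
user                   = CN=svc-ldap,CN=Users,DC=ad,DC=local
password               = test@123
user_filter            = (memberOf=cn=grp-openstack,CN=Users,DC=ad,DC=local)
user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_allow_create      = False
user_allow_update      = False
user_allow_delete      = False
use_tls                = False
tls_cacertfile         = /etc/ssl/certs/win.ad.local.crt
"""

def ad_user_enabled(uac, mask=2):
    """Keystone's user_enabled_mask rule: enabled when the masked bit is clear (bit 2 = ACCOUNTDISABLE)."""
    return (int(uac) & mask) == 0

def lint_ldap_domain_conf(path):
    """Return a list of findings for a keystone domain-specific LDAP conf file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read(path)
    ldap = cp["ldap"]
    findings = []
    scheme = urlparse(ldap.get("url", "")).scheme
    if scheme != "ldaps" and not ldap.getboolean("use_tls", fallback=False):
        findings.append("bind password sent unencrypted: use ldaps:// or use_tls = True")
    if scheme == "ldaps" and not ldap.get("tls_cacertfile"):
        findings.append("ldaps:// without tls_cacertfile: AD server certificate is not validated")
    for key in ("user_allow_create", "user_allow_update", "user_allow_delete"):
        if ldap.getboolean(key, fallback=True):
            findings.append(f"{key} should be False so keystone never writes to AD")
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets other local users read the bind password")
    return findings

def lint_sample(mode=0o600, conf_text=SAMPLE_CONF):
    """Write the constructed sample to a temp file with the given mode and lint it."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp, "keystone.AD.conf")
        conf.write_text(conf_text)
        conf.chmod(mode)
        return lint_ldap_domain_conf(str(conf))
```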

  • Get the ID of the AD domain.

[screenshot]

  • Get the ID of the admin role.

[screenshot]

  • Using the above IDs, grant the admin role on the AD domain. Execute the command using the below syntax.

openstack role add --domain <domain ID> --user <admin user ID> <openstack admin role ID>

[screenshot]

  • Restart the HTTPD service to apply the changes.

[screenshot]

  • Now everything is set! If the configuration is correct, we will be able to list the AD users from OpenStack using the below command.

[screenshot]

Note: Make sure you have added the AD server entry in the /etc/hosts file.

[screenshot]

ADDING AD USERS TO ACCESS OPENSTACK RESOURCES
  • Log in to the OpenStack controller machine and retrieve the AD user list.

[screenshot]

  • Now retrieve the OpenStack role list.

[screenshot]

  • To grant the user admin access, use the below syntax.

openstack role add --project <project name> --user <user ID> <openstack role>

[screenshot]

In this demo, we granted the admin role to the user admin on the demo project.

  • Now we check whether we can log in to OpenStack using the AD user amal.

[screenshot]

  • We are able to log in to the dashboard with the AD user successfully.

[screenshot]


3 thoughts on “Active Directory Integration with OpenStack keystone in Simple Steps”

  1. I am facing a few issues while doing the integration with the openstack ocata release... getting an authorization error after the integration. Could you please help in solving this?

  2. Thanks for reading this blog. We tried the AD integration in the newton flavour and it worked fine. Have you followed all the steps which we showed on the blog?

  3. After selecting computer account while generating the certificate in the MMC console, I'm not getting the certificate folder under the personal folder?
