
ID #1273

How can I integrate Bright OpenStack 7.1 Keystone with LDAP/AD?

How can I integrate Keystone with LDAP?

Here it is assumed that OpenStack was set up by Bright Cluster Manager 7.1 and is up and running.

The following steps describe the procedure needed to configure Keystone to use LDAP as a backend for user authentication, instead of MySQL.

The OpenLDAP that Bright Cluster Manager provides is used here, but the instructions can be made to work with any other standard LDAP server.

The end result is a Keystone deployment which authenticates users against LDAP. But it still uses its local MySQL database for authorization, storing info on roles, projects, assignments, etc.

---

Credentials Retrieval From Keystone

First, disable the CMDaemon integration with OpenStack with the following commands using cmsh on the head node:

    $ cmsh -c 'openstack use default; set enabled 0; commit'

Next, get the currently configured usernames and passwords for the OpenStack services. Since we want Keystone to authenticate against LDAP, this will also include authentication of the OpenStack services.

The cmsh shell running on the head node can retrieve these pairs as follows:

    $ cmsh -c 'openstack settingscredentials; get cinderusername; get cinderpassword'
    $ cmsh -c 'openstack settingscredentials; get keystoneusername; get keystonepassword'
    $ cmsh -c 'openstack settingscredentials; get cmdaemonopenstackusername; get cmdaemonopenstackpassword'
    $ cmsh -c 'openstack settingscredentials; get glanceusername; get glancepassword'
    $ cmsh -c 'openstack settingscredentials; get heatusername; get heatpassword'
    $ cmsh -c 'openstack settingscredentials; get neutronusername; get neutronpassword'
    $ cmsh -c 'openstack settingscredentials; get novausername; get novapassword'
    $ cmsh -c 'openstack settingscredentials; get userec2username; get userec2password'
    $ echo admin && cmsh -c 'openstack settingscredentials; get mainadminpassword'

User creation

The next step is to create the OpenStack system users in LDAP using the credentials from the previous step. The users can be created by hand using cmgui or cmsh (Chapter 6 - User Management, Bright Cluster Manager administration manual [1]).

By default you will want to recreate all of the OpenStack system users in LDAP in the same way they were before you started the process (users nova, glance, keystone, etc.). However, in principle it is also possible to create just one (shared) user for all the services (e.g. cmd) and a separate admin user. This is handy in case of name conflicts in LDAP (e.g. a user 'nova' already existing), or if for some reason the administrator wants to limit the number of additional accounts in LDAP. If that is what you want to do, then after determining the new username(s) for the OpenStack services, and after creating those accounts in LDAP, you will have to update the credentials for those services in CMDaemon. This can be done with cmgui in the OpenStack menu -> Settings -> Credentials settings, or it can be done with cmsh as follows:

    $ cmsh -c 'openstack settingscredentials; set cinderusername <USER>; set cinderpassword <PASSWORD>; commit'
    $ cmsh -c 'openstack settingscredentials; set keystoneusername <USER>; set keystonepassword <PASSWORD>; commit'
    $ cmsh -c 'openstack settingscredentials; set cmdaemonopenstackusername <USER>; set cmdaemonopenstackpassword <PASSWORD>; commit'
    $ cmsh -c 'openstack settingscredentials; set glanceusername <USER>; set glancepassword <PASSWORD>; commit'
    $ cmsh -c 'openstack settingscredentials; set heatusername <USER>; set heatpassword <PASSWORD>; commit'
    $ cmsh -c 'openstack settingscredentials; set neutronusername <USER>; set neutronpassword <PASSWORD>; commit'
    $ cmsh -c 'openstack settingscredentials; set novausername <USER>; set novapassword <PASSWORD>; commit'
    $ cmsh -c 'openstack settingscredentials; set userec2username <USER>; set userec2password <PASSWORD>; commit'
    $ cmsh -c 'openstack settingscredentials; set mainadminpassword <PASSWORD>; commit'

OpenStack services can then be enabled again with the following command:

    $ cmsh -c 'openstack use default; set enabled 1; commit'

Modifying Keystone To Use LDAP

The Keystone configuration must now be modified to use the LDAP driver for the identity backend, and the MySQL driver for the assignment backend.

The password, the searchdn and the readonlyuser are extracted with the following command from the head node, because they are going to be needed soon:

    $ grep -E 'LDAPReadOnlyUser|LDAPReadOnlyPass|LDAPSearchDN' /cm/local/apps/cmd/etc/cmd.conf

The file '/etc/keystone/keystone.conf' is modified in the ldap section, using the crudini command for Keystone [2]. This should also be done on any Keystone server running on the passive head node:

    $ crudini --set /etc/keystone/keystone.conf ldap url ldap://master
    $ crudini --set /etc/keystone/keystone.conf ldap user cn=readonlyroot,dc=cm,dc=cluster
    $ crudini --set /etc/keystone/keystone.conf ldap password <PASSWORD>
    $ crudini --set /etc/keystone/keystone.conf ldap suffix dc=cm,dc=cluster
    $ crudini --set /etc/keystone/keystone.conf ldap use_dumb_member false
    $ crudini --set /etc/keystone/keystone.conf ldap allow_subtree_delete false
    $ crudini --set /etc/keystone/keystone.conf ldap user_tree_dn dc=cm,dc=cluster
    $ crudini --set /etc/keystone/keystone.conf ldap user_objectclass inetOrgPerson
    $ crudini --set /etc/keystone/keystone.conf ldap user_id_attribute entryUUID
    $ crudini --set /etc/keystone/keystone.conf ldap user_name_attribute uid
    $ crudini --set /etc/keystone/keystone.conf ldap user_mail_attribute mail
    $ crudini --set /etc/keystone/keystone.conf ldap user_pass_attribute userPassword
    $ crudini --set /etc/keystone/keystone.conf ldap user_id_attribute entryUUID
    $ crudini --set /etc/keystone/keystone.conf ldap user_allow_create false
    $ crudini --set /etc/keystone/keystone.conf ldap user_allow_update false
    $ crudini --set /etc/keystone/keystone.conf ldap user_allow_delete false
    $ crudini --set /etc/keystone/keystone.conf ldap group_tree_dn ou=Group,dc=cm,dc=cluster
    $ crudini --set /etc/keystone/keystone.conf ldap group_objectclass posixGroup
    $ crudini --set /etc/keystone/keystone.conf ldap group_id_attribute entryUUID
    $ crudini --set /etc/keystone/keystone.conf ldap group_name_attribute cn
    $ crudini --set /etc/keystone/keystone.conf ldap group_allow_create false
    $ crudini --set /etc/keystone/keystone.conf ldap group_allow_update false
    $ crudini --set /etc/keystone/keystone.conf ldap group_allow_delete false

For other LDAP servers the key/value pairs may differ. Two important keys are user_id_attribute and group_id_attribute: they must be mapped to unique values.

In the identity section of keystone.conf, the LDAP backend driver must be set with crudini or cmsh commands:

    $ crudini --set /etc/keystone/keystone.conf identity driver keystone.identity.backends.ldap.Identity

In the assignment section of keystone.conf, the SQL backend driver must be set with the crudini or cmsh commands:

    $ crudini --set /etc/keystone/keystone.conf assignment driver keystone.assignment.backends.sql.Assignment

Keystone must then be restarted on the head node:

    $ service openstack-keystone restart
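A check of the settings made in this section, as an added example that is not part of the original FAQ or of Bright's tooling: it reads the [identity], [assignment] and [ldap] keys back from a keystone.conf and reports drift from the values set above. The function names, the sample file and its placeholder password are constructed for illustration; use_tls is a standard Keystone [ldap] option that this page does not set.

```shell
#!/bin/sh
# Added example, not from the original FAQ: audit the keystone.conf keys set above.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION]; empty if unset.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                         # comment line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        insec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                      # last assignment wins
        }
        END { print val }
    ' "$1"
}

FAILS=0; WARNS=0
fail() { echo "FAIL $*"; FAILS=$((FAILS + 1)); }
warn() { echo "WARN $*"; WARNS=$((WARNS + 1)); }

# expect FILE SECTION KEY VALUE: exact match, otherwise a FAIL finding.
expect() {
    got=$(ini_get "$1" "$2" "$3")
    [ "$got" = "$4" ] || fail "[$2] $3 = '$got', expected '$4'"
}

# audit_keystone_ldap FILE: sets FAILS and WARNS, returns 0 only if FAILS is 0.
audit_keystone_ldap() {
    conf=$1; FAILS=0; WARNS=0
    expect "$conf" identity   driver keystone.identity.backends.ldap.Identity
    expect "$conf" assignment driver keystone.assignment.backends.sql.Assignment

    # Keystone only reads from the directory: all six write switches stay false.
    for obj in user group; do
        for op in create update delete; do
            v=$(ini_get "$conf" ldap "${obj}_allow_${op}" | tr 'A-Z' 'a-z')
            [ "$v" = false ] || fail "[ldap] ${obj}_allow_${op} = '$v', expected 'false'"
        done
    done

    # The ID attributes must be set explicitly and map to unique values.
    for k in user_id_attribute group_id_attribute; do
        [ -n "$(ini_get "$conf" ldap "$k")" ] || fail "[ldap] $k is not set"
    done

    [ -n "$(ini_get "$conf" ldap password)" ] || fail "[ldap] password is empty"

    # Plain ldap:// without StartTLS carries bind and user passwords unencrypted.
    url=$(ini_get "$conf" ldap url)
    tls=$(ini_get "$conf" ldap use_tls | tr 'A-Z' 'a-z')
    case $url in
        ldaps://*) ;;
        ldap://*)  [ "$tls" = true ] || warn "[ldap] url = '$url' without use_tls" ;;
        *)         fail "[ldap] url = '$url' is not an LDAP URL" ;;
    esac

    echo "$FAILS failure(s), $WARNS warning(s)"
    [ "$FAILS" -eq 0 ]
}

# write_sample_conf PATH: constructed keystone.conf fragment using this page's
# values, with one deliberate drift (user_allow_delete) for the audit to catch.
write_sample_conf() {
    cat > "$1" <<'EOF'
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldap://master
user = cn=readonlyroot,dc=cm,dc=cluster
password = CONSTRUCTED-PLACEHOLDER
suffix = dc=cm,dc=cluster
user_id_attribute = entryUUID
group_id_attribute = entryUUID
user_allow_create = false
user_allow_update = false
user_allow_delete = true
group_allow_create = false
group_allow_update = false
group_allow_delete = false
EOF
}

# Demo on the constructed sample; point audit_keystone_ldap at
# /etc/keystone/keystone.conf to check a real head node.
sample=$(mktemp)
write_sample_conf "$sample"
audit_keystone_ldap "$sample" || echo "fix the FAIL findings before relying on this config"
rm -f "$sample"
```
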

 
Getting A Token For The Admin User, And Assigning Roles

The token for the admin user is set using the following commands. The token is needed for the next step. Wait a few seconds before running the grep command:

    $ cmsh -c "openstack; settingscredentials; set admintoken $(openssl rand -hex 10); commit"
    $ grep admin_token= /etc/keystone/keystone.conf | grep -vE '^#'

The role is assigned to the admin and services users as follows (replace <TOKEN> with the token that was just grepped):

    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user admin --project bright admin
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user cmdaemon --project bright admin
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user glance --project service admin
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user glance --project service member
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user keystone --project service admin
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user keystone --project service member
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user nova --project service admin
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user nova --project service member
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user neutron --project service admin
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user neutron --project service member
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user admin --project service admin
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user admin --project service member
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user cinder --project service admin
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user cinder --project service member
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user heat --project service admin
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user heat --project service member
    $ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user cmdaemon --project service admin

an style="font-size: 12px; font-family: 'Courier New'; color: #000000; background-color: transparent; font-weight: normal; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline;">$ openstack --os-an class="highlight">toan>ken <an class="highlight">TOan>KEN> --os-url http://master:5000/v3 role add --user cmdaemon --project service memberan>

able>

 

If there is a single user for all the services, then run the following commands instead (replace <TOKEN> with the grepped token from earlier):

$ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user admin --project bright admin

$ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user cmdaemon --project bright admin

$ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user cmdaemon --project service admin

$ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user cmdaemon --project service member

$ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user admin --project service admin

$ openstack --os-token <TOKEN> --os-url http://master:5000/v3 role add --user admin --project service member
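The six single-service-user assignments can also be applied without typing the token as a command argument, where it would be visible in the process list and saved in shell history. This is an added example, not part of the original article; it assumes the openstack client reads OS_TOKEN and OS_URL from the environment as the equivalents of --os-token and --os-url, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: apply the single-service-user role assignments with the
# admin token supplied through the environment instead of the command line.
# Assumption: the client honours OS_TOKEN / OS_URL (the environment
# equivalents of --os-token / --os-url).

# user:project:role triples, copied from the six commands in the article.
ASSIGNMENTS="admin:bright:admin
cmdaemon:bright:admin
cmdaemon:service:admin
cmdaemon:service:member
admin:service:admin
admin:service:member"

# Print one command per triple. The token never appears in this output,
# so the plan is safe to log or paste into a change ticket.
plan_role_adds() {
    echo "$ASSIGNMENTS" | while IFS=: read -r user project role; do
        [ -n "$user" ] || continue
        echo "openstack role add --user $user --project $project $role"
    done
}

# Run the plan. DRY_RUN=1 only prints what would be executed.
# Returns 2 when the token or endpoint is missing, 1 when a command fails.
apply_role_adds() {
    if [ -z "${OS_TOKEN:-}" ] || [ -z "${OS_URL:-}" ]; then
        echo "OS_TOKEN and OS_URL must be set in the environment" >&2
        return 2
    fi
    plan_role_adds | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would run: $cmd"
        else
            $cmd || exit 1   # stop at the first failed assignment
        fi
    done
}

# Only touch Keystone when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_role_adds
fi
```

Export OS_URL=http://master:5000/v3 and read the token into OS_TOKEN with terminal echo disabled before running the script with --apply; unset OS_TOKEN afterwards.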

 

The configuration is now complete. It is now possible to log in with the admin user on the OpenStack dashboard, and assign a role to a user created by Bright Cluster Manager in the OpenLDAP.

 

That is, it is now possible, for example, to create a user in LDAP/AD and then immediately log in to Keystone as that user.

 

[1] http://support.brightcomputing.com/manuals/7.0/admin-manual.pdf

[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Cloud_Administrator_Guide/configuring-keystone-for-ldap-backend.html

Tags: keystone, LDAP
