In this blog post, we show how to integrate Active Directory with Keystone, the OpenStack identity service, so that AD users can log in to OpenStack.
SERVER CONFIGURATION
First of all, we created two VMs to integrate Active Directory with Keystone.
- VM1 – OpenStack controller, with the Keystone (identity) and Dashboard services installed.
- VM2 – Windows Server 2016 with Active Directory Domain Services (AD DS).
Note: We are using the Newton OpenStack release for this demo.
PREREQUISITES:
- Install the Keystone and Dashboard services on the controller machine before integrating Active Directory with Keystone.
PREPARING WINDOWS AD SERVER
USER AND GROUP CREATION
- Log in to the Windows Server 2016 VM and add the Active Directory Domain Services role.
Note: For testing purposes, we created a domain named ad.local.
- Log in to the AD server and open the Active Directory Users and Computers snap-in.
- Create a new service account named svc-ldap. Keystone binds to AD with this account and only reads user entries, so it needs no privileges beyond those of an ordinary domain user.
Note: A service account is nothing but a normal user account that is used by a service instead of a person.
- Create a new group named grp-openstack. Only members of this group will be visible to Keystone, because the LDAP user filter configured later restricts users to this group.
- Add the svc-ldap user to the grp-openstack group.
ADDING CERTIFICATE SNAP-IN
- To integrate Active Directory with Keystone over LDAPS, we need to export the LDAP server certificate (public key only) from the AD domain controller. Go to Run and type mmc.
- Click the File menu and select Add/Remove Snap-in.
- From the available snap-ins, select Certificates and click the Add > button.
- In the pop-up that appears, select Computer account and click Next.
- Select Local computer, click Finish, then OK to close the dialog.
- The Certificates snap-in has now been added to the MMC console.
EXPORTING THE CERTIFICATE
- Expand the Personal – Certificates folder.
- You will find the server certificate issued to the domain controller's FQDN. Double-click the certificate and select the Details tab. Scroll down to the Enhanced Key Usage field and make sure it includes Server Authentication, then click OK to close the window. Note the FQDN: the host name you later put in the ldaps:// URL must match the certificate's subject or subject alternative name, or the TLS connection from Keystone will fail.
- Right-click the certificate, go to All Tasks and click Export.
- The Certificate Export Wizard welcome screen appears; click Next.
- Select "No, do not export the private key" and click Next. The private key stays on the domain controller; Keystone only needs the public certificate to verify the server.
- Select the format DER encoded binary X.509 (.CER) and click Next.
- Specify a file name for the certificate and click Next.
- Click Finish to complete the export.
- Copy the exported server certificate to the controller machine's root path using the WinSCP tool.
This completes the configuration on the Windows side.
CONTROLLER CONFIGURATION FOR INTEGRATING ACTIVE DIRECTORY WITH KEYSTONE
IMPORTING THE AD CERTIFICATES
- Log in to the OpenStack controller VM, change to the folder where the Windows server certificate was copied, and convert it from DER (.cer) format to PEM.
Note: The conversion completes without any output.
- Install the .pem file into the controller's trust store.
Note: This step also completes without any output.
- Copy the .pem file to the certificate directory under a .crt name (the content is the same PEM encoding; only the extension changes). This is the path the LDAP configuration will later reference in tls_cacertfile.
CONFIGURING THE ENVIRONMENT FILE
- We already created an environment (openrc) file while installing the Keystone service; here it is admin-openrc. Create a copy of it named overcloudrc-v3.
- Edit the new overcloudrc-v3 file and add the entries needed for the Identity API v3 (domains are a v3 feature, so v2 credentials cannot manage them).
- Save the file and source it so the variables take effect.
CONFIGURING KEYSTONE SERVICE
- Once the environment is set up, configure SELinux so that the identity service is allowed to connect to LDAP.
- Now create the domains directory and change its ownership to the keystone user.
- Configure the identity service for domain-specific back-ends (one identity back-end per domain).
Note: If you receive the error "openstack-config: command not found" while running these commands, install the openstack-utils package with yum.
- Then open /etc/openstack-dashboard/local_settings and make sure the following lines are present and uncommented:
OPENSTACK_API_VERSIONS = {
    "identity": 3
}
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
- Restart the Keystone and Dashboard services to apply the changes (on Newton both run under httpd by default, so restarting httpd covers both).
- Retrieve the NetBIOS name of your AD DS domain (AD in our case); we use it as the name of the Keystone domain.
- Create a new domain in OpenStack with that name.
Note: If the command fails, make sure the Keystone v3 environment file (overcloudrc-v3) was sourced before running it: source overcloudrc-v3
UPDATING THE CONF FILE TO INTEGRATE ACTIVE DIRECTORY WITH KEYSTONE
- Create a new LDAP settings file for the domain in the domains directory, named after the domain: keystone.AD.conf. Keystone loads one keystone.<domain name>.conf file per domain from domain_config_dir, so the name must match the domain exactly.
- Paste the following configuration into that conf file.
[ldap]
url = ldaps://win.ad.local:636
user = CN=svc-ldap,CN=Users,DC=ad,DC=local
password = test@123
suffix = DC=ad,DC=local
user_tree_dn = CN=Users,DC=ad,DC=local
user_objectclass = person
user_filter = (memberOf=cn=grp-openstack,CN=Users,DC=ad,DC=local)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False
use_tls = False
tls_cacertfile = /etc/ssl/certs/win.ad.local.crt
query_scope = sub
chase_referrals = false

[identity]
driver = keystone.identity.backends.ldap.Identity
Note: The url uses ldaps:// on port 636, so use_tls (which means StartTLS on port 389) stays False and tls_cacertfile points at the certificate we imported; the host name in the url must match that certificate. user_enabled_attribute and user_enabled_mask map bit 2 (ACCOUNTDISABLE) of AD's userAccountControl to Keystone's enabled flag, and the user_allow_* settings keep Keystone read-only against AD. In Newton the documented value for driver is the short name ldap; the full class path above still loads but is deprecated. Replace test@123 with the real svc-ldap password.
- Change ownership of the configuration file to the keystone user, and make it readable only by that user and group (for example mode 640): it contains the svc-ldap bind password in clear text.
- Get the ID of the AD domain.
- Get the ID of the admin role (and the ID of the admin user).
- Using these IDs, grant the admin user the admin role on the AD domain, so that the existing admin account can manage the new domain. The syntax is:
openstack role add --domain <domain ID> --user <admin user ID> <openstack admin role ID>
- Restart the httpd service to apply the changes.
- Now everything is set. If the configuration is correct, we can list the AD users from OpenStack.
Note: Make sure the AD server has an entry in /etc/hosts on the controller (or resolves in DNS); the ldaps:// URL and its certificate check use that host name.
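The controller-side steps, from the certificate import through the AD user listing, collected into one script as an added example (this is not the post's own command set). It takes the host name win.ad.local, the Keystone domain name AD and the svc-ldap / grp-openstack DNs from the post's configuration; everything else is assumed: a RHEL/CentOS controller (yum, SELinux, /etc/pki/ca-trust), the openssl and openstack-utils tools, a sourced Identity v3 openrc (overcloudrc-v3), the exported .cer copied to /root, the SELinux boolean authlogin_nsswitch_use_ldap, and the short driver name ldap that Newton documents in place of the full class path. The bind password is read from an environment variable rather than typed on the command line. Beyond the post's steps it adds two checks: check_domain_conf refuses a domain config that is world-readable or binds over plaintext LDAP, and ad_account_enabled shows the userAccountControl bit that user_enabled_mask = 2 refers to. Run it without arguments to load the functions, or with apply as root on the controller to perform the steps.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands. Assumed from the post: AD host
# win.ad.local, Keystone domain "AD", the svc-ldap / grp-openstack DNs. Assumed
# here: RHEL/CentOS paths, openssl, openstack-utils, a sourced v3 openrc.
set -u

AD_HOST="win.ad.local"
AD_DOMAIN="AD"                                  # must equal the Keystone domain name
CERT_DER="/root/${AD_HOST}.cer"                 # DER export from the MMC wizard (assumed path)
CA_DIR="/etc/pki/ca-trust/source/anchors"       # system trust anchors on RHEL/CentOS
DOMAIN_DIR="/etc/keystone/domains"
CONF="${DOMAIN_DIR}/keystone.${AD_DOMAIN}.conf" # Keystone loads keystone.<domain>.conf

# Write the domain-specific LDAP back-end config (same settings as the post;
# driver uses the short entry-point name documented for Newton).
render_domain_conf() {    # $1 = output file, $2 = svc-ldap bind password
  cat >"$1" <<EOF
[ldap]
url = ldaps://${AD_HOST}:636
user = CN=svc-ldap,CN=Users,DC=ad,DC=local
password = $2
suffix = DC=ad,DC=local
user_tree_dn = CN=Users,DC=ad,DC=local
user_objectclass = person
user_filter = (memberOf=cn=grp-openstack,CN=Users,DC=ad,DC=local)
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False
use_tls = False
tls_cacertfile = /etc/ssl/certs/${AD_HOST}.crt
query_scope = sub
chase_referrals = false

[identity]
driver = ldap
EOF
}

# Sanity-check the file before Keystone reads it: the bind password sits in it
# in clear text, so it must not be world-readable, and the bind must be
# protected by ldaps:// (or ldap:// with use_tls = True, i.e. StartTLS).
# Returns 0 when clean, 1 otherwise, printing one line per finding.
check_domain_conf() {     # $1 = conf file
  local f="$1" rc=0 mode url tls
  mode=$(stat -c '%a' "$f")
  case "$mode" in 600|640) ;; *) echo "FAIL: $f is mode $mode, want 640"; rc=1 ;; esac
  url=$(sed -n 's/^url *= *//p' "$f")
  tls=$(sed -n 's/^use_tls *= *//p' "$f")
  case "$url" in
    ldaps://*) ;;
    ldap://*) [ "$tls" = "True" ] || { echo "FAIL: bind password would cross the wire in clear: $url"; rc=1; } ;;
    *) echo "FAIL: unexpected url: $url"; rc=1 ;;
  esac
  grep -q '^user_allow_create *= *False' "$f" || { echo "FAIL: Keystone may create objects in AD"; rc=1; }
  return "$rc"
}

# userAccountControl is a bitmask; user_enabled_mask = 2 tells Keystone that a
# set bit 0x2 (ACCOUNTDISABLE) means "disabled". 512 = enabled normal account.
ad_account_enabled() {    # $1 = userAccountControl value; exit 0 if enabled
  [ $(( $1 & 2 )) -eq 0 ]
}

# Run with "apply" on the controller (as root) to perform the actual steps.
if [ "${1:-}" = "apply" ]; then
  set -e
  : "${SVC_LDAP_PASSWORD:?export SVC_LDAP_PASSWORD (svc-ldap bind password) first}"
  getent hosts "$AD_HOST" >/dev/null || { echo "$AD_HOST must resolve (DNS or /etc/hosts)"; exit 1; }
  # 1. DER -> PEM at the path tls_cacertfile points at, then trust it system-wide
  openssl x509 -inform der -in "$CERT_DER" -out "/etc/ssl/certs/${AD_HOST}.crt"
  cp "/etc/ssl/certs/${AD_HOST}.crt" "${CA_DIR}/${AD_HOST}.crt" && update-ca-trust
  openssl s_client -connect "${AD_HOST}:636" -CAfile "/etc/ssl/certs/${AD_HOST}.crt" \
    -verify_hostname "$AD_HOST" -verify_return_error </dev/null >/dev/null  # chain + name check
  # 2. SELinux boolean for LDAP auth lookups, then domain-specific back-ends
  setsebool -P authlogin_nsswitch_use_ldap on
  install -d -o keystone -g keystone -m 750 "$DOMAIN_DIR"
  openstack-config --set /etc/keystone/keystone.conf identity domain_specific_drivers_enabled true
  openstack-config --set /etc/keystone/keystone.conf identity domain_config_dir "$DOMAIN_DIR"
  # 3. the domain and its LDAP config, locked down to the keystone user
  openstack domain create "$AD_DOMAIN"
  render_domain_conf "$CONF" "$SVC_LDAP_PASSWORD"
  chown keystone:keystone "$CONF" && chmod 640 "$CONF"
  check_domain_conf "$CONF"
  systemctl restart httpd                        # Keystone and Horizon run under httpd
  # 4. let the SQL-backed admin manage the new domain, then verify the lookup
  openstack role add --domain "$AD_DOMAIN" --user admin --user-domain Default admin
  openstack user list --domain "$AD_DOMAIN"
fi
```

The role grant at the end only gives the existing admin user rights over the AD domain; the project-level role that lets an individual AD user log in (next section) is a separate openstack role add --project call. If check_domain_conf reports a finding, fix the file before restarting httpd rather than after, so a misconfigured back-end never goes live.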
ADDING AD USERS TO ACCESS OPENSTACK RESOURCES
- Log in to the OpenStack controller machine and retrieve the AD user list.
- Now retrieve the OpenStack role list.
- Grant the user a role on a project using the following syntax:
openstack role add --project <project name> --user <user ID> <openstack role>
In this demo, we granted the admin role on the demo project to the AD user. (A less privileged role such as _member_ is sufficient for a user who only needs to log in and use the project's resources.)
- Now we check whether we can log in to OpenStack with the AD user amal.
- We were able to log in to the Dashboard with the AD user successfully.