You can configure LDAP authentication or modify your existing LDAP configuration.

VMware Integrated OpenStack supports the SQL identity backend plus one or more LDAP domains as identity sources, up to a maximum of 10 domains.

Important:

All LDAP attributes must use ASCII characters only.

Prerequisites

Contact your LDAP administrator or use tools such as ldapsearch or Apache Directory Studio to obtain the correct values for the LDAP settings before you start.

Procedure

  1. In the vSphere Web Client, select Home > VMware Integrated OpenStack > Manage.
  2. Click the Settings tab.
  3. Click Configure Identity Source.

    The panel displays the current configuration.

  4. Click the Add (plus sign) icon to configure a new LDAP source or the Edit (pencil) icon to modify an existing configuration.
  5. Enter your LDAP configuration.

    Option

    Description

    Active Directory domain name

    Specify the full Active Directory domain name.

    Keystone domain name

    Enter the Keystone domain name.

    Do not use default or local as the Keystone domain name; those names are reserved for the built-in domains.

    Bind user

    Enter the user name of the account that binds to Active Directory for LDAP requests. Use a dedicated service account with read-only directory access rather than an administrator account; Keystone only needs to read users and groups.

    Bind password

    Enter the bind user's password, which the LDAP client presents to the LDAP server on every bind.

    Domain controllers

    (Optional) Enter the IP addresses of one or more domain controllers, separated with commas (,).

    If you do not specify domain controllers, VMware Integrated OpenStack will automatically choose an existing Active Directory domain controller.

    Site

    (Optional) Enter a specific deployment site within your organization to limit LDAP searching to that site.

    User Tree DN

    (Optional) Enter the search base for users (for example, DC=vmware, DC=com).

    If you leave this blank, the top of the domain tree is used, which suits most Active Directory deployments.

    User Filter

    (Optional) Enter an LDAP search filter for users. Check the names in the Active Directory domain and use the filter to exclude any directory user whose name collides with an OpenStack service account, such as nova or cinder; otherwise the directory user and the service account would share a name in Keystone.

    Important:

    Active Directory returns at most 1,000 objects per search by default (the MaxPageSize LDAP policy). If your directory contains more than 1,000 objects (users and groups), you must apply a filter so that fewer than 1,000 objects are returned. For more information about filter syntax, see https://docs.microsoft.com/en-us/windows/desktop/ADSI/search-filter-syntax.

    Group tree DN

    (Optional) Enter the search base for groups. The LDAP suffix is used by default.

    Group filter

    (Optional) Enter an LDAP search filter for groups.

    LDAP admin user

    If the Keystone identity provider is configured to work with OpenLDAP, enter the LDAP admin user.

    You can select the Advanced settings check box to display additional LDAP configuration fields.

    Option

    Description

    Encryption

    Select None, SSL, or StartTLS. With None, the bind password and all directory traffic cross the network in cleartext; choose SSL (LDAPS) or StartTLS whenever the domain controllers support it.

    Hostname

    Enter the hostname of the LDAP server.

    Port

    Enter the port number to use on the LDAP server (commonly 389 for None or StartTLS and 636 for SSL).

    User objectclass

    (Optional) Enter the LDAP object class for users.

    User ID attribute

    (Optional) Enter the LDAP attribute mapped to the user ID. This value cannot be a multi-valued attribute, and because Keystone uses it to identify the user it should be an attribute that does not change when the user is renamed.

    User name attribute

    (Optional) Enter the LDAP attribute mapped to the user name.

    User mail attribute

    (Optional) Enter the LDAP attribute mapped to the user email.

    User password attribute

    (Optional) Enter the LDAP attribute mapped to the password.

    Group objectclass

    (Optional) Enter the LDAP object class for groups.

    Group ID attribute

    (Optional) Enter the LDAP attribute mapped to the group ID.

    Group name attribute

    (Optional) Enter the LDAP attribute mapped to the group name.

    Group member attribute

    (Optional) Enter the LDAP attribute mapped to the group member name.

    Group description attribute

    (Optional) Enter the LDAP attribute mapped to the group description.

  6. Click the Validate button to confirm your settings.

    Validation confirms that the bind (admin) user exists in the directory and that the combination of User Tree DN and User Filter returns users.

  7. Click OK.
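Several of the values above are worth checking before you click Validate: the ASCII-only rule for attributes, the shape of the User Tree DN, a User Filter that excludes service-account names and escapes special characters correctly, the 1,000-object limit, and whether the chosen Encryption leaves the bind in cleartext. The following script is an added example, not VMware code and not part of VMware Integrated OpenStack; the service-account names beyond nova and cinder, the sample settings (domain, host, port, bind user) and the directory entries are constructed for illustration. It builds the filter, evaluates it locally against the sample entries, and prints the equivalent OpenLDAP ldapsearch command so the same filter can be tried against a real domain controller by hand.

```python
"""Pre-flight checks for the values entered in the VIO Configure Identity Source
panel. Added example, not VMware code: the service-account list beyond nova and
cinder, the settings, host/port and the directory entries are constructed."""
import re
import shlex
from dataclasses import dataclass

# OpenStack service accounts live in Keystone's SQL backend; a directory user
# with the same name would collide with them, so the user filter excludes them.
RESERVED_SERVICE_NAMES = ("nova", "cinder", "glance", "neutron", "keystone")
AD_MAX_PAGE_SIZE = 1000  # Active Directory's default MaxPageSize LDAP policy


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


@dataclass
class UserFilter:
    """A user filter of the form (&(objectClass=...)(!(name=svc))...)."""
    objectclass: str = "user"
    name_attribute: str = "sAMAccountName"
    excluded_names: tuple = RESERVED_SERVICE_NAMES

    def render(self) -> str:
        """The filter string to paste into the User Filter field."""
        clauses = [f"(objectClass={escape_filter_value(self.objectclass)})"]
        clauses += [f"(!({self.name_attribute}={escape_filter_value(n)}))"
                    for n in self.excluded_names]
        return "(&" + "".join(clauses) + ")"

    def matches(self, entry: dict) -> bool:
        """Evaluate the same filter locally on an entry (attribute -> list of values)."""
        if self.objectclass not in entry.get("objectClass", []):
            return False
        # sAMAccountName uses a case-insensitive matching rule; LDAP NOT is true
        # when the attribute is absent, so only a present, excluded name fails.
        excluded = {n.lower() for n in self.excluded_names}
        return not any(v.lower() in excluded for v in entry.get(self.name_attribute, []))


def check_ascii(settings: dict) -> list:
    """Names of settings whose value contains non-ASCII characters (VIO requires ASCII)."""
    return [name for name, value in settings.items() if not str(value).isascii()]


RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, tolerating the 'DC=vmware, DC=com'
    spacing the panel's example uses; raises ValueError for a malformed RDN."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        part = part.strip()
        if not RDN_RE.match(part):
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr, value))
    return rdns


def is_valid_dn(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def ldapsearch_argv(settings: dict, f: UserFilter) -> list:
    """OpenLDAP ldapsearch command that tries the same filter by hand. -W prompts for
    the bind password so it never appears on the command line or in shell history."""
    scheme = "ldaps" if settings["encryption"] == "SSL" else "ldap"
    argv = ["ldapsearch", "-LLL", "-H", f"{scheme}://{settings['host']}:{settings['port']}"]
    if settings["encryption"] == "StartTLS":
        argv.append("-ZZ")  # require StartTLS; fail rather than fall back to cleartext
    argv += ["-D", settings["bind_user"], "-W",
             "-b", settings["user_tree_dn"].replace(", ", ","),
             "-E", f"pr={AD_MAX_PAGE_SIZE}/noprompt",  # page through large result sets
             f.render(), f.name_attribute]
    return argv


# Constructed sample settings and directory entries (not from a real directory).
SETTINGS = {
    "ad_domain": "corp.example.com", "keystone_domain": "corp",
    "bind_user": "svc-keystone-ldap@corp.example.com",
    "host": "dc01.corp.example.com", "port": 389, "encryption": "StartTLS",
    "user_tree_dn": "OU=People, DC=corp, DC=example, DC=com",
    "user_name_attribute": "sAMAccountName",
}
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"]},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["Nova"]},  # service-name collision
    {"objectClass": ["top", "group"], "sAMAccountName": ["cloud-admins"]},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["bob"]},
]


def preflight(settings: dict, entries: list) -> dict:
    """Everything to check before clicking Validate, as one report."""
    f = UserFilter(name_attribute=settings["user_name_attribute"])
    matched = [e for e in entries if f.matches(e)]
    return {
        "filter": f.render(),
        "non_ascii_settings": check_ascii(settings),
        "user_tree_rdns": parse_dn(settings["user_tree_dn"]),
        "matched_users": [e.get(f.name_attribute, ["?"])[0] for e in matched],
        "needs_tighter_filter": len(matched) >= AD_MAX_PAGE_SIZE,
        "cleartext_bind": settings["encryption"] == "None",
        "ldapsearch": shlex.join(ldapsearch_argv(settings, f)),
    }


if __name__ == "__main__":
    for key, value in preflight(SETTINGS, SAMPLE_ENTRIES).items():
        print(f"{key}: {value}")
```

The local `matches` evaluation is only a stand-in for what the domain controller will do; run the printed ldapsearch command against a real controller to confirm that the filter excludes the colliding names and that the result set stays under 1,000 objects, then enter the same filter in the User Filter field.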