You can configure LDAP authentication or modify your existing LDAP configuration.

VMware Integrated OpenStack supports SQL plus one or more LDAP domains as identity sources, up to a maximum of 10 domains.

Important: All LDAP attributes must use ASCII characters only.

Prerequisites

Contact your LDAP administrator or use tools such as ldapsearch or Apache Directory Studio to obtain the correct values for LDAP settings.

Procedure

  1. In the vSphere Client, select Menu > VMware Integrated OpenStack.
  2. Click OpenStack Deployments and open the Manage tab.
  3. On the Settings tab, click Configure Identity Source.
  4. Click the Add (plus sign) icon to configure a new LDAP source or the Edit (pencil) icon to modify an existing configuration.
  5. Enter your LDAP configuration.
    Active Directory domain name
      Specify the full Active Directory domain name.

    Keystone domain name
      Enter the Keystone domain name for the LDAP source. Do not use default or local as the Keystone domain.

    Bind user
      Enter the user name to bind to Active Directory for LDAP requests.

    Bind password
      Enter the password for the bind user; it allows the LDAP client to access the LDAP server.

    Domain controllers
      (Optional) Enter the IP addresses of one or more domain controllers, separated by commas (,). If you do not specify a domain controller, VMware Integrated OpenStack automatically chooses an existing Active Directory domain controller.

    Site
      (Optional) Enter a specific deployment site within your organization to limit LDAP searches to that site.

    User Tree DN
      (Optional) Enter the search base for users (for example, DC=vmware,DC=com). In most Active Directory deployments, the top of the user tree is used by default.

    User Filter
      (Optional) Enter an LDAP search filter for users.

      Important: If your directory contains more than 1,000 objects (users and groups), you must apply a filter so that fewer than 1,000 objects are returned. For more information about filters, see Search Filter Syntax in the Microsoft documentation.

    Group tree DN
      (Optional) Enter the search base for groups. The LDAP suffix is used by default.

    Group filter
      (Optional) Enter an LDAP search filter for groups.

    LDAP admin user
      Enter an LDAP user to act as an administrator for the domain. If you specify an LDAP admin user, the admin project is created in the Keystone domain for LDAP and this user is assigned the admin role in that project. This user can then log in to Horizon and perform other operations in the Keystone domain for LDAP.

      If you do not specify an LDAP admin user, you must use the OpenStack command-line interface to add a project to the Keystone domain for LDAP and assign the admin role to an LDAP user in that project.

    You can select the Advanced settings check box to display additional LDAP configuration fields.
    Encryption
      Select None, SSL, or StartTLS.

    Hostname
      Enter the hostname of the LDAP server.

    Port
      Enter the port number to use on the LDAP server.

    User objectclass
      (Optional) Enter the LDAP object class for users.

    User ID attribute
      (Optional) Enter the LDAP attribute mapped to the user ID. This attribute must be single-valued.

    User name attribute
      (Optional) Enter the LDAP attribute mapped to the user name.

    User mail attribute
      (Optional) Enter the LDAP attribute mapped to the user email address.

    User password attribute
      (Optional) Enter the LDAP attribute mapped to the password.

    Group objectclass
      (Optional) Enter the LDAP object class for groups.

    Group ID attribute
      (Optional) Enter the LDAP attribute mapped to the group ID.

    Group name attribute
      (Optional) Enter the LDAP attribute mapped to the group name.

    Group member attribute
      (Optional) Enter the LDAP attribute mapped to the group member name.

    Group description attribute
      (Optional) Enter the LDAP attribute mapped to the group description.

  6. Click Validate to confirm your settings.
  7. Click OK.
  8. If you did not specify an LDAP admin user, configure a project and administrator for the Keystone domain for LDAP. In the following commands, ldap-domain is the Keystone domain name that you entered, new-project is the name of the project to create, and ldap-username is the LDAP user who will administer the domain.
    1. Log in to the OpenStack Management Server as viouser.
    2. Switch to the root user and load the cloud administrator credentials file.
      sudo su -
      source ~/cloudadmin.rc
    3. Create a project in the Keystone domain for LDAP.
      openstack project create new-project --domain ldap-domain
    4. Add an LDAP user to the new project.
      openstack user set ldap-username --domain ldap-domain --project new-project --project-domain ldap-domain
    5. In the Keystone domain for LDAP, assign the admin role to the LDAP user.
      openstack role add admin --user ldap-username --user-domain ldap-domain --domain ldap-domain
    6. In the new project, assign the admin role to the LDAP user.
      openstack role add admin --user ldap-username --user-domain ldap-domain --project new-project --project-domain ldap-domain
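Before you click Validate, the constraints from the settings table (ASCII-only attributes, no default or local Keystone domain, fewer than 1,000 objects per filter) can be checked locally, and the ldapsearch query mentioned under Prerequisites can be built from the same values. The following is an added example, not VMware code: field names follow the table, corp.example.com and its DNs are constructed, and the combined filter shape is an approximation of the query Keystone's LDAP driver issues.

```python
"""Pre-flight checks for a VIO LDAP identity-source entry (added example, not VMware code)."""
import shlex
from dataclasses import dataclass, field

@dataclass
class LdapSource:
    keystone_domain: str
    bind_user: str                 # bind DN or UPN from the "Bind user" field
    encryption: str                # "None", "SSL" or "StartTLS" (Advanced settings)
    hostname: str
    port: int
    user_tree_dn: str
    user_filter: str = ""
    attributes: dict = field(default_factory=dict)   # e.g. {"User ID attribute": "sAMAccountName"}

def check_source(src):
    """Return the problems found; an empty list means the entry passes these checks."""
    problems = []
    if src.keystone_domain.lower() in ("default", "local"):
        problems.append("Keystone domain name must not be 'default' or 'local'")
    for name, value in src.attributes.items():        # LDAP attributes must be ASCII only
        if not value.isascii():
            problems.append(f"{name} contains non-ASCII characters: {value!r}")
    if src.encryption == "None":
        problems.append("Encryption None sends the bind password in cleartext")
    return problems

def effective_user_filter(src):
    """User Filter ANDed with object class and ID attribute, approximating the query Keystone's LDAP driver issues."""
    oc, uid = src.attributes.get("User objectclass", "person"), src.attributes.get("User ID attribute", "cn")
    return f"(&{src.user_filter}(objectClass={oc})({uid}=*))"

def ldapsearch_command(src):
    """ldapsearch call listing matching DNs, so the count can be checked against the 1,000-object limit."""
    scheme = "ldaps" if src.encryption == "SSL" else "ldap"
    cmd = ["ldapsearch", "-x", "-H", f"{scheme}://{src.hostname}:{src.port}", "-D", src.bind_user,
           "-W", "-b", src.user_tree_dn, effective_user_filter(src), "dn"]
    if src.encryption == "StartTLS":
        cmd.insert(1, "-ZZ")                          # require StartTLS before the bind
    return " ".join(shlex.quote(part) for part in cmd)

def count_entries(ldif_text):
    """Entries in ldapsearch LDIF output (one 'dn:' line each); fewer than 1,000 must be returned."""
    return sum(1 for line in ldif_text.splitlines() if line.startswith("dn:"))

SAMPLE = LdapSource(  # constructed sample; corp.example.com and its DNs are made up
    keystone_domain="corp", bind_user="CN=svc-vio,OU=Service Accounts,DC=corp,DC=example,DC=com",
    encryption="StartTLS", hostname="dc01.corp.example.com", port=389, user_tree_dn="OU=Users,DC=corp,DC=example,DC=com",
    user_filter="(memberOf=CN=cloud-users,OU=Groups,DC=corp,DC=example,DC=com)",
    attributes={"User objectclass": "person", "User ID attribute": "sAMAccountName"})
```

Run the command returned by ldapsearch_command() against your domain controller and pass its output to count_entries() to confirm that the filter returns fewer than 1,000 entries before you enter it in the User Filter field.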

Results

LDAP authentication is configured on your VMware Integrated OpenStack deployment. You can log in to the VMware Integrated OpenStack dashboard as the LDAP admin user that you specified during configuration.