You can configure LDAP authentication, add new domains, or modify your existing LDAP configuration.

Important: All LDAP attributes must use ASCII characters only.

By default, VMware Integrated OpenStack connects with your LDAP server using SSL on port 636. If this configuration is not appropriate for your environment, specify the correct port and protocol under Advanced settings.

Prerequisites

  • Contact your LDAP administrator to obtain the correct LDAP settings for your environment.
  • If you want to use a new Keystone domain for LDAP users, create the domain in Keystone before proceeding. The domains default, local, and service cannot be used for LDAP.

Procedure

  1. Log in to the Integrated OpenStack Manager web interface as the admin user.
  2. In OpenStack Deployment, click the name of your deployment and open the Manage tab.
  3. On the Settings tab, click Configure Identity Sources.
  4. Click Add to configure a new LDAP source or Edit to modify an existing configuration.
  5. Enter your LDAP configuration.
    Options:

    Active Directory domain name

    Specify the full Active Directory domain name.

    Keystone domain name

    Enter the Keystone domain name for the LDAP source.

    Note:
    • Do not use default, local, or service as the Keystone domain.
    • The Keystone domain cannot be changed after the LDAP source has been added.
    • You must specify an existing Keystone domain. Create the desired domain before configuring LDAP authentication.

    Bind user

    Enter the user name to bind to Active Directory for LDAP requests.

    Bind password

    Enter the password for the LDAP user.

    Domain controllers

    (Optional) Enter the IP addresses of one or more domain controllers, separated by commas.

    If you do not specify a domain controller, VMware Integrated OpenStack will automatically choose an existing Active Directory domain controller.

    Site

    (Optional) Enter a specific deployment site within your organization to limit LDAP searching to that site.

    Query scope

    Select SUB_TREE to query all objects under the base object or ONE_LEVEL to query only the direct children of the base object.

    User Tree DN

    (Optional) Enter the search base for users (for example, DC=example,DC=com).

    User Filter

    (Optional) Enter an LDAP search filter for users.

    Important:

    If your directory contains more than 1,000 objects (users and groups), you must apply a filter to ensure that fewer than 1,000 objects are returned.

    For more information about filters, see Search Filter Syntax in the Microsoft documentation.

    Group tree DN

    (Optional) Enter the search base for groups. The LDAP suffix is used by default.

    Group filter

    (Optional) Enter an LDAP search filter for groups.

    LDAP admin user

    Enter an LDAP user to act as an administrator for the domain. If you specify an LDAP admin user, the admin project will be created in the Keystone domain for LDAP, and this user will be assigned the admin role in that project. This user can then log in to Horizon and perform other operations in the Keystone domain for LDAP.

    If you do not specify an LDAP admin user, you must use the OpenStack command-line interface to add a project to the Keystone domain for LDAP and assign the admin role to an LDAP user in that project.

  6. (Optional) Select the Advanced settings check box to display additional LDAP configuration fields.
    Options:

    Encryption

    Select None, SSL, or StartTLS.

    Hostname

    Enter the hostname of the LDAP server. Multiple LDAP servers can be supplied to provide high-availability support for a single LDAP backend. To specify multiple LDAP servers, separate the hostnames with commas.

    Port

    Enter the port number to use on the LDAP server.

    User objectclass

    (Optional) Enter the LDAP object class for users. The default value is organizationalPerson.

    User ID attribute

    (Optional) Enter the LDAP attribute mapped to the user ID. This value cannot be a multi-valued attribute. The default value is cn.

    User name attribute

    (Optional) Enter the LDAP attribute mapped to the user name. The default value is userPrincipalName.

    User mail attribute

    (Optional) Enter the LDAP attribute mapped to the user email. The default value is mail.

    User password attribute

    (Optional) Enter the LDAP attribute mapped to the password. The default value is userPassword.

    User enabled bitmask

    Enter the bitmask that determines which bit indicates that a user is enabled. Enter this value as an integer. If a bitmask is not used, enter 0. The default value is 2.

    Group objectclass

    (Optional) Enter the LDAP object class for groups. The default value is group.

    Group ID attribute

    (Optional) Enter the LDAP attribute mapped to the group ID. The default value is cn.

    Group name attribute

    (Optional) Enter the LDAP attribute mapped to the group name. The default value is sAMAccountName.

    Group member attribute

    (Optional) Enter the LDAP attribute mapped to the group member name. The default value is member.

    Group description attribute

    (Optional) Enter the LDAP attribute mapped to the group description. The default value is description.

  7. Click OK.
    VMware Integrated OpenStack validates the specified LDAP configuration.
  8. After validation succeeds, accept the certificate in the CERT column.
  9. Click Configure.
  10. If you did not specify an LDAP admin user, configure a project and administrator for the Keystone domain for LDAP.
    1. Log in to the Integrated OpenStack Manager as the root user and open the toolbox.
      ssh root@mgmt-server-ip
      toolbox
    2. Create a project in the Keystone domain for LDAP.
      openstack project create new-project --domain ldap-domain
    3. In the Keystone domain for LDAP, assign the admin role to the LDAP user.
      openstack role add admin --user ldap-username --user-domain ldap-domain --domain ldap-domain
    4. In the new project, assign the admin role to the LDAP user.
      openstack role add admin --user ldap-username --user-domain ldap-domain --project new-project --project-domain ldap-domain
    5. (Optional) To provide high-availability support for a single LDAP backend, change the url option in the [ldap] section of the Keystone configuration to a comma-separated list of LDAP servers. Use ldaps:// with port 636 for SSL, or ldap:// with port 389 for unencrypted or StartTLS connections, for example:
      url = ldaps://ldap-server1:636,ldaps://ldap-backup:636
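The User enabled bitmask (step 6) and the multi-server url list (step 10) are the two settings on this page whose interpretation is easiest to get wrong, so the following is an added example, not part of the VMware documentation or of Keystone's own code, showing how Keystone's LDAP identity driver applies them. It assumes the bitmask is applied to Active Directory's userAccountControl attribute, whose ACCOUNTDISABLE bit (0x2) is what the default value of 2 refers to, that the Hostname, Port and Encryption fields are combined into the driver's url list, and that the account values and hostnames are constructed.

```python
"""Added example (not from the VMware documentation or Keystone's code): how
Keystone's LDAP identity driver interprets two of the settings described above.
Assumed: the "User enabled bitmask" is applied to Active Directory's
userAccountControl attribute (the default of 2 is AD's ACCOUNTDISABLE bit) and
the Hostname/Port/Encryption fields become the driver's comma-separated url list."""

# Active Directory userAccountControl flag bits used by the constructed samples.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

def user_enabled(user_account_control: int, enabled_mask: int = 2) -> bool:
    """Keystone's rule for a non-zero mask: the user is enabled unless every
    bit of the mask is set in the attribute value. Mask 0 means no bitmask is
    used (the attribute is then read as a plain boolean, not shown here)."""
    if enabled_mask == 0:
        raise ValueError("mask 0 disables bitmask evaluation")
    return (user_account_control & enabled_mask) != enabled_mask

def ldap_urls(hostnames: str, encryption: str, port: int = 0) -> list:
    """Build the url list from the Advanced settings. SSL uses ldaps:// (636 by
    default); None and StartTLS connect with ldap:// (389 by default), and
    StartTLS upgrades the connection after connecting."""
    if encryption not in ("None", "SSL", "StartTLS"):
        raise ValueError("unknown encryption setting: %s" % encryption)
    hosts = [h.strip() for h in hostnames.split(",") if h.strip()]
    if not hosts:
        raise ValueError("at least one hostname is required")
    if not all(h.isascii() for h in hosts):   # page rule: ASCII characters only
        raise ValueError("LDAP settings must use ASCII characters only")
    scheme = "ldaps" if encryption == "SSL" else "ldap"
    port = port or (636 if scheme == "ldaps" else 389)
    return ["%s://%s:%d" % (scheme, h, port) for h in hosts]

# Constructed sample accounts (not real directory data).
SAMPLE_UAC = {
    "alice": NORMAL_ACCOUNT,                         # 512: normal, enabled
    "bob": NORMAL_ACCOUNT | ACCOUNTDISABLE,          # 514: disabled in AD
    "carol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,  # 66048: enabled
}

def enabled_users(mask: int = 2) -> list:
    """Names Keystone would treat as enabled under the given bitmask. A wrong
    mask such as 512 hides every normal account, since 512 & 512 == 512."""
    return [name for name, uac in SAMPLE_UAC.items() if user_enabled(uac, mask)]

if __name__ == "__main__":
    print(enabled_users())        # ['alice', 'carol']
    print(enabled_users(512))     # []
    print(",".join(ldap_urls("ldap-server1, ldap-backup", "SSL")))
```

Running the script with the default mask lists alice and carol as enabled and bob as disabled; with a mismatched mask of 512 every account disappears, which is the symptom to look for when LDAP users cannot log in after changing this field.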

Results

LDAP authentication is configured on your VMware Integrated OpenStack deployment. You can log in to the VMware Integrated OpenStack dashboard as the LDAP admin user that you specified during configuration.

Note: If you need to modify your LDAP configuration, you must use the Integrated OpenStack Manager web interface. Modifying the LDAP configuration over the command line is not supported.