Keystone integration with Microsoft Active Directory

Asked by Nag

Hi,

I have installed Keystone and I am trying to integrate Keystone with Microsoft Active Directory.

Can anybody tell me the steps to integrate Keystone with AD?

Thanks in advance.

Regards,
Raju.

Question information

Language: English
Status: Solved
For: OpenStack Identity (keystone)
Assignee: No assignee
Solved by: Nag
Launchpad Janitor (janitor) said :
#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Nag (srirangamn) said :
#2

Hi,

Can anybody please help me on this?

Regards,
Raju.

Joseph Heck (heckj) said :
#3

Hi Raj,

The baseline LDAP implementation is currently against OpenLDAP and defines specific structures to be used with it. There are blueprints (meaning planning stages of future work), but no concrete implementations at this time that have Keystone working with LDAP through an Active Directory installation.

That said, we expect this to be a common use case, and a number of us are rallying around the development needed to implement exactly this kind of feature. I would like to encourage you to look at http://wiki.openstack.org/KeystoneUseCases and see if some of the user stories there match what you're looking for. That is the current thinking about the problem set we are going to be focusing on solving in the near future (early Folsom timeframe).

- joe

Nag (srirangamn) said :
#4

Hi Joseph,

Thanks a lot for the information.

Regards,
Raju.

Boris Deschenes (boris-michel-deschenes) said :
#5

Raj,

I have a setup in Essex where I use Microsoft Active Directory for authentication but still use a local DB for users/tenants.

Basically I have a daemon in Python which creates users and tenants based on AD groups (so adding a user to an AD group will create this user automatically in Keystone, create the tenant (AD group) and give the user some roles in the corresponding tenant). I then hijack the SQL backend to do LDAP authentication, so the user uses his Windows password to log in to Horizon (easy).

This is something we already do in other apps here, so I was asked to do the same thing with OpenStack.

It is not a full LDAP backend for Keystone; it is more of a hybrid form where only authentication is LDAP-based. The local Keystone DB is still used for users, email, roles, tenants, etc. (although an outside program synchronizes this local DB with information from LDAP).

I don't know if this is a use case that would be popular. I think it would be hard to use an existing Windows AD as a complete LDAP backend in a big corporation (security reasons among others); it was relatively simple to implement what I just described.

cheers

Boris

Nag (srirangamn) said :
#6

Hi Boris,

Thank you very much for your reply.

I also did something similar to this. The SQLite or MySQL DB created by Keystone stays as it is. The workflow is as follows:

1. The user enters his username and password through Horizon.
2. If the user doesn't exist in the MS AD, I am throwing an exception. [I need to handle this nicely with a message]
3. If the user exists in the MS AD, I am adding that user to the Keystone DB with the same credentials.
4. The remaining tables, like Tenants, Credentials and Services, including the Users table, exist as they are in SQLite or MySQL.

I am also trying to add a particular user to more than one tenant. Ex: Administrator should have full access to all tenants [projects].

Thanks for your detailed description of the workflow. I will try to integrate my work into a plug-in and will update you if I come across any difficulties.

Thanks and Regards,
Raju.

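The hybrid scheme that posts #5 and #6 describe (AD checks the password, a local Keystone-style DB holds users, tenants and roles, and AD group membership drives provisioning) is sketched below as an added example. It is not code from this thread or from Keystone. It assumes a python-ldap-style connection object with `simple_bind_s(dn, password)` and `search_s(base, scope, filter, attrs)`, a read-only service account used only to resolve the user's DN, and AD groups named `openstack-<tenant>`; the `FakeAD` class and its one user are constructed stand-ins so the block runs offline. Two details matter in practice and are built in: the username is RFC 4515-escaped before it goes into the search filter, and an empty password is rejected up front, because a simple bind with an empty password against AD succeeds as an anonymous bind and would otherwise log in any valid username. Unlike step 3 in post #6, this version stores no password locally; AD is asked on every login.

```python
import re
import sqlite3

SCOPE_SUBTREE = 2  # same value as python-ldap's ldap.SCOPE_SUBTREE

# Assumed deployment values; any real names would come from configuration.
BASE_DN = "DC=example,DC=com"
SVC_DN = "CN=svc-keystone,OU=Service,DC=example,DC=com"
SVC_PW = "svc-secret"


class AuthError(Exception):
    """AD rejected the login or the user is unknown."""


class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS raised by python-ldap."""


def escape_filter(value):
    """RFC 4515 escaping so a username cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_cn(dn):
    """Value of the first RDN of a memberOf DN (simplified: no escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def ad_authenticate(conn, username, password, prefix="openstack-"):
    """Verify username/password against AD; return (user_dn, tenant names).

    Tenant names are AD group CNs starting with `prefix`, with it stripped."""
    if not password:
        # AD treats a simple bind with an empty password as an anonymous bind
        # that succeeds, so this check is what keeps "any user, no password" out.
        raise AuthError("empty password rejected")
    conn.simple_bind_s(SVC_DN, SVC_PW)  # service account resolves the DN
    flt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter(username)
    hits = conn.search_s(BASE_DN, SCOPE_SUBTREE, flt, ["memberOf"])
    if len(hits) != 1:
        raise AuthError("unknown user %r" % username)
    user_dn, attrs = hits[0]
    try:
        conn.simple_bind_s(user_dn, password)  # the user's own Windows password
    except InvalidCredentials:
        raise AuthError("bad password for %r" % username)
    groups = [group_cn(g) for g in attrs.get("memberOf", [])]
    return user_dn, [g[len(prefix):] for g in groups if g.startswith(prefix)]


def open_local_db():
    """In-memory stand-in for Keystone's own SQL tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (name TEXT PRIMARY KEY);
        CREATE TABLE tenants (name TEXT PRIMARY KEY);
        CREATE TABLE roles (user_name TEXT, tenant TEXT, role TEXT,
                            PRIMARY KEY (user_name, tenant, role));
    """)
    return db


def provision(db, username, tenants, role="Member"):
    """Idempotently create the user, one tenant per AD group, and memberships."""
    db.execute("INSERT OR IGNORE INTO users VALUES (?)", (username,))
    for t in tenants:
        db.execute("INSERT OR IGNORE INTO tenants VALUES (?)", (t,))
        db.execute("INSERT OR IGNORE INTO roles VALUES (?, ?, ?)", (username, t, role))
    db.commit()
    rows = db.execute("SELECT tenant FROM roles WHERE user_name = ?", (username,))
    return sorted(r[0] for r in rows)


def login(conn, db, username, password):
    """Horizon-style login: AD authenticates, local DB is synced, tenants returned."""
    _, tenants = ad_authenticate(conn, username, password)
    return provision(db, username, tenants)


class FakeAD:
    """Constructed in-memory domain controller (assumption, test data only)."""
    USERS = {
        "CN=Raju,OU=Users,DC=example,DC=com": {
            "sAMAccountName": "raju", "password": "Winter2012!",
            "memberOf": ["CN=openstack-dev,OU=Groups,DC=example,DC=com",
                         "CN=openstack-qa,OU=Groups,DC=example,DC=com",
                         "CN=Domain Users,CN=Users,DC=example,DC=com"]}}

    def simple_bind_s(self, dn, pw):
        if pw == "":
            return  # emulates AD: empty password => anonymous bind succeeds
        if (dn == SVC_DN and pw == SVC_PW) or self.USERS.get(dn, {}).get("password") == pw:
            return
        raise InvalidCredentials(dn)

    def search_s(self, base, scope, flt, attrs):
        wanted = re.search(r"\(sAMAccountName=([^)]*)\)", flt).group(1)
        return [(dn, {"memberOf": u["memberOf"]})
                for dn, u in self.USERS.items() if u["sAMAccountName"] == wanted]
```

With a real directory, `FakeAD()` is replaced by `ldap.initialize(uri)` over LDAPS (or StartTLS), `InvalidCredentials` by `ldap.INVALID_CREDENTIALS`, and the `memberOf` list should be read with the caveat that it omits the primary group; the `"*"` login in the test shows the escaping turning a wildcard into a literal that matches nobody.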
Tim Bell (tim-bell) said :
#7