LDAP integration with SmartCloud Orchestrator v2.3 Davide Cosentino/Italy/IBM July 2014
by user
Comments
Transcript
LDAP integration with SmartCloud Orchestrator v2.3 Davide Cosentino/Italy/IBM July 2014
LDAP integration with SmartCloud Orchestrator v2.3 Davide Cosentino/Italy/IBM July 2014 © 2014 IBM Corporation SCO-LDAP integration in short Single domain vs. multiple domains Single domain implementation Multiple domains implementation Troubleshooting Known limitations References Free questions 2 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation LDAP integration in short 3 Designed to enable LDAP users to become accounts of SCO. Authentication of the users (i.e. “who can login”) is performed on the LDAP server side. Authorization (i.e. “what they can do when they have logged in”) is retained in SCO. Allows auto-population at first login (i.e. the LDAP user is created automatically in Keystone just after the first SCO login) Works with most common LDAP Servers (e.g. Microsoft Active Directory or MSAD, OpenLDAP, Tivoli Directory Server or TDS) Easy and quick to implement IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Single domain vs multiple domains Single domain: all the users from the single LDAP server get registered into one single SCO domain (for example: the Default domain). Useful for not too complex users' hierarchy. Multiple domains: LDAP users can be registered into different SCO domains based on administrative considerations – In this case, domains must be manually predefined in SCO – Options: • With single LDAP server and complex hierarchy of users, the groups of users can be mapped into separate domains • With multiple LDAP servers, each of them is mapped into a separate domain 4 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Single domain – How to implement (1) The Keystone configuration file /etc/keystone/keystone.conf (located in the Central Server 2 of the SCO topology) needs to be edited as follows (LDAP server ip address, dn, etc. are just examples): Administrative account to browse the LDAP server, if anonymous query is not available [ldap_pre_auth] url = ldap://10.10.0.254 user_tree_dn = cn=users,dc=ldap,dc=com user_name_attribute = cn user = cn=administrator,cn=users,dc=ldap,dc=com password = pass00wd [root]# keystone user-list +-------------------------------+---------+-user_id_attribute = dn | id | name | en [auto_population] default_project = admin default_role = Member 5 At login, LDAP users will be registered into the “admin” project with “Member” role +-------------------------------+---------+--|CN=x2,CN=Users,DC=ldap,DC=com |CN=x3,CN=Users,DC=ldap,DC=com |CN=x5,CN=Users,DC=ldap,DC=com |CN=x6,CN=Users,DC=ldap,DC=com | | | | x2 x3 x5 x6 | Tr | Tr | Tr | Tr IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Single domain – How to implement (2) ldap_pre_auth section --- more details With openldap configured, you can point to your secure LDAP server by specifying 'url = ldaps://....' NOTICE: The SCO administrator account admin will already exist in the local OpenStack database. Care must be taken to make sure there is not an LDAP account that also has the name admin, otherwise this will now supersede the local admin account. Can use others, like “mail”, “sAMAccountName” etc Notice “mail” should be combined with user_mail_attribute = mail 6 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Single domain – How to implement (3) To the Keystone configuration file /etc/keystone/keystone.conf also add the following sections (the added stuff is in blue). The filters filter:ldapauth and filter:autopop are needed to enable authentication to LDAP and autopopulation capabilities: [filter:ldapauth] paste.filter_factory = keystone.middleware.ldapauth:LdapAuthAuthentication.factory [filter:autopop] paste.filter_factory = keystone.middleware.autopop:AutoPopulation.factory [pipeline:api_v3] pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body simpletoken ldapauth autopop debug stats_reporting ec2_extension s3_extension service_v3 7 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Single domain – How to implement (4) Once the keystone configuration file has been modified, Keystone needs to be restarted. Restart Keystone every time you need to make a change to keystone.conf effective. Don't forget to make a backup copy of the last good working configuration file before changing it: [root]# service openstack-keystone restart Stopping keystone: [ OK ] Starting keystone: [ OK ] NOTICE. All of the above details (and more) can be found at the following infocenter page: <<Configuring LDAP authentication independently of the domain>> http://www01.ibm.com/support/knowledgecenter/SS4KMC_2.3.0/com.ibm.sco.doc_2.3/c_conf_ LDAP_all.html?lang=en 8 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Single domain – How to implement (5) To demonstrate the auto-population feature, list the Keystone users before any LDAP user has attempted a SCO login [root]# keystone user-list +----------------------------------+--------+---------+-------+ | id | name | enabled | email | +----------------------------------+--------+---------+-------+ | c26d805cc48343d688de827384768a70 | admin | True | | | 86440f8885464c90b2c98904f2882abb | cinder | True | | | b751f402ff864d53afda29ccef381b40 | glance | True | | | 3f0a56f372ec480da3406f9146147df6 | nova | True | 9 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Single domain – How to implement (6) Suppose now you have an LDAP user named x1. Log into SCO with x1 username and password. User x1 gets created into Keystone automatically: [root]# keystone user-list +----------------------------------+--------+---------+-------+ | id | name | enabled | email | +----------------------------------+--------+---------+-------+ | c26d805cc48343d688de827384768a70 | admin | True | | | 86440f8885464c90b2c98904f2882abb | cinder | True | | | b751f402ff864d53afda29ccef381b40 | glance | True | | | 3f0a56f372ec480da3406f9146147df6 | nova | True | | | CN=x1,CN=Users,DC=ldap,DC=com | x1 | True | | +----------------------------------+--------+---------+-------+ 10 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Single domain – How to implement (7) SCO UI – final view of the user x1 11 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Multiple domains – How to implement (1) Suppose we just want to register users into two different domains, namely Test1 and Test2. We will create those two domains in SCO and, in them, we will create projects (aka “tenants”) e.g. proj1 and proj2 (which will be the projects where LDAP users will be registered by default, based on the domain they belong to). 12 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Multiple domains – How to implement (2) Under /etc/keystone create a directory named (e.g.) “domains” /etc/keystone/domains in that, create 2 configuration text files named respectively: [root]# pwd /etc/keystone/domains [root]# ll total 0 -rw-r--r-- 1 root root 0 Jul 22 11:33 keystone.Test1.conf -rw-r--r-- 1 root root 0 Jul 22 11:33 keystone.Test2.conf NOTICE. You can choose any other name for the mentioned subdir and you can also choose to put domain-specific files in the very same place as the main config file (i.e. /etc/keystone) 13 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Multiple domains – How to implement (3) Edit the files to add the ldap_pre_auth and auto_population sections and point to the relevant project. For example for Test1 (same will be for Test2, replacing proj1 with proj2): [root]# cat keystone.Test1.conf [ldap_pre_auth] url = ldap://10.10.0.254 user_tree_dn = cn=users,dc=ldap,dc=com user_name_attribute = cn user = cn=administrator,cn=users,dc=ldap,dc=com password = pass00wd user_id_attribute = dn [auto_population] default_project = proj1 default_role = Member 14 LDAP users logging into domain Test1 will be assigned to project proj1 with Member role IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Multiple domains – How to implement (4) The file /etc/keystone/keystone.conf will need to contain a “pointer” to the domains subdir: [ldap_pre_auth] domain_specific_drivers_enabled = True domain_config_dir = /etc/keystone/domains/ 15 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Multiple domains – How to implement (5) As usual, restart Keystone to make changes effective: [root]# service openstack-keystone restart Stopping keystone: [ OK ] Starting keystone: [ OK ] NOTICE. All of the above details (and more) can be found at the infocenter page: <<Configuring LDAP authentication on a domain-by-domain basis>> http://www01.ibm.com/support/knowledgecenter/SS4KMC_2.3.0/com.ibm.sco.doc_2.3/c_conf_LDA P_domain.html?lang=en 16 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Multiple domains – How to implement (6) Suppose now you have an LDAP user named x2 that you wish to register into domain Test1. Log into SCO with x2 username and password, using Test1 as domain. User x2 gets created into Keystone automatically, with project = proj1: [root]# keystone user-list +----------------------------------+--------+---------+-------+ | id | name | enabled | email | +----------------------------------+--------+---------+-------+ | c26d805cc48343d688de827384768a70 | admin | True | | | 86440f8885464c90b2c98904f2882abb | cinder | True | | | b751f402ff864d53afda29ccef381b40 | glance | True | | | 3f0a56f372ec480da3406f9146147df6 | nova | True | | | CN=x2,CN=Users,DC=ldap,DC=com | x2 | True | | 17 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Multiple domains – How to implement (7) Suppose the same for another LDAP user named x3. This time domain will be Test2 and project = proj2: [root]# keystone user-list +----------------------------------+--------+---------+-------+ | id | name | enabled | email | +----------------------------------+--------+---------+-------+ | c26d805cc48343d688de827384768a70 | admin | True | | | 86440f8885464c90b2c98904f2882abb | cinder | True | | | b751f402ff864d53afda29ccef381b40 | glance | True | | | 3f0a56f372ec480da3406f9146147df6 | nova | True | | | CN=x2,CN=Users,DC=ldap,DC=com | x2 | True | | | CN=x3,CN=Users,DC=ldap,DC=com | x3 | True | | +----------------------------------+--------+---------+-------+ 18 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Troubleshooting (1) The keystone.conf file contains a pointer to the Keystone log configuration file: # Show more verbose log output (sets INFO log level output) verbose = true # Show debugging output in logs (sets DEBUG log level output) debug = true log_config = /etc/keystone/logging.conf And logging.conf on its turn: [handler_file] class=logging.handlers.WatchedFileHandler level=WARNING formatter=normal_with_name args=('/var/log/keystone/keystone.log', 'w') 19 So the log file to collect is finally: /var/log/keystone/keystone.log IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Troubleshooting (2) OpenLDAP client tools can be useful to troubleshoot several types of issue. These tools are especially aimed at understanding if an issue is related to SCO or if it's a problem in the LDAP server. On a Linux box (e.g. The Keystone node) they can be installed in this way: yum install openldap-clients Especially handy are ldapsearch and ldapwhoami NOTICE. You can use the OpenLDAP client tools with any LDAP server (e.g. with MSAD) 20 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Troubleshooting (3) - ldapsearch This tool helps with issues related to the LDAP queries which are performed in the context of the LDAP-SCO integration. For example, if the section of the keystone.conf is the following: [ldap_pre_auth] url = ldap://10.10.0.254 user_tree_dn = cn=users,dc=ldap,dc=com user = cn=administrator,cn=users,dc=ldap,dc=com password = pass00wd You can troubleshoot those parameters as follows: ldapsearch -H ldap://10.10.0.254 -b cn=users,dc=ldap,dc=com -D cn=administrator,cn=users,dc=ldap,dc=com -w pass00wd and determine if the issue is in SCO or is in the LDAP server (e.g. “user not found” case … is the user missing in the LDAP server? Or it's just SCO which cannot find it?) 21 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Troubleshooting (4) - ldapwhoami This tool helps with issues related to a specific user which cannot login into SCO (“invalid credentials” use case). For example, suppose you cannot login as user x4. The following would show that the issue is on the LDAP server: [root]# ldapwhoami -n -v -D cn=x4,cn=users,dc=ldap,dc=com -H ldap://10.10.0.254 -w Passw0rd ldap_initialize( ldap://10.10.0.254:389/??base ) ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 And vice versa ... suppose you cannot login with user x5. The following would show that the problem is in SCO. In this case the keystone.log would become the main help for troubleshooting: [root@sco-vmw-41-fb keystone]# ldapwhoami -v -n -D cn=x5,cn=users,dc=ldap,dc=com -H ldap://10.10.0.254 -w Passw0rd ldap_initialize( ldap://10.10.0.254:389/??base ) Result: Success (0) 22 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Known limitations (1) The auto-population capability is not a replacement for a full directory synchronization capability. While the plug-in will create a user-record the first time a user authenticates, it will not, for example, delete that user record in keystone if the LDAP user record is subsequently deleted. Such a user would indeed no longer be able to log in to SmartCloud Orchestrator, but the database cleanup is outside of the scope of the auto-population capability. If such a full capability is required, then the use of an external directory synchronization tool is recommended (for example: Tivoli Directory Integrator). For details refer to Using external Directory Integration tools with LDAP authentication: http://www01.ibm.com/support/knowledgecenter/SS4KMC_2.3.0/com.ibm. sco.doc_2.3/c_conf_LDAP_external.html?lang=en 23 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Known limitations (2) Referring to the default_role parameter of the [auto_population] section of the keystone.conf (or keystone.<domain>.conf) file, the role assigned here only affects the assignments held within SCO and Keystone. They do not modify anything that is actually stored in LDAP. The plug-in does not attempt to propagate any roles stored explicitly within LDAP, although the use of an external directory synchronization tool can enable such a capability. 24 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation REFERENCES SCO 2.3 Infocenter http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.3.0/ com.ibm.sco.doc_2.3/c_config_ldap_authentication.html?lang=en 25 IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation Any questions? IBM Software Group | Cloud & Smarter Infrastructure © 2014 IBM Corporation