Asked a question 4 years ago

How do I configure Bright OpenStack 7.2 with Active Directory authentication?


Bright OpenStack 7.2 with AD authentication

This knowledge base article describes the steps needed to configure Bright OpenStack 7.2 to use the Active Directory/LDAP identity backend.
AD/LDAP authentication can now be configured from cmsh in a few commands.

The LDAP backend will be used for the user/group identity and the MySQL backend will be used for role assignment.


Set the admin token:

# cmsh -c "openstack; settings; credentials; set admintoken `openssl rand -hex 10`; commit"

Remove the SQL backend, add an LDAP backend named ad, and configure it to bind to Active Directory: change <LDAP URL> to the URL of the Active Directory server (e.g. ldap://). Then create a service user in Active Directory and set its username and password:

# cmsh -c "openstack; settings; authentication; authbackends; remove sql; add ldap ad; set url <LDAP URL>; set username <USERNAME>; set password <PASSWORD>; commit"

Configure the id attribute, object class, and base DN used when searching for users and groups, e.g. CN=Users,DC=bright,DC=com.

# cmsh -c "openstack; settings; authentication; authbackends; use ad; usersettings; set idattribute sAMAccountName; set nameattribute sAMAccountName; set objectclass person; set treedn <SEARCH TREE>; commit"

# cmsh -c "openstack; settings; authentication; authbackends; use ad; groupsettings; set idattribute sAMAccountName; set memberattribute member; set objectclass group; set treedn <SEARCH TREE>; commit"
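Before committing the backend it is worth checking that the bind account can actually resolve a user and a group with the attributes configured above. The following script is an added example, not part of the original article or of Bright's tooling: it builds the same filter shape Keystone uses (object class plus id attribute) and runs it through ldapsearch against the configured search tree. The server URL, bind DN, password and base DN are placeholders you must replace.

```shell
#!/bin/sh
# Added example: verify the AD settings from cmsh with ldapsearch.
# All four values below are assumptions; replace them with your own.
LDAP_URL="${LDAP_URL:-ldap://ad.example.com}"                  # <LDAP URL>
BIND_USER="${BIND_USER:-CN=svc-openstack,CN=Users,DC=bright,DC=com}"  # <USERNAME>
BIND_PASS="${BIND_PASS:-changeme}"                             # <PASSWORD>
SEARCH_TREE="${SEARCH_TREE:-CN=Users,DC=bright,DC=com}"        # <SEARCH TREE>

# Compose the lookup filter Keystone derives from objectclass + idattribute:
#   (&(objectClass=<objectclass>)(<idattribute>=<value>))
build_filter() {
    # $1 objectclass, $2 idattribute, $3 value to look up
    printf '(&(objectClass=%s)(%s=%s))' "$1" "$2" "$3"
}

# Return 0 when the entry resolves and exposes the requested attribute.
# The bind password is passed with -w for brevity; "-y <file>" keeps it
# out of the process list on a shared head node.
ad_lookup() {
    # $1 objectclass, $2 idattribute, $3 value, $4 attribute to return
    filter=$(build_filter "$1" "$2" "$3")
    ldapsearch -LLL -x -H "$LDAP_URL" -D "$BIND_USER" -w "$BIND_PASS" \
        -b "$SEARCH_TREE" "$filter" "$4" | grep -q "^$4:"
}

# Usage (set RUN_AD_CHECK=1 to run the live queries): look up a user by
# sAMAccountName / person and list a group's member attribute, exactly
# the attribute names set in usersettings and groupsettings above.
if [ -n "${RUN_AD_CHECK:-}" ]; then
    ad_lookup person sAMAccountName alice sAMAccountName \
        && echo "user alice resolves" || echo "user lookup FAILED"
    ad_lookup group sAMAccountName openstack-admins member \
        && echo "group members listed" || echo "group lookup FAILED"
fi
```

If the user lookup succeeds but the group lookup returns no member attribute, the group search tree or memberattribute is wrong and Keystone role mapping will silently produce empty groups. Prefer an ldaps:// URL (or StartTLS) for the backend so the bind password and query results do not cross the network in clear text.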

Configure the service user and password used by each OpenStack component.
In this case the service user created in the previous step is used for every OpenStack service.
It is best practice to use a separate user/password pair for each service, as is done by default with the SQL backend.
Retrieve each username/password pair, and create each user with the associated password in Active Directory.

# cmsh -c 'openstack settings; credentials; get cinderusername; get cinderpassword'

# cmsh -c 'openstack settings; credentials; get keystoneusername; get keystonepassword'

# cmsh -c 'openstack settings; credentials; get cmdaemonopenstackusername; get cmdaemonopenstackpassword'

# cmsh -c 'openstack settings; credentials; get glanceusername; get glancepassword'

# cmsh -c 'openstack settings; credentials; get heatusername; get heatpassword'

# cmsh -c 'openstack settings; credentials; get neutronusername; get neutronpassword'

# cmsh -c 'openstack settings; credentials; get novausername; get novapassword'

# echo admin && cmsh -c 'openstack settings; credentials; get mainadminpassword'

If just one username/password pair will be used, then change <USERNAME> and <PASSWORD> accordingly as in the following:

# (for i in {cinder,glance,heat,keystone,neutron,nova,radosgw,cmdaemonopenstack}; do echo "openstack use default; settings; credentials; set ${i}username <USERNAME>; home"; done; echo openstack commit ) | cmsh

# (for i in {cinder,glance,heat,keystone,neutron,nova,radosgw,cmdaemonopenstack}; do echo "openstack use default; settings; credentials; set ${i}password <PASSWORD>; home"; done; echo openstack commit ) | cmsh

Assign the admin role to the user created before for the bright and service projects, replacing <USERNAME> accordingly.

Note that if a different username/password is used for each service, then the step must be carried out for each user.

# export TOKEN=`cmsh -c 'openstack; settings; credentials; get admintoken'`
# openstack --os-token $TOKEN --os-url http://master:5000/v330 role add --user <USERNAME> --project bright admin
# openstack --os-token $TOKEN --os-url http://master:5000/v330 role add --user <USERNAME> --project service admin
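The loops above set one shared username/password for every service, and the role assignment is then repeated by hand for each user. The script below is an added example, not part of the original article or of Bright's tooling, covering both steps with the per-service credentials the article recommends: it generates a distinct random password per service, emits the cmsh commands that set them, and emits the matching role-add commands for the bright and service projects. The svc-<service> naming and the /v3 Keystone endpoint are assumptions; the service list and project names are the ones used above.

```shell
#!/bin/sh
# Added example: per-service credentials and role assignment generator.
SERVICES="cinder glance heat keystone neutron nova radosgw cmdaemonopenstack"
PROJECTS="bright service"
OS_URL="${OS_URL:-http://master:5000/v3}"   # assumption: Keystone v3 endpoint

# 30 hex characters from the kernel RNG (same idea as the openssl rand
# call used for the admin token earlier in the article).
gen_password() {
    head -c 15 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Emit the cmsh commands that give every service its own username and a
# freshly generated password, followed by a single commit. The output
# contains secrets: pipe it straight into cmsh rather than saving it.
cmsh_credential_script() {
    for svc in $SERVICES; do
        pw=$(gen_password)
        echo "openstack use default; settings; credentials; set ${svc}username svc-${svc}; set ${svc}password ${pw}; home"
    done
    echo "openstack commit"
}

# Emit the openstack CLI commands that grant each service user the admin
# role on every project; TOKEN is expanded when the output is executed.
role_assignment_script() {
    for svc in $SERVICES; do
        for proj in $PROJECTS; do
            echo "openstack --os-token \"\$TOKEN\" --os-url $OS_URL role add --user svc-${svc} --project ${proj} admin"
        done
    done
}

# Usage:
#   sh this.sh credentials | cmsh
#   export TOKEN=$(cmsh -c 'openstack; settings; credentials; get admintoken')
#   sh this.sh roles | sh
# The AD accounts svc-<service> must exist with the same passwords before
# the role-add commands will authenticate.
case "${1:-}" in
    credentials) cmsh_credential_script ;;
    roles)       role_assignment_script ;;
    *)           echo "usage: $0 credentials|roles" >&2 ;;
esac
```

Review the generated cmsh script once before piping it: a service whose password in AD does not match the value committed in cmsh will fail to authenticate to Keystone, and because every service now has its own account the failure is confined to that one component rather than to all of them.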

Using the admin user created before in AD, log in to OpenStack and assign the project membership.