Chinaunix首页 | 论坛 | 博客

netsniper的博客

首页 |  博文目录 |  关于我

4059056

  • 博客访问: 91899
  • 博文数量: 16
  • 博客积分: 10
  • 博客等级: 民兵
  • 技术积分: 131
  • 用 户 组: 普通用户
  • 注册时间: 2011-03-03 04:11
文章分类

全部博文(16)

文章存档

2016年(4)

2015年(10)

2014年(2)

我的朋友
最近访客
推荐博文
相关博文
keystone对接LDAP实践

分类: 云计算

2016-05-03 15:37:31

0. 环境

系统环境

点击(此处)折叠或打开

  1. [root@compute-61 ldap]# cat /etc/redhat-release
  2. CentOS Linux release 7.2.1511 (Core)

keystone版本

点击(此处)折叠或打开

  1. [root@compute-192-168-6-61 ldap]# keystone --version
  2. 1.7.2

1. 安装 OpenLDAP Server.

点击(此处)折叠或打开

  1. yum -y install openldap-servers openldap-clients
  3. cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  5. chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
  7. systemctl start slapd
  8. systemctl enable slapd

2. 设置OpenLDAP admin password

点击(此处)折叠或打开

  1. [root@compute-61 ldap]# slappasswd -s a123456
  2. {SSHA}fmi9B1qP6JPBHXVAg0Gcup/qQUWSzho9
  3. [root@compute-61 ldap]#
  4. [root@compute-61 ldap]#
  5. [root@compute-61 ldap]# vim chrootpw.ldif

在chrootpw.ldif中加入如下内容:

点击(此处)折叠或打开

  1. # specify the password generated above for "olcRootPW" section
  2. dn: olcDatabase={0}config,cn=config
  3. changetype: modify
  4. add: olcRootPW
  5. olcRootPW: {SSHA}fmi9B1qP6JPBHXVAg0Gcup/qQUWSzho9

执行ldapadd命令:

点击(此处)折叠或打开

  1. ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif


3. 导入基础的schemas,执行如下命令

点击(此处)折叠或打开

  1. ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
  3. ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
  5. ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

4. 设置 domain name on LDAP DB.

编辑chdomain.ldif,vim chdomain.ldif

点击(此处)折叠或打开

  1. # replace to your own domain name for "dc=***,dc=***" section
  2. # specify the password generated above for "olcRootPW" section
  3. dn: olcDatabase={1}monitor,cn=config
  4. changetype: modify
  5. replace: olcAccess
  6. olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  7.    read by dn.base="cn=manager,dc=openstack,dc=org" read by * none

  9. dn: olcDatabase={2}hdb,cn=config
  10. changetype: modify
  11. replace: olcSuffix
  12. olcSuffix: dc=openstack,dc=org

  14. dn: olcDatabase={2}hdb,cn=config
  15. changetype: modify
  16. replace: olcRootDN
  17. olcRootDN: cn=manager,dc=openstack,dc=org

  19. dn: olcDatabase={2}hdb,cn=config
  20. changetype: modify
  21. add: olcRootPW
  22. olcRootPW: {SSHA}fmi9B1qP6JPBHXVAg0Gcup/qQUWSzho9

  24. dn: olcDatabase={2}hdb,cn=config
  25. changetype: modify
  26. add: olcAccess
  27. olcAccess: {0}to attrs=userPassword,shadowLastChange by
  28.    dn="cn=manager,dc=openstack,dc=org" write by anonymous auth by self write by * none
  29. olcAccess: {1}to dn.base="" by * read
  30. olcAccess: {2}to * by dn="cn=manager,dc=openstack,dc=org" write by * read


执行ldapmodify

点击(此处)折叠或打开

  1. ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif


5. 修改LDAP的默认schema

LDAP的默认schema不能直接和openstack配合使用,有些openstack的用户、角色、租户需要的属性默认schema中没有,例如:enable,description等等,需要修改;其次,需要添加存储openstack相关模型(user,tenant,group,role,domain)的dn,以便保存数据。

vim modify.ldif

点击(此处)折叠或打开

  1. dn: cn={0}core,cn=schema,cn=config
  2. changetype: modify
  3. add: olcAttributeTypes
  4. olcAttributeTypes: {52}( 2.5.4.66 NAME 'enabled' DESC 'RFC2256: enabled of a group' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

  6. dn: cn={0}core,cn=schema,cn=config
  7. changetype: modify
  8. delete: olcObjectClasses
  9. olcObjectClasses: {7}( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
  10. -
  11. add: olcObjectClasses
  12. olcObjectClasses: {7}( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description $ enabled) )

  14. dn: cn={3}inetorgperson,cn=schema,cn=config
  15. changetype: modify
  16. delete: olcObjectClasses
  17. olcObjectClasses: {0}( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) )
  18. -
  19. add: olcObjectClasses
  20. olcObjectClasses: {0}( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 $ description $ enabled $ email ) )
将以上内容保存到对应的文件之后,执行如下命令:
ldapmodify -c -Y EXTERNAL -H ldapi:/// -f modify.ldif

6. 创建基础域

vim basedomain.ldif

点击(此处)折叠或打开

  1. dn: dc=openstack,dc=org
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    dc: openstack
    o: youyun

    dn: ou=users,dc=openstack,dc=org
    ou: users
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=projects,dc=openstack,dc=org
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=roles,dc=openstack,dc=org
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=groups,dc=openstack,dc=org
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=domains,dc=openstack,dc=org
    objectClass: top
    objectClass: organizationalUnit

执行
ldapadd -x -c -D"cn=manager,dc=openstack,dc=org" -w "a123456" -f basedomain.ldif

7. 修改keystone的配置文件

点击(此处)折叠或打开

  1. /etc/keystone/keystone.conf
将Identity的后端配置为ldap

点击(此处)折叠或打开

  1. [identity]
  2. driver = keystone.identity.backends.ldap.Identity
增加ldap段的配置,只需如下配置,其他可以使用默认值

点击(此处)折叠或打开

  1. [ldap]
  2. url = ldap://localhost
  3. user = cn=manager,dc=openstack,dc=org
  4. password = a123456
  5. suffix = dc=openstack,dc=org
  6. use_dumb_member = True
  7. allow_subtree_delete = False
  9. user_tree_dn = ou=users,dc=openstack,dc=org
  10. project_tree_dn = ou=projects,dc=openstack,dc=org #有的版本没有project_tree_dn,其对应的tree_dn为tenant_tree_dn
  11. role_tree_dn = ou=roles,dc=openstack,dc=org
  12. group_tree_dn = ou=groups,dc=openstack,dc=org
  13. #domain_tree_dn = ou=domains,dc=openstack,dc=org
重启keystone服务。

8. 配置keystone

创建admin 租户

点击(此处)折叠或打开

  1. keystone --os-token fac6fcc5b4b542a1bdd05013e57d7db4 --os-endpoint tenant-create --name admin
注意:fac6fcc5b4b542a1bdd05013e57d7db4 为/etc/keystone/keystone.conf中的admin_token的值

创建admin用户并绑定租户

点击(此处)折叠或打开

  1. keystone --os-token fac6fcc5b4b542a1bdd05013e57d7db4 --os-endpoint user-create --tenant-id 9a1d69f72c044ba29ceaa25731f1084a --name admin --pass admin

创建管理员角色(根据keystone默认的 policy.json)

点击(此处)折叠或打开

  1. keystone --os-token fac6fcc5b4b542a1bdd05013e57d7db4 --os-endpoint role-create --name admin

赋予admin租户中的的admin用户管理员权限

点击(此处)折叠或打开

  1. keystone --os-token fac6fcc5b4b542a1bdd05013e57d7db4 --os-endpoint user-role-add --tenant-id 9a1d69f72c044ba29ceaa25731f1084a --user-id dd71eb7771a845ea87c8ec5eb7a02f4c --role-id a516ce68a19448d7a5b2b78fcde9b726

9. 验证

keystone user-list
keystone role-list



 2016.05.03 shanghai pudong
阅读(2951) | 评论(0) | 转发(0) |
1

上一篇:vim tab设置为4个空格

下一篇:弄清socket

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6