From cc05aee3ba1a7d290e915020d1eeef12b62683ba Mon Sep 17 00:00:00 2001 From: razique Date: Tue, 19 Jun 2012 17:50:37 +0200 Subject: [PATCH] Fixes bug #953132 Docs for Essex need LDAP with Keystone configuration to be documented Rework of the LDAP presentation around Keystone : new reference table Patch set adds xml:id to the new sections so it'll build. Patch set 3 uses "exampledomain" instead of "younglogic" for the domain name and fixes typos (exmaple). Also rebased against stable/essex. Change-Id: I0c964785bba2f3a58d326cf8a685a87c23f04521 --- doc/src/docbkx/common/ch_identity_mgmt.xml | 232 ++++++++++++------ .../common/tables/ldap-keystone-conf.xml | 144 +++++++++++ .../identity-options-reference.xml | 9 + .../tables/ldap-nova-conf.xml | 77 +++++- 4 files changed, 382 insertions(+), 80 deletions(-) create mode 100644 doc/src/docbkx/common/tables/ldap-keystone-conf.xml create mode 100644 doc/src/docbkx/openstack-compute-admin/identity-options-reference.xml diff --git a/doc/src/docbkx/common/ch_identity_mgmt.xml b/doc/src/docbkx/common/ch_identity_mgmt.xml index c2fb645e257..80c8548c307 100644 --- a/doc/src/docbkx/common/ch_identity_mgmt.xml +++ b/doc/src/docbkx/common/ch_identity_mgmt.xml @@ -11,7 +11,7 @@ a separate logging configuration file, and initializing data into keystone using the command line client. - +
Configuration File @@ -25,19 +25,24 @@ drivers for the various services are included under their individual sections. - - The services include: - - [identity] - the python - module that backends the identity system - [catalog] - the python module that - backends the service catalog - [token] - the python module - that backends the token providing mechanisms - [policy] - the python module that - drives the policy system for RBAC - - + The services include: + + [identity] - the python module that + backends the identity system + + + [catalog] - the python module that + backends the service catalog + + + [token] - the python module that + backends the token providing mechanisms + + + [policy] - the python module that + drives the policy system for RBAC + + The configuration file is expected to be named keystone.conf. When starting up Identity, you @@ -167,10 +172,8 @@ keystone-all
Step 2: db_sync your new, empty database - - Run the following command to configure the most recent schema in - your new keystone installation: - + Run the following command to configure the most recent + schema in your new Identity installation: keystone-manage db_sync @@ -183,19 +186,16 @@ keystone-manage db_sync keystone-manage import_legacy [db_url, e.g. 'mysql://root@foobar/keystone'] - - Specify db_url as the connection string that was present in your - old keystone.conf file. - + Specify db_url as the connection string that was present + in your old keystone.conf file.
Step 4: Import your legacy service catalog - - While the older keystone stored the service catalog in the - database, the updated version configures the service catalog - using a template file. An example service catalog template file - may be found in etc/default_catalog.templates. - + While the older Identity service stored the service + catalog in the database, the updated version configures the + service catalog using a template file. An example service + catalog template file may be found in + etc/default_catalog.templates. To import your legacy catalog, run this command: @@ -220,10 +220,9 @@ keystone-manage export_legacy_catalog \ steps:
- Step 1: Export your data from Nova - - Use the following command to export your data fron Nova: - + Step 1: Export your data from Compute + Use the following command to export your data from + Compute (nova): nova-manage export auth > /path/to/dump @@ -364,15 +363,13 @@ keystone-manage db_sync
Example usage - - keystone is set up to expect commands in the - general form of keystone - command argument, followed - by flag-like keyword arguments to provide additional (often - optional) information. For example, the command - user-list and - tenant-create can be invoked as follows: - + The keystone client is set up to expect + commands in the general form of keystone + command + argument, followed by flag-like keyword + arguments to provide additional (often optional) information. + For example, the command user-list and + tenant-create can be invoked as follows: # Using token auth env variables export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/ @@ -500,9 +497,7 @@ keystone tenant-disable f2b7b39c860840dfa47d9ee4adffa0b3 Users
<literal>user-create</literal> - - keyword arguments - + keyword arguments: @@ -542,9 +537,7 @@ keystone user-create
<literal>user-delete</literal> - - keyword arguments - + keyword arguments: @@ -685,9 +678,7 @@ keystone user-update-password 03c84b51574841ba9a0d8db7882ac645 foo - - exmaple: - + example: keystone role-create --name=demo @@ -704,18 +695,14 @@ keystone role-create --name=demo - - exmaple: - + example: keystone role-delete 19d1d3344873464d819c45f521ff9890
<literal>role-list</literal> - - exmaple: - + example: keystone role-list @@ -732,9 +719,7 @@ keystone role-list - - exmaple: - + example: keystone role-get role=19d1d3344873464d819c45f521ff9890 @@ -949,12 +934,10 @@ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b [DEFAULT] admin_token = ADMIN - - This configured token is a "shared secret" between - keystone and other openstack services, and is used by the client - to communicate with the API to create tenants, users, roles, - etc. - + This configured token is a "shared secret" + between keystone and other OpenStack services, and is used + by the client to communicate with the API to create tenants, + users, roles, etc.
Setting up tenants, users, and roles @@ -1170,9 +1153,7 @@ use = egg:swift#catch_errors use = egg:swift#healthcheck - - - + Restart swift services. @@ -1272,6 +1253,119 @@ connection = boto.connect_s3(
+
+ Configuring Keystone for an LDAP backend + It is possible to connect an LDAP backend with the Identity service Keystone. + + Setting up the LDAP backend + + + Configuring Users + The users will be stored into a collection + ou=Users,$SUBTREEY that will make use of the standard LDAP + objectClassinetOrgPerson(being defined in + /etc/openldap/schema/inetorgperson.ldiff. You would only + need two LDAP fields :CN and CN. The CN field will + be used for the bind call, and is the ID field + for the user object. + + + Configuring Tenants + OpenStack tenants is also a collection. They are instances of the object + groupOfNames (defined in + /etc/openldap/schema/core.ldiff. In order to bind tenant + to users, the user's DN should be indicated + into the tenant's members attribute. + + + Configuring Roles + Roles will be stored into the organizationalRole LDAP object class, into + /etc/openldap/schema/core.ldiff. The assignment is + indicated via the User's DN in the roleOccupant attribute. + + + + + Setting up Keystone + + + The "[LDAP]" stanza in the + keystone.conf file allows + you to specify the parameters related to the LDAP + backend. 
Supported values are : + + + url + + + user + + + password + + + suffix + + + use_dumb_member + + + user_tree_dn + + + user_objectclass + + + user_id_attribute + + + tenant_tree_dn + + + tenant_objectclass + + + tenant_id_attribute + + + tenant_member_attribute + + + role_tree_dn + + + role_objectclass + + + role_id_attribute' + + + role_member_attribute + + + + + Here is a typical set-up : + [ldap] +url = ldap://localhost +tree_dn = dc=exampledomain,dc=com +user_tree_dn = ou=Users,dc=exampledomain,dc=com +role_tree_dn = ou=Roles,dc=exampledomain,dc=com +tenant_tree_dn = ou=Groups,dc=exampledomain,dc=com +user = dc=Manager,dc=exampledomain,dc=com +password = freeipa4all +backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role'] +suffix =cn=exampledomain,cn=com + +[identity] +driver = keystone.identity.backends.ldap.Identity + + +
+
+ Reference for LDAP Configuration Options in keystone.conf + +
Auth-Token Middleware with Username and Password @@ -1300,7 +1394,7 @@ admin_password = keystone123 It should be noted that when using this option an admin tenant/role relationship is required. The admin user is granted - access to to the 'Admin' role to the 'admin' tenant. + access to the 'Admin' role on the 'admin' tenant.
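Review bot: The "Supported values" list and the "typical set-up" example in the new LDAP section disagree: the example sets `tree_dn` and `backend_entities`, which the list does not name, while the list entry `role_id_attribute'` carries a stray apostrophe and the sentence "You would only need two LDAP fields :CN and CN" names the same attribute twice (the second is presumably another attribute; confirm against the backend). The example also binds as `user = dc=Manager,dc=exampledomain,dc=com` whereas the reference table added by the same commit gives `cn=Manager,...` for the bind DN; only one of the two can be right for a stock OpenLDAP Manager entry. The sample carries a literal bind credential, `password = freeipa4all`; a placeholder such as `password = <ldap_bind_password>` would read as clearly not-for-copying, and a sentence noting that keystone.conf then holds the bind password in clear text (so its file permissions matter) would help. The enclosing section continues into the next hunk.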
diff --git a/doc/src/docbkx/common/tables/ldap-keystone-conf.xml b/doc/src/docbkx/common/tables/ldap-keystone-conf.xml new file mode 100644 index 00000000000..92bd0bac450 --- /dev/null +++ b/doc/src/docbkx/common/tables/ldap-keystone-conf.xml @@ -0,0 +1,144 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Description of keystone.conf file configuration options + for LDAP
Configuration option=Default value(Type) Description
+ cloudadmin= "cn=cloudadmins,ou=Groups,dc=example,dc=com" (StrOpt) CN for Cloud Admins
+ developer= "cn=developers,ou=Groups,dc=example,dc=com" (StrOpt) CN for Developers
itsec= "cn=itsec,ou=Groups,dc=example,dc=com" (StrOpt) CN for ItSec
+ netadmin= "cn=netadmins,ou=Groups,dc=example,dc=com" (StrOpt) CN for NetAdmins
password= "changeme" (StrOpt) LDAP password
suffix= "cn=example,cn=com" (StrOpt) LDAP suffix
use_dumb_member=False (BoolOpt) Simulates an LDAP member
+ project_subtree= "ou=Groups,dc=example,dc=com" (StrOpt) OU for Projects
objectClass= inetOrgPerson (StrOpt) LDAP objectClass to use
schema_version=2 (IntOpt) Current version of the LDAP schema
+ sysadmin= "cn=sysadmins,ou=Groups,dc=example,dc=com" (StrOpt) CN for Sysadmins
url= "ldap://localhost" (StrOpt) Point this at your ldap server
user= "dc=Manager,dc=example,dc=com" (StrOpt) LDAP User
user_tree_dn="ou=Users,dc=example,dc=com" (StrOpt) OU for Users
user_dn= "cn=Manager,dc=example,dc=com" (StrOpt) DN of Users
user_objectClass= inetOrgPerson (StrOpt) DN of Users
user_id_attribute= cn (StrOpt) Attribute to use as id
user_modify_only=false (BoolOpt) Modify user attributes instead of + creating/deleting
user_name_attribute= cn (StrOpt) Attribute to use as name
user_subtree= "ou=Users,dc=example,dc=com" (StrOpt) OU for Users
user_unit= "Users" (StrOpt) OID for Users
tenant_tree_dn="ou=Groups,dc=example,dc=com" (StrOpt) OU for Tenants
tenant_objectclass= groupOfNames (StrOpt) LDAP ObjectClass to use for Tenants
tenant_id_attribute= cn (strOpt) Attribute to use as Tenant
tenant_member_attribute= member (strOpt) Attribute to use as Member
role_tree_dn= "ou=Roles,dc=example,dc=com" (strOpt) OU for Roles
role_objectclass= organizationalRole (strOpt) LDAP ObjectClass to use for Roles
role_project_subtree= "ou=Groups,dc=example,dc=com" (StrOpt) OU for Roles
role_member_attribute= roleOccupant (StrOpt) Attribute to use as Role member
role_id_attribute= cn (StrOpt) Attribute to use as Role
+ +
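Review bot: The new keystone.conf table mirrors the nova LDAP table rather than the keystone option list given in ch_identity_mgmt.xml: `cloudadmin`, `developer`, `itsec`, `netadmin`, `sysadmin`, `project_subtree`, `schema_version`, `user_dn`, `user_subtree`, `user_unit` and `role_project_subtree` are not among the "Supported values" that section enumerates, so a reader cannot tell which rows keystone actually honours. Within the table, `user_objectClass= inetOrgPerson (StrOpt) DN of Users` repeats the `user_dn` description instead of describing an objectClass; `(StrOpt) LDAP objectClass to use for Users` matches the neighbouring `tenant_objectclass` and `role_objectclass` rows. The same copied description appears in the ldap-nova-conf.xml hunk (`ldap_user_objectClass`). The `user=` row defaults to `dc=Manager,...` while `user_dn=` defaults to `cn=Manager,...`; both describe the bind identity and should agree.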
diff --git a/doc/src/docbkx/openstack-compute-admin/identity-options-reference.xml b/doc/src/docbkx/openstack-compute-admin/identity-options-reference.xml new file mode 100644 index 00000000000..eb0710ae074 --- /dev/null +++ b/doc/src/docbkx/openstack-compute-admin/identity-options-reference.xml @@ -0,0 +1,9 @@ + + + Reference for Configuration Options in keystone.conf + + + diff --git a/doc/src/docbkx/openstack-compute-admin/tables/ldap-nova-conf.xml b/doc/src/docbkx/openstack-compute-admin/tables/ldap-nova-conf.xml index c02309055ba..0c8dc14b039 100644 --- a/doc/src/docbkx/openstack-compute-admin/tables/ldap-nova-conf.xml +++ b/doc/src/docbkx/openstack-compute-admin/tables/ldap-nova-conf.xml @@ -15,31 +15,43 @@ ldap_cloudadmin= "cn=cloudadmins,ou=Groups,dc=example,dc=com" - (StrOpt) cn for Cloud Admins + (StrOpt) CN for Cloud Admins ldap_developer= "cn=developers,ou=Groups,dc=example,dc=com" - (StrOpt) cn for Developers + (StrOpt) CN for Developers ldap_itsec= "cn=itsec,ou=Groups,dc=example,dc=com" - (StrOpt) cn for ItSec + (StrOpt) CN for ItSec ldap_netadmin= "cn=netadmins,ou=Groups,dc=example,dc=com" - (StrOpt) cn for NetAdmins + (StrOpt) CN for NetAdmins ldap_password= "changeme" (StrOpt) LDAP password + + ldap_suffix= "cn=example,cn=com" + (StrOpt) LDAP suffix + + + ldap_use_dumb_member=False + (BoolOpt) Simulates an LDAP member + ldap_project_subtree= "ou=Groups,dc=example,dc=com" (StrOpt) OU for Projects + + ldap_objectClass= inetOrgPerson + (StrOpt) LDAP objectClass to use + ldap_schema_version=2 (IntOpt) Current version of the LDAP schema 
@@ -47,18 +59,30 @@ ldap_sysadmin= "cn=sysadmins,ou=Groups,dc=example,dc=com" - (StrOpt) cn for Sysadmins + (StrOpt) CN for Sysadmins ldap_url= "ldap://localhost" (StrOpt) Point this at your ldap server + + ldap_user= "dc=Manager,dc=example,dc=com" + (StrOpt) LDAP User + + + ldap_user_tree_dn="ou=Users,dc=example,dc=com" + (StrOpt) OU for Users + ldap_user_dn= "cn=Manager,dc=example,dc=com" - (StrOpt) DN of admin user + (StrOpt) DN of Users + + + ldap_user_objectClass= inetOrgPerson + (StrOpt) DN of Users - ldap_user_id_attribute= "uid" + ldap_user_id_attribute= cn (StrOpt) Attribute to use as id @@ -67,7 +91,7 @@ creating/deleting - ldap_user_name_attribute= "cn" + ldap_user_name_attribute= cn (StrOpt) Attribute to use as name @@ -79,11 +103,42 @@ (StrOpt) OID for Users - - role_project_subtree= "ou=Groups,dc=example,dc=com" + ldap_tenant_tree_dn="ou=Groups,dc=example,dc=com" + (StrOpt) OU for Tenants + + + ldap_tenant_objectclass= groupOfNames + (StrOpt) LDAP ObjectClass to use for Tenants + + + ldap_tenant_id_attribute= cn + (strOpt) Attribute to use as Tenant + + + ldap_tenant_member_attribute= member + (strOpt) Attribute to use as Member + + + ldap_role_tree_dn= "ou=Roles,dc=example,dc=com" + (strOpt) OU for Roles + + + ldap_role_objectclass= organizationalRole + (strOpt) LDAP ObjectClass to use for Roles + + + ldap_role_project_subtree= "ou=Groups,dc=example,dc=com" (StrOpt) OU for Roles + + ldap_role_member_attribute= roleOccupant + (StrOpt) Attribute to use as Role member + + + ldap_role_id_attribute= cn + (StrOpt) Attribute to use as Role + - +
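Review bot: In the `@@ -47,18 +59,30 @@` hunk the `ldap_user_dn` description is changed from "DN of admin user" to "DN of Users", which loses the point of the row: its value `cn=Manager,dc=example,dc=com` is the privileged bind DN, not a users container (that is `ldap_user_tree_dn`, added just above). Restoring `(StrOpt) DN of the admin bind user` keeps the two rows distinguishable. The default for `ldap_user_id_attribute` also moves from `"uid"` to `cn` without a mention in the commit message; if that is a real default change rather than a copy from the keystone table, the `ldap_user_name_attribute` row now shows the same attribute for id and name, which is worth a short explanatory sentence.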