
[Openstack] (keystone/horizon) ActiveDirectory/ldap for users/groups

0 votes

Hi,

I’m having a bit of fun trying to use AD for identifying and authorising users on OpenStack.
The idea is to use AD for read-only access to users/group definitions, but all authorisation data to be stored in SQL.

What works: Users can be authenticated (LDAP bind works, verification of the user), but not yet authorised – one gets "You are not authorized for any projects or domains" after authentication (integration of groups).
On the command line with ldapsearch, users and groups can be listed (so the attributes configured should be ok?)

Problems when testing with horizon:
- Login via ldap fails on authorization
- If logged in as admin in the default (sql) domain, the LDAP domain can be viewed at /horizon/identity/domains/ but users and groups cannot be managed: “Unable to retrieve group list”, “Unable to retrieve user list”.
This may also be since the AD contains about 20’000 users (too much data for the user/group management screen)

The /etc/keystone/domains/keystone.example.com is as follows.

[ldap]
user_enabled_attribute=userAccountControl
query_scope=sub
user_filter=
group_allow_delete=False
page_size=0
use_tls=False
password=NOTHERE
user_allow_update=False
user_id_attribute=cn
user_enabled_mask=2
suffix=dc=example,dc=com
user_enabled_default=512
group_allow_update=False
user_name_attribute=sAMAccountName
chase_referrals=False
group_allow_create=False
user_allow_delete=False

group_name_attribute=cn
group_filter=
group_member_attribute=member
group_tree_dn=dc=example,dc=com
group_objectclass=group
group_desc_attribute=
group_id_attribute=

user_pass_attribute=userPassword
user=cn=my-service-user
user_allow_create=False
user_tree_dn=dc=example,dc=com
url=ldap://ldap.example.com
user_objectclass=person

[identity]
driver=keystone.identity.backends.ldap.Identity

Debugging for ldap was enabled to see the ldap binds/queries being sent out.

Versions:
keystone --version shows 2.3
Mitaka (with initial install done by Fuel).

Resources consulted so far:
http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider 
http://docs.openstack.org/admin-guide/keystone_integrate_with_ldap.html 
Book: openstack production recipes.
Also: https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow but got confused there.

Questions:
- Are there any good resources out there for AD integration? E.g. How user/group/roles work within an ldap context?
- Or tips on the above?
- How can one assign users from LDAP to the members or admin groups to get started?

Thanks in advance,

Sean


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
asked Aug 2, 2016 in openstack by Sean.Boran_at_swissc (340 points)

5 Responses

0 votes

Sean,
I would like to help you, but I need more information.
1. Could you please explain what your phrase means:
"On the command line with ldapsearch, users and groups can be listed (so the attributes configured should be ok?)"
2. Please try to use curl to debug:
- uncomment "admin_token = ADMIN" in your /etc/keystone/keystone.conf and restart keystone
- curl -s -H "X-Auth-Token: ADMIN" http://localhost:5000/v3/users
- curl -s -H "X-Auth-Token: ADMIN" http://localhost:5000/v3/groups
3. If something is wrong, go to the keystone log; keystone logs ldap requests, so you can see them and verify them.

Kind regards, Kseniya


responded Aug 2, 2016 by Kseniya_Tychkova (420 points)
0 votes

Sean,

the problem may be in the following: in the Mitaka release keystone requires the user to have a role in the domain it's getting authZ'd in. We ran into the problem when Horizon tried to authZ the user in the Default domain and got the same error.

responded Aug 2, 2016 by Alexander_V_Makarov (900 points)
0 votes

Hi,

So I logged in as admin/default, then switched to the ldap domain (horizon/identity/domains/) and added a role.
Next I tried to add a user to that role (/horizon/identity/users), but got “Unable to retrieve user list”.

In /var/log/user.log I see

LDAP bind: who=cn=bind-user,dc=example,dc=net
<14>Aug 2 16:12:45 node-16 admin: 2016-08-02 16:12:45.473 5366 INFO keystone.common.ldap.core [req-a18130f2-58e4-43e3-8cb2-aed4c112334b 8ce0f5b503914e08a8e4f24a1ebf83f8 7166483dcbc64ef79390795b9c425be5 - default default] LDAP search: base=dc=example,dc=net scope=2 filterstr=(&(objectClass=person)(cn=*)) attrs=['cn', 'userPassword', 'userAccountControl', 'sAMAccountName', 'mail', 'description'] attrsonly=0

2016-08-02 16:12:45.473 5366 INFO keystone.common.ldap.core [req-a18130f2-58e4-43e3-8cb2-aed4c112334b 8ce0f5b503914e08a8e4f24a1ebf83f8 7166483dcbc64ef79390795b9c425be5 - default default] LDAP search: base=dc=example,dc=net scope=2 filterstr=(&(objectClass=person)(cn=*)) attrs=['cn', 'userPassword', 'userAccountControl', 'sAMAccountName', 'mail', 'description'] attrsonly=0

If the ldap query “(&(objectClass=person)(cn=*))” is run through the CLI ldapsearch, it does return a long list of thousands of users.

Ah, just noticed /var/log/keystone/admin.log

2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in ldapcall
2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi result = func(*args,**kwargs)
2016-08-02 16:17:40.477 5365 ERROR keystone.common.wsgi SIZELIMIT_EXCEEDED: {'desc': 'Size limit exceeded'}

I wonder if there is a way for the UI to only fetch the first 100 users, or not to fetch any list, but just one by one?

Thanks,

Sean

responded Aug 2, 2016 by Sean.Boran_at_swissc (340 points)
0 votes
  1. For example, to list users:
    ldapsearch -x -D cn='service-account,dc=example,dc=net' '(&(objectClass=person)(cn=*))' -W

  2. admin_token is not commented out; it has a hash value, so I am doing:

curl -v -s -H "X-Auth-Token: " http://192.168.0.2:5000/v3/users

responded Aug 2, 2016 by Sean.Boran_at_swissc (340 points)
0 votes

Hi,

By setting the following one can limit the number of users shown (see also https://bugs.launchpad.net/keystone/+bug/1501698 which shows the commit earlier this year to include that feature)

[identity]
list_limit = 50

The efficiency of the query for getting users can be improved by the following (see http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx for very useful ldap queries for AD)
user_filter=(objectCategory=person)
user_objectclass=user

So now when one goes to horizon/identity/domains/ in the browser and then selects “manage members” from the dropdown for the LDAP domain, a list of 50 users pops up (and there are no errors such as SIZELIMIT_EXCEEDED).

The problem: One can see 50 users and search for a user within that list, however one cannot search for other users ☹.
Domain Groups have the same limitation.
This looks like a limitation in Horizon; ah, found this bug report: https://bugs.launchpad.net/horizon/+bug/1496045
To me it looks like support for LDAP paging needs to be added (http://jeftek.com/219/avoid-changing-the-maxpagesize-ldap-query-policy)?

Any suggestions on a workaround?
- Is there a way on the command line or API, perhaps, to assign an individual user or group from LDAP to a group such as member? i.e. without pulling down the complete list?

Regards, Sean.

responded Aug 5, 2016 by Sean.Boran_at_swissc (340 points)
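An added example (not keystone's code and not from any post in this thread) that parses a keystone domain config like the one posted above with Python's configparser and flags the settings behind the symptoms discussed: page_size=0 against a 20'000-user AD (no paged-results control, so the server-side size limit produces SIZELIMIT_EXCEEDED), ldap:// without use_tls (bind credentials cross the wire in cleartext), an empty user_filter, and a missing [identity] list_limit; it also reproduces keystone's userAccountControl enabled-mask rule for user_enabled_mask=2 / user_enabled_default=512. The AD default MaxPageSize of 1000 and the sample config are assumptions constructed for the example.

```python
"""Audit a keystone domain-specific LDAP config (added example, not keystone code)."""
import configparser

# Assumption: Active Directory's default MaxPageSize policy, the number of entries
# a non-paged search may return before the server answers SIZELIMIT_EXCEEDED.
AD_DEFAULT_MAX_PAGE_SIZE = 1000

# Constructed sample: the poster's domain config, trimmed to the options audited.
SAMPLE_CONF = """
[ldap]
url=ldap://ldap.example.com
use_tls=False
page_size=0
user_filter=
user_enabled_mask=2
user_enabled_default=512
user_allow_create=False
user_allow_update=False
user_allow_delete=False

[identity]
driver=keystone.identity.backends.ldap.Identity
"""


def audit_ldap_config(conf_text, directory_user_count):
    """Return finding names for a domain config, given the number of AD users."""
    cp = configparser.ConfigParser(interpolation=None)  # LDAP filters may contain '%'
    cp.read_string(conf_text)
    ldap = cp["ldap"]
    findings = []
    # ldap:// without STARTTLS: the service-user bind and every user's password
    # are sent in cleartext.
    if ldap.get("url", "").startswith("ldap://") and not ldap.getboolean("use_tls", fallback=False):
        findings.append("cleartext-bind")
    # page_size=0 disables keystone's paged-results control, so listing all users
    # of a large directory trips the server-side size limit.
    if ldap.getint("page_size", fallback=0) == 0 and directory_user_count > AD_DEFAULT_MAX_PAGE_SIZE:
        findings.append("sizelimit-exceeded")
    # An empty user_filter turns every listing into a full subtree scan.
    if not ldap.get("user_filter", "").strip():
        findings.append("unfiltered-user-search")
    # Read-only AD integration: keystone must never write back to the directory.
    for verb in ("create", "update", "delete"):
        if ldap.getboolean("user_allow_" + verb, fallback=True):
            findings.append("user_allow_" + verb)
    # Without [identity] list_limit, Horizon requests the whole user list at once.
    if not cp.has_option("identity", "list_limit"):
        findings.append("no-list-limit")
    return findings


def user_enabled(user_account_control, mask=2, default=512):
    """Keystone's enabled-mask rule for AD's userAccountControl: enabled unless the
    ACCOUNTDISABLE bit (mask) is set; a missing attribute reads as the default."""
    uac = int(default if user_account_control is None else user_account_control)
    return (uac & mask) != mask
```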