We just deployed VIO 3.0 and are trying to configure it with Active Directory authentication. We have an LDAP config that VIO accepts but nobody can login. Does anyone have any pointers on how to configure?
Thanks!
-Michael Richter
Thank you for the help everyone! We were finally able to figure it out.
Basically we were using the wrong filters for users. Once we started filtering on the openstack group we created in AD, things started working a lot better.
We did end up having to use CLI to assign initial group access.
As far as the AD Identity Source configuration in the GUI goes, here is what our settings look like. We created a VIOUser account to bind to the domain and a VIO_Users group into which we placed the AD user accounts we wanted to grant login capability to VIO.
Domain Name: example.com
Bind user / password: User that is a member of the domain.
User Tree DN: OU=Users,DC=example,DC=com
User filter: (memberOf=CN=VIO_users,OU=Groups,DC=example,DC=com)
Group tree DN: OU=Groups,DC=example,DC=com
Advanced settings:
Encryption: SSL
Host name: <domain controller 1>.example.com, <domain controller 2>.example.com
Port: 636
User objectclass: person
User ID attribute: sAMAccountName
User name attribute: sAMAccountName
User mail attribute: mail
User password attribute: userPassword
Group objectclass: group
Group ID attribute: cn
Group name attribute: sAMAccountName
Group member attribute: member
Group description attribute: description
Lastly, these were the steps we performed to configure the initial user accounts in the OpenStack project:
The next few steps involve SSH-ing to the OpenStack Management Server (OMS) and configuring the initial user accounts and related access to OpenStack projects.
Note: Whatever name your domain is, VIO refers to it as 'default'.
Hope that helps others out there.
Thanks again!
Can you try using "Default" as the domain name?
Also, could you provide some more details about what configuration you have done, as well as what steps you completed?
In VIO 3.0 we configure keystone with a multi-domain backend. For the LDAP configuration we set up the LDAP backend on the "Default" domain. Thus you will need to specify the "Default" domain on the horizon login screen in order to log in.
Hope this information helps.
~ Sidharth
By default, no LDAP users are allowed to log in, as there is no active project associated with LDAP users in a fresh deployment. In such a case, you need to assign the "admin" or "member" role to the LDAP users with the administrative user "admin" created in the "local" domain before their first login.
Thank you for that information. We can log in with the default domain and admin credentials, but there is no way we can tell to specify LDAP users or create a new project for a domain.
When we try to configure the LDAP settings, we specify the OU in AD under which all our users are created, with the following user query filter:
(&(objectCategory=person)(objectClass=user)(!(|(objectClass=computer)(msExchResourceMetaData=ResourceType:Room)(userAccountControl:1.2.840.113556.1.4.803:=2))))
However, we get an error saying more than 1000 users were returned. Have you had any success with limiting the users so that fewer than 1000 are returned, and what did the query filter look like?
Thanks!
ssurana - Thanks for the info. I was able to get in using the default domain but ran into more trouble. Not sure if you saw but I posted some of the config I am using at the bottom of the thread.
Thanks!
You can always use CLI to assign roles for LDAP users.
$ source ~/cloudadmin_v3.rc
$ openstack --os-identity-api-version 3 --os-user-domain-name local --os-project-name admin --os-region-name nova project create --domain default --description "Demo Project" --or-show demo
$ openstack --os-identity-api-version 3 --os-user-domain-name local --os-project-name admin --os-region-name nova role add --project demo --project-domain default --user SOMEUSER@SOMECORP.COM --user-domain default admin
As for limiting the results, you may add a new condition at the end of your filter.
(&(objectCategory=person)(objectClass=user)(!(|(objectClass=computer)(msExchResourceMetaData=ResourceType:Room)(userAccountControl:1.2.840.113556.1.4.803:=2))))(YOUR_CONDITION_HERE)
You can find a common attribute / value for all the users you want to show up in the result.
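Added example (not code from VIO, OpenStack or any poster in this thread): a small Python evaluator for the LDAP filter syntax used above, run against a constructed in-memory stand-in for an AD Users OU. It shows the broad user filter from the earlier question matching more than 1000 objects, the memberOf= filter from the accepted answer narrowing the result to the VIO_users group, and why an extra condition has to go inside the outer (&...) rather than be appended after it: "(&...)(condition)" is two filters, not one, and a parser rejects it. The group DN, the user counts and the userAccountControl values are all constructed; the matching-rule OID 1.2.840.113556.1.4.803 is the one already in the thread's filter (AD's bit-AND rule).

```python
"""Evaluate LDAP search filters (RFC 4515 subset) against constructed AD-style entries.
Added example for this thread; not code from VIO, OpenStack or any poster.
Directory contents and result counts are constructed, not taken from a real domain."""
import re

BIT_AND_OID = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND (Active Directory)
UF_ACCOUNTDISABLE = 0x2                  # userAccountControl "account disabled" bit
AD_MAX_PAGE_SIZE = 1000                  # default MaxPageSize of an AD LDAP server

VIO_GROUP_DN = "CN=VIO_users,OU=Groups,DC=example,DC=com"          # constructed
BROAD_FILTER = ("(&(objectCategory=person)(objectClass=user)(!(|(objectClass=computer)"
                "(msExchResourceMetaData=ResourceType:Room)"
                "(userAccountControl:1.2.840.113556.1.4.803:=2))))")  # filter from the thread
GROUP_FILTER = f"(memberOf={VIO_GROUP_DN})"                          # accepted answer's filter

_LEAF = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)", re.S)


def parse_filter(text):
    """Parse one filter into ('&'|'|'|'!', [children]) or ('=', attr, rule_oid, value).
    Escaped values (\\2a etc.) are not handled; the thread's filters do not use them."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in ("&", "|", "!"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        m = _LEAF.fullmatch(text[pos:end])
        if not m:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", m.group(1).lower(), m.group(2), m.group(3))  # attribute names are case-insensitive

    tree = node()
    if pos != len(text):
        # Two filters glued together, e.g. "(&...)(memberOf=...)", end up here.
        raise ValueError(f"trailing text after filter at offset {pos}")
    return tree


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(tree, entry):
    """True if entry (lower-cased attribute -> list of string values) satisfies tree."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, rule, value = tree
    values = entry.get(attr, [])
    if rule == BIT_AND_OID:                       # bitwise test on an integer attribute
        mask = int(value)
        return any((int(v) & mask) == mask for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(filter_text, entries):
    tree = parse_filter(filter_text)
    return [e for e in entries if matches(tree, e)]


def narrow_filter(base, condition):
    """Put condition inside the outer (&...) of base, or wrap both in (&...)."""
    parse_filter(base)
    parse_filter(condition)          # fail early on a malformed condition
    if base.startswith("(&"):
        return base[:-1] + condition + ")"
    return f"(&{base}{condition})"


def exceeds_page_limit(results, limit=AD_MAX_PAGE_SIZE):
    return len(results) > limit


def build_sample_directory(n_users=1200, n_disabled=30, n_vio=40):
    """Constructed stand-in for an AD Users OU: user accounts, five computer objects and
    one Exchange room mailbox.  Every (n_users // n_vio)-th user is in VIO_users; the
    last n_disabled users are disabled (this overlaps one group member)."""
    entries, stride = [], n_users // n_vio
    for i in range(n_users):
        uac = 0x200 | (UF_ACCOUNTDISABLE if i >= n_users - n_disabled else 0)  # 0x200 = NORMAL_ACCOUNT
        entries.append({
            "objectcategory": ["person"],   # AD resolves the short name to the schema DN
            "objectclass": ["top", "person", "organizationalPerson", "user"],
            "samaccountname": [f"user{i:04d}"],
            "useraccountcontrol": [str(uac)],
            "memberof": [VIO_GROUP_DN] if i % stride == 0 else [],
        })
    for i in range(5):
        entries.append({"objectcategory": ["computer"],
                        "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
                        "samaccountname": [f"HOST{i:02d}$"],
                        "useraccountcontrol": ["4096"]})    # WORKSTATION_TRUST_ACCOUNT
    entries.append({"objectcategory": ["person"],
                    "objectclass": ["top", "person", "organizationalPerson", "user"],
                    "samaccountname": ["room-boardroom"],
                    "useraccountcontrol": ["512"],          # kept enabled so the room clause is what excludes it
                    "msexchresourcemetadata": ["ResourceType:Room"]})
    return entries


if __name__ == "__main__":
    directory = build_sample_directory()
    broad = search(BROAD_FILTER, directory)
    print("broad filter:", len(broad), "objects, over AD page limit:", exceeds_page_limit(broad))
    print("group-only filter:", len(search(GROUP_FILTER, directory)), "objects")
    combined = narrow_filter(BROAD_FILTER, GROUP_FILTER)
    print("combined filter:", len(search(combined, directory)), "objects")
    print("naive concatenation is a valid filter:", is_valid_filter(BROAD_FILTER + GROUP_FILTER))
```

Combining the group test with the disabled-account exclusion also drops disabled accounts that are still in the group (39 of 40 in the constructed sample), which the memberOf-only filter in the accepted answer does not; stale group membership is the usual way such accounts keep a login path.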
Hi,
As a follow-up, we have updated our documentation and those steps are now detailed:
New updated LDAP documentation: adds the clarification that you need to add a filter if the query returns more than 1000 objects.
Modify the Default Domain Configuration: this includes the CLI step to add the first AD user, as well as, at the end, the steps to address non-standard characters in usernames.
Hi, I did all your steps, but in the last step (grant users to project), if I put the same command, I get the output "Must specify either a domain or project". Is the last command right?
If I put openstack role --user demo@somecorp.com --domain default admin, I get: No user with a name or ID of 'demo@somecorp.com' exists.
If I put openstack role --user demo@somecorp.com --project lab admin, I also get: No user with a name or ID of 'demo@somecorp.com' exists.
Although when I put openstack user list --domain default, I see the user "demo@somecorp.com" listed there.
Any ideas?
".cloudadmin_v3.rc" doesn't exist in our install either (doesn't the dot prefix mean it's a hidden file?). I used just cloudadmin.rc to perform the steps as defined above and it seems to be working. However, I am having some issues with the filtering of AD groups, so the queries are not as optimal as I'd like, and a couple of the commands are lacking syntax, but that's identified in the subsequent posts, so I won't bother to go over them again.
Hi,
Thanks. I have another problem: I can import just 100 users, not more! I don't understand why.
For information, I have more than 100 users.
Any suggestions?