OpenStack Active Directory Integration – My Icehouse LDAP Objects

I just configured my OpenStack Icehouse deployment to use Active Directory authentication. This is the list of LDAP objects that I created. The layout is: each project is an OU under OU=Projects; the global roles are organizationalRole objects under OU=Roles; each project's role holders are organizationalRole objects (attribute roleOccupant) under that project's OU, alongside a groupOfNames listing the project's members; and the user accounts themselves live in the domain's built-in CN=Users container (note CN=, not OU=, for that container; see the comments below). The parent containers OU=OpenStack and OU=Projects are not listed here.

# this is the admin project
dn: OU=admin,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalUnit

# this is the admin project's admin role occupants
dn: CN=admin,OU=admin,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalRole
roleOccupant: CN=admin,CN=Users,DC=mydomain,DC=net

# this is the admin project's members
dn: CN=adminMembers,OU=admin,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: groupOfNames
member: CN=admin,CN=Users,DC=mydomain,DC=net

# this is the service project
dn: OU=service,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalUnit

# this is the service project's members
dn: CN=serviceMembers,OU=service,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: groupOfNames
member: CN=swift,CN=Users,DC=mydomain,DC=net
member: CN=cinder,CN=Users,DC=mydomain,DC=net
member: CN=nova,CN=Users,DC=mydomain,DC=net
member: CN=glance,CN=Users,DC=mydomain,DC=net

# this is the service project's admin role occupants
dn: CN=admin,OU=service,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalRole
roleOccupant: CN=swift,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=cinder,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=nova,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=glance,CN=Users,DC=mydomain,DC=net

# this is the demo project
dn: OU=demo,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalUnit

# this is the demo project's member role occupants
dn: CN=member,OU=demo,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalRole
roleOccupant: CN=demo,CN=Users,DC=mydomain,DC=net

# this is the demo project's members
dn: CN=demoMembers,OU=demo,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: groupOfNames
member: CN=demo,CN=Users,DC=mydomain,DC=net

# these are the global roles
dn: OU=Roles,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalUnit

# the admin role
dn: CN=admin,OU=Roles,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalRole
roleOccupant: CN=swift,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=cinder,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=nova,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=glance,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=admin,CN=Users,DC=mydomain,DC=net

# the regular user role
dn: CN=Member,OU=Roles,OU=OpenStack,DC=mydomain,DC=net
changetype: add
objectClass: top
objectClass: organizationalRole
roleOccupant: CN=demo,CN=Users,DC=mydomain,DC=net
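Before pointing Keystone at a tree like this, the two things worth checking are which principals end up holding admin in which scope, and whether every per-project grant is mirrored by the matching global role (here the admin role is granted both globally and under the admin and service projects, and Member both globally and under demo). The script below is an added example, not code from the original post: it parses the organizationalRole entries listed above offline and answers both questions. The embedded LDIF is a copy of those entries (comment lines and the OU and groupOfNames objects dropped, since only the role objects carry assignments); the container DNs it compares against are the ones in the listing. Role names and DNs are case-folded because Active Directory matches DN components case-insensitively, so CN=member and CN=Member are treated as the same role.

```python
from collections import defaultdict

# Constructed input: the organizationalRole entries listed above (comments and
# the OU / groupOfNames entries omitted; only role objects carry assignments).
LDIF = """\
dn: CN=admin,OU=admin,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalRole
roleOccupant: CN=admin,CN=Users,DC=mydomain,DC=net

dn: CN=admin,OU=service,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalRole
roleOccupant: CN=swift,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=cinder,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=nova,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=glance,CN=Users,DC=mydomain,DC=net

dn: CN=member,OU=demo,OU=Projects,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalRole
roleOccupant: CN=demo,CN=Users,DC=mydomain,DC=net

dn: CN=admin,OU=Roles,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalRole
roleOccupant: CN=swift,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=cinder,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=nova,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=glance,CN=Users,DC=mydomain,DC=net
roleOccupant: CN=admin,CN=Users,DC=mydomain,DC=net

dn: CN=Member,OU=Roles,OU=OpenStack,DC=mydomain,DC=net
objectClass: organizationalRole
roleOccupant: CN=demo,CN=Users,DC=mydomain,DC=net
"""

# Lowercase throughout: AD matches DN components case-insensitively.
USERS = "cn=users,dc=mydomain,dc=net"             # AD's built-in Users container
PROJECTS = "ou=projects,ou=openstack,dc=mydomain,dc=net"
ROLES = "ou=roles,ou=openstack,dc=mydomain,dc=net"


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; '#' lines are skipped, a blank line ends an entry."""
    entries = []
    for block in text.split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or not line.strip():
                continue
            key, _, value = line.partition(":")
            if key.strip().lower() == "dn":
                dn = value.strip()
            else:
                attrs[key.strip().lower()].append(value.strip())
        if dn:
            entries.append((dn, dict(attrs)))
    return entries


def rdns(dn):
    """DN -> [(type, value), ...], lowercased (no escaped commas in these DNs)."""
    return [tuple(p.strip() for p in r.split("=", 1)) for r in dn.lower().split(",")]


def role_assignments(entries):
    """(scope, role) -> occupant DNs; scope is 'global' under OU=Roles, else the project OU."""
    out = defaultdict(set)
    for dn, attrs in entries:
        if "organizationalrole" not in [c.lower() for c in attrs.get("objectclass", [])]:
            continue
        parts = rdns(dn)
        parent = ",".join("=".join(p) for p in parts[1:])
        if parent == ROLES:
            scope = "global"
        elif len(parts) > 2 and parts[1][0] == "ou" and parent.endswith("," + PROJECTS):
            scope = parts[1][1]          # the project OU the role object sits in
        else:
            continue
        out[(scope, parts[0][1])] |= {o.lower() for o in attrs.get("roleoccupant", [])}
    return dict(out)


def admin_holders(entries):
    """Principal -> scopes in which it holds 'admin': the list to review first."""
    holders = defaultdict(set)
    for (scope, role), occupants in role_assignments(entries).items():
        if role == "admin":
            for o in occupants:
                holders[o].add(scope)
    return dict(holders)


def audit(entries):
    """Findings to clear before use: every occupant must be a CN=Users principal and
    every project-level grant must be mirrored by the same global role."""
    roles, findings = role_assignments(entries), []
    for (scope, role), occupants in roles.items():
        for o in occupants:
            if not o.endswith("," + USERS):
                findings.append(f"{scope}/{role}: occupant {o} is outside {USERS}")
            if scope != "global" and o not in roles.get(("global", role), set()):
                findings.append(f"{scope}/{role}: {o} has no matching global '{role}' grant")
    return findings
```

Run against the listing as copied, `audit` returns no findings and `admin_holders` shows the admin account plus the four service accounts (swift, cinder, nova, glance) holding admin globally, with the service accounts also holding it on the service project. Against a live directory the same questions can be answered by an LDAP search for `(objectClass=organizationalRole)` under OU=OpenStack and feeding the results to `role_assignments` instead of the text parser.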

2 thoughts on “OpenStack Active Directory Integration – My Icehouse LDAP Objects”

  1. Richard Kellner

    We are using your articles to configure OpenStack for AD. From the discussion, ‘Users’ appears to be an OU container, but the DN syntax for user objects appears otherwise. For instance, should a user DN be ‘CN=admin,CN=Users,DC=mydomain,DC=net’ or ‘CN=admin,OU=Users,DC=mydomain,DC=net’?

    1. Brian Seltzer Post author

      Correct. Users is not an organizational unit, it is a container. Not sure why Microsoft made that distinction. There are several built-in containers that are not OUs. They are easy to spot in the AD GUI, they don’t have the OU icon, just a plain folder icon. The DN component for these is CN=name instead of OU=name.

