Keystone with Active Directory and Multiple OU lookup

Generally the Active Directory deployments are very large and properly organised under multiple Organizational Units(OU).  OUs can be based on Department, Functioning groups etc.

Following diagram depict the sample AD environment with multiple OU.

Screenshot from 2015-11-27 22:06:42

One can configure the AD with Keystone using ldap identity provider so that users from AD are visible on Keystone.

In current keystone ldap provider there is no mechanism of providing two or more OUs. For Example today if one want to use only user from OU=Comp and OU=Admin for keystone he has to provide user OU as dc=myuniv,dc=com ie root of AD. Because of this all users from all OUs will be visible to keystone. Currently providing multiple OUs in keystone configuration in not in plan.

However one can limit the number of users visible to keystone using following two mechanisms from Active Directory.

  1. Update attribute of all users those users should be visible to keystone and update the
    For example I chose ‘description’ attribute of user on Active Directory and updated the this attribute of all user those should be visible to keystone with description=OBJECT_USERRun following on spectrum scale cluster to update the filter
    mmobj config change –ccrfile keystone.conf –section ldap –property user_filter –value ‘(description=OBJECT_USER)’
  2. Another approach apply ACL on bind user such that only required OU’s will be visible to keystone.In this deny full acl need to be added for bind user on all OU except the OU’s from which users will be visible to keystone.

    For example in my setup I dont want user from OU=org1. testuser1 is binduser hence i added  deny acl for testuser1 on OU=org1.
    Deny
    Now keystone will list all users expect users from OU=org1.

    “These are my personal views and do not necessarily reflect that of my employer”

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s