
Chapter 8. Identity management with LDAP


If you have configured the Identity service (keystone) to authenticate against or to retrieve identity information from an LDAP server, you can secure LDAP communication for the Identity service by using a CA certificate.

You must obtain the CA certificate from Active Directory, convert the CA certificate file into Privacy Enhanced Mail (PEM) file format, and configure secure LDAP communication for the Identity service. You can perform this configuration with one of three methods, depending on where and how the CA trust is configured.

8.1. Obtaining the CA certificate from Active Directory

Use the following example code to query Active Directory for the CA certificate. CA_NAME is the common name of the enterprise CA as it appears under the Certification Authorities container; the remaining parameters can be changed to match your configuration:

# Connection parameters; adjust to your directory.
CA_NAME="WIN2012DOM-WIN2012-CA"
AD_SUFFIX="dc=win2012dom,dc=com"
LDAPURL="ldap://win2012.win2012dom.com"
ADMIN_DN="cn=Administrator,cn=Users,$AD_SUFFIX"
ADMINPASSWORD="MyPassword"

# DN of the CA object in the configuration naming context.
CA_CERT_DN="cn=$CA_NAME,cn=certification authorities,cn=public key services,cn=services,cn=configuration,$AD_SUFFIX"

# Scratch file for the exported certificate.
TMP_CACERT=/tmp/cacert.`date +'%Y%m%d%H%M%S'`.$$.pem

# -W prompts for the bind password, so ADMINPASSWORD is not exposed on the
# command line (and in the process list) with -w. The cACertificate attribute
# is binary, so ldapsearch prints it base64-encoded as "cACertificate:: ...";
# -o ldif-wrap=no keeps that value on a single line instead of folding it.
ldapsearch -xLLL -o ldif-wrap=no -H "$LDAPURL" -D "$ADMIN_DN" -W -s base -b "$CA_CERT_DN" "objectclass=*" cACertificate

8.2. Converting the CA certificate into PEM format

Before you can configure LDAP in the Identity service (keystone), you must convert the CA certificate to PEM format.

Procedure

  1. Create a file called /path/cacert.pem containing the base64 value of the cACertificate attribute that the LDAP query in the previous section returned, placed between a PEM header and footer. ldapsearch prints the binary attribute as "cACertificate:: " followed by base64 text and, unless line wrapping was disabled, folds that text across continuation lines that start with a single space. Join those lines, drop the attribute name, and wrap the value at 64 characters per line:

    -----BEGIN CERTIFICATE-----
    MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANB...
    -----END CERTIFICATE-----
  2. To confirm that the PEM file was created correctly and that the LDAP server's certificate chains to it, run the following query. LDAPTLS_CACERT makes ldapsearch trust only the named CA file for this invocation, and -ZZ requires the StartTLS negotiation to succeed, so the command fails if the server certificate cannot be verified against the file:

    LDAPTLS_CACERT=/path/cacert.pem ldapsearch -xLLL -ZZ -H $LDAPURL -s base -b "" "objectclass=*" currenttime

    The query should return a result similar to:

    dn:
    currentTime: 20141022050611.0Z
  3. If the CA certificate is published only through a TLS web server, you can extract it from the certificate chain that the server sends. -showcerts prints every certificate in the chain, leaf first, so the CA certificate is the last block in the output. Servers often omit the root CA itself from the chain, so check that the certificate you extract is the CA you expect before trusting it:

    HOST=redhat.com
    PORT=443

    # echo Q | openssl s_client -connect $HOST:$PORT -showcerts | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p'
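The query in section 8.1 and the first two steps of this procedure can be combined into a small script. The following is an added example, not code from the Red Hat documentation: ldif_to_pem reads the LDIF that ldapsearch prints for the cACertificate attribute, unfolds the continuation lines, strips the attribute name and re-wraps the base64 value as PEM, and check_ca_pem confirms with the openssl CLI that the result parses as an X.509 certificate carrying the CA basic constraint. The LDIF embedded below is constructed to mirror the shape of ldapsearch output; its base64 value is a truncated placeholder, not a decodable certificate, and the file path /path/cacert.pem is the one this chapter uses.

```shell
#!/bin/sh
# ldif_to_pem: read the LDIF that ldapsearch printed for the cACertificate
# attribute on stdin, write a PEM certificate on stdout.
#
# ldapsearch emits a binary attribute as "cACertificate:: <base64>" and folds
# long values across continuation lines that start with a single space, so the
# value has to be unfolded and the attribute name dropped before it can be
# wrapped in PEM armor. PEM base64 is conventionally wrapped at 64 columns.
ldif_to_pem() {
    b64=$(awk '
        /^ / { line = line substr($0, 2); next }   # continuation line: join to previous
        { if (line != "") print line; line = $0 }
        END { if (line != "") print line }
    ' | sed -n 's/^cACertificate:: *//p' | head -n 1)
    # A renewed CA carries several cACertificate values; the first one is used here.
    if [ -z "$b64" ]; then
        echo "ldif_to_pem: no base64 cACertificate value found in input" >&2
        return 1
    fi
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$b64" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# check_ca_pem FILE: confirm FILE parses as X.509 and is marked as a CA
# (Basic Constraints CA:TRUE). Requires the openssl CLI; exit status 0 on success.
check_ca_pem() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Constructed sample: the shape of the ldapsearch output from section 8.1. The
# base64 value is a truncated placeholder, not a decodable certificate.
SAMPLE_LDIF='dn: CN=WIN2012DOM-WIN2012-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=win2012dom,DC=com
cACertificate:: MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANBgkqhkiG9w0BAQsFADBE
 MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKd2luMjAxMmRv
 bTEcMBoGA1UEAxMTV0lOMjAxMkRPTS1XSU4yMDEyLUNBMB4XDTE0MTAyMjA1MDYx
 MVowRDET'

# The same placeholder value unfolded, for checking the conversion.
SAMPLE_B64='MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANBgkqhkiG9w0BAQsFADBEMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKd2luMjAxMmRvbTEcMBoGA1UEAxMTV0lOMjAxMkRPTS1XSU4yMDEyLUNBMB4XDTE0MTAyMjA1MDYxMVowRDET'

# Typical use against a live directory, with the variables from section 8.1:
#   ldapsearch -xLLL -H "$LDAPURL" -D "$ADMIN_DN" -W -s base -b "$CA_CERT_DN" \
#       "objectclass=*" cACertificate | ldif_to_pem > /path/cacert.pem
#   check_ca_pem /path/cacert.pem && \
#   LDAPTLS_CACERT=/path/cacert.pem ldapsearch -xLLL -ZZ -H "$LDAPURL" -s base -b "" "objectclass=*" currenttime
```

The CA:TRUE check matters because the query in section 8.1 returns whatever is stored in the CA object; if someone replaced it with a leaf certificate, Method 3 below would still accept the file but every TLS handshake would then fail verification, or worse, pass with tls_req_cert set to allow.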

8.3. Configuring secure LDAP communication for the Identity service

Use one of the following methods to configure LDAP for the Identity service (keystone).

Method 1

Use this method if the CA trust is configured at the LDAP level using a PEM file. Manually specify the location of a CA certificate file. The following procedure secures LDAP communication not only for the Identity service, but for all applications that use the OpenLDAP libraries.

  1. Copy the file containing your CA certificate chain in PEM format to the /etc/openldap/certs directory.
  2. Edit /etc/openldap/ldap.conf and add the following directive, replacing [CA_FILE] with the location and name of the CA certificate file:

    TLS_CACERT /etc/openldap/certs/[CA_FILE]
  3. Restart the horizon container:

    # systemctl restart tripleo_horizon

Method 2

Use this method if the CA trust is configured at the LDAP library level using a Network Security Services (NSS) database. Use the certutil command to import and trust a CA certificate into the NSS certificate database used by the OpenLDAP libraries. The following procedure secures LDAP communication not only for the Identity service, but for all applications that use the OpenLDAP libraries.

  1. Import and trust the certificate, replacing [CA_FILE] with the location and name of the CA certificate file:

    # certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i [CA_FILE]
  2. Confirm the CA certificate was imported correctly:

    # certutil -d /etc/openldap/certs -L

    Your CA certificate is listed, and the trust attributes are set to CT,,.

  3. Restart the horizon container:

    # systemctl restart tripleo_horizon

Method 3

Use this method if the CA trust is configured at the Keystone level using a PEM file. The final method of securing communication between the Identity service and an LDAP server is to configure TLS for the Identity service.

However, unlike the two methods above, this method secures LDAP communication only for the Identity service and does not secure LDAP communication for other applications that use the OpenLDAP libraries. The following procedure uses the openstack-config command to edit values in the /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf file.

  1. Enable TLS. With an ldap:// URL this makes the Identity service negotiate StartTLS on the connection. Do not set this option when the [ldap] url option already uses ldaps://, which is TLS from the start:

    # openstack-config --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf ldap use_tls True
  2. Specify the location of the certificate, replacing [CA_FILE] with the path of the PEM CA certificate file as it is visible to the keystone process:

    # openstack-config --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf ldap tls_cacertfile [CA_FILE]
  3. Specify how strictly the Identity service verifies the certificate that the LDAP server presents during the TLS handshake, replacing [CERT_BEHAVIOR] with one of the behaviors listed below:

    demand
    A certificate is always requested from the LDAP server. The session is terminated if no certificate is provided, or if the certificate provided cannot be verified against the configured certificate authorities file.
    allow
    A certificate is always requested from the LDAP server. The session proceeds even if no certificate is provided. If a certificate is provided but cannot be verified against the configured certificate authorities file, the certificate is ignored and the session proceeds.
    never
    A certificate is never requested.

    Only demand authenticates the LDAP server. With allow or never the connection is encrypted but the peer is not verified, so anyone who can intercept the traffic can present their own certificate and read the bind credentials and directory data; use demand outside of troubleshooting.

    # openstack-config --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf ldap tls_req_cert [CERT_BEHAVIOR]
  4. Restart the keystone and horizon containers:

    # systemctl restart tripleo_keystone
    # systemctl restart tripleo_horizon
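After applying Method 3 it is worth checking the resulting [ldap] section for the combinations that leave the channel unencrypted or unauthenticated. The following is an added example, not a tool shipped with Red Hat OpenStack Platform: ldap_tls_findings parses the [ldap] section of a keystone.conf with awk and reports an ldap:// URL without use_tls (cleartext), use_tls together with an ldaps:// URL (StartTLS cannot be negotiated on an LDAPS connection), and any tls_req_cert value other than demand (server certificate not verified). The option names and the defaults it assumes (use_tls False, tls_req_cert demand) are keystone's; the two configuration fragments are constructed for the example and not taken from a real deployment.

```shell
#!/bin/sh
# ldap_tls_findings CONF: audit the [ldap] section of a keystone.conf for TLS
# settings that leave the LDAP channel unencrypted or unauthenticated.
# Prints one FINDING line per problem and returns the number of findings
# (0 means nothing to fix). Defaults follow keystone's [ldap] section:
# use_tls defaults to False and tls_req_cert to demand.
ldap_tls_findings() {
    awk '
        /^[[:space:]]*\[/ { sect = $0; gsub(/\[|\]|[[:space:]]/, "", sect); next }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        sect == "ldap" && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            cfg[key] = val
        }
        END {
            url = cfg["url"]
            use_tls = tolower(cfg["use_tls"])
            req = ("tls_req_cert" in cfg) ? tolower(cfg["tls_req_cert"]) : "demand"
            n = 0
            if (url ~ /^ldap:\/\// && use_tls != "true") {
                print "FINDING: url is ldap:// and use_tls is not True: bind credentials and directory data travel in cleartext"
                n++
            }
            if (url ~ /^ldaps:\/\// && use_tls == "true") {
                print "FINDING: use_tls=True together with an ldaps:// URL: StartTLS cannot be negotiated on an LDAPS connection; set use_tls=False"
                n++
            }
            if (req != "demand") {
                print "FINDING: tls_req_cert=" req ": the LDAP server certificate is not verified, so TLS does not stop a man-in-the-middle; use demand"
                n++
            }
            exit n
        }
    ' "$1"
}

# Constructed sample configurations (not taken from a real deployment).
# Weak: StartTLS off on an ldap:// URL, and certificate verification relaxed.
WEAK_CONF='[DEFAULT]
debug = False

[ldap]
url = ldap://win2012.win2012dom.com
use_tls = False
tls_req_cert = allow
'

# Hardened: StartTLS on, CA file pinned, server certificate verification demanded.
HARDENED_CONF='[ldap]
url = ldap://win2012.win2012dom.com
use_tls = True
tls_cacertfile = /etc/keystone/cacert.pem
tls_req_cert = demand
'

# Typical use on a director-deployed controller:
#   ldap_tls_findings /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
```

The exit status equals the number of findings, so the function can gate a deployment pipeline directly; the WEAK_CONF fragment above produces two findings and HARDENED_CONF none.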