Search

Chapter 2. Configuring Red Hat Identity management

download PDF

You can configure Red Hat OpenStack Platform with federated user management with the following features:

  • Red Hat Identity Management (IdM) is external to Red Hat OpenStack Platform
  • Red Hat IdM is the source of all user and group information
  • Red Hat Single Signon (RH-SSO) is configured to use Red Hat IdM for user Federation

2.1. Creating the IdM service account for RH-SSO

If you use anonomous binds, some information that is essential for Red Hat Single Sign-On (RH-SSO) is withheld for security reasons. As a result, you need provide the appropriate privileges for RH-SSO in the forma a dedicated account to query the IdM LDAP server for this information:

LDAP_URL="ldaps://$FED_IPA_HOST"
DIR_MGR_DN="cn=Directory Manager"
SERVICE_NAME="rhsso"
SERVICE_DN="uid=$service_name,cn=sysaccounts,cn=etc,$FED_IPA_BASE_DN"

$ ldapmodify -H "${LDAP_URL}" -x -D "${DIR_MGR_DN}" -w <_FED_IPA_ADMIN_PASSWD_> <<EOF
dn: ${SERVICE_DN}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ${SERVICE_NAME}
userPassword: <_FED_IPA_RHSSO_SERVICE_PASSWD_>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
Note

You can use the configure-federation script to perform the above step: $ ./configure-federation create-ipa-service-account

2.2. Creating a test user

Create a user account in IdM for testing:

Procedure

  1. Create a user jdoe in IdM:

    $ipa user-add --first John --last Doe --email jdoe@example.com jdoe
  2. Assign a password to the user:

    $ipa passwd jdoe

2.3. Creating an IdM group for OpenStack users

You must have an IdM group openstack-users to map to the Keystone group federated_users. Map the test user to this group.

Create the openstack-users group in Red Hat Identity Management (IdM):

Procedure

  1. Ensure that the openstack-users group does not exist:

    $ ipa group-show openstack-users
    ipa: ERROR: openstack-users: group not found
  2. Add the openstack-users group to IdM:

    ipa group-add openstack-users
  3. Add the test users to the openstack-users group:

    ipa group-add-member --users jdoe openstack-users
  4. Verify that the openstack-users group exists and has the test user as a member:

    $ ipa group-show openstack-users
      Group name: openstack-users
      GID: 331400001
      Member users: jdoe
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.