Chapter 2. Configure Red Hat Identity Management
In this example, IdM is situated externally to the Red Hat OpenStack Platform director deployment and is the source of all user and group information. RH-SSO will be configured to use IdM as its User Federation provider, and will then perform LDAP searches against IdM to obtain user and group information.
2.1. Create the IdM Service Account for RH-SSO
Although IdM allows anonymous binds, some information is withheld for security reasons. Some of this information withheld during anonymous binds is essential for RH-SSO user federation; consequently, RH-SSO will need to bind to the IdM LDAP server with enough privileges to successfully query the required information. As a result, you will need to create a dedicated service account for RH-SSO in IdM. IdM does not natively provide a command to do this, but you can use the ldapmodify command. For example:
You can use the configure-federation script to perform the above step:
$ ./configure-federation create-ipa-service-account
2.2. Create a test user
You will also need a test user account in IdM. You can either use an existing user or create a new one; the examples in this guide use "John Doe" with a uid of jdoe. You can create the jdoe user in IdM:
$ ipa user-add --first John --last Doe --email jdoe@example.com jdoe
Assign a password to the user:
$ ipa passwd jdoe
2.3. Create an IdM group for OpenStack Users
Create the openstack-users group in IdM.
1. Make sure the openstack-users group does not already exist:

   $ ipa group-show openstack-users
   ipa: ERROR: openstack-users: group not found

2. Add the openstack-users group to IdM:

   $ ipa group-add openstack-users

3. Add the test user to the openstack-users group:

   $ ipa group-add-member --users jdoe openstack-users

4. Verify that the openstack-users group exists and has the test user as a member:

   $ ipa group-show openstack-users
     Group name: openstack-users
     GID: 331400001
     Member users: jdoe
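As an added pre-flight check (example code written for this page, not part of the Red Hat guide or the configure-federation script), the Python helper below binds to IdM as a chosen DN, such as the RH-SSO service account from Section 2.1, reads the test user from Section 2.2, and reports whether the attributes user federation needs are visible to that bind and whether the user is a member of openstack-users from Section 2.3. The attribute list, the use of the ldap3 package, and the IdM container DNs are assumptions made for this example.

```python
# Attributes RH-SSO user federation is assumed to read for each user entry
# (assumption for this example). An anonymous IdM bind can withhold some
# of them, which is why section 2.1 creates a dedicated service account.
REQUIRED_USER_ATTRS = ("uid", "cn", "mail", "memberOf")

def user_base(suffix):
    """IdM stores user entries under cn=users,cn=accounts,<suffix>."""
    return f"cn=users,cn=accounts,{suffix}"

def group_dn(name, suffix):
    """IdM stores group entries under cn=groups,cn=accounts,<suffix>."""
    return f"cn={name},cn=groups,cn=accounts,{suffix}"

def missing_attrs(entry, required=REQUIRED_USER_ATTRS):
    """Required attributes absent or empty in one entry (dict attr -> values)."""
    return [attr for attr in required if not entry.get(attr)]

def is_member(entry, group, suffix):
    """True if the entry's memberOf values include the given IdM group."""
    wanted = group_dn(group, suffix).lower()
    return any(dn.lower() == wanted for dn in entry.get("memberOf", []))

def check_entry(entry, group, suffix):
    """Summarise what the bind that fetched `entry` can see about the user."""
    missing = missing_attrs(entry)
    member = is_member(entry, group, suffix)
    return {"missing": missing, "in_group": member, "ok": not missing and member}

def fetch_user(server, bind_dn, password, suffix, uid):
    """Bind as bind_dn (e.g. the RH-SSO service account) and read one user.

    Needs the ldap3 package; it is imported here so that the pure checks
    above run without it.  Returns {} if the user is not visible.
    """
    import ldap3
    from ldap3.utils.conv import escape_filter_chars

    conn = ldap3.Connection(ldap3.Server(server, use_ssl=True),
                            user=bind_dn, password=password, auto_bind=True)
    conn.search(user_base(suffix), f"(uid={escape_filter_chars(uid)})",
                attributes=list(REQUIRED_USER_ATTRS))
    if not conn.entries:
        return {}
    attrs = conn.entries[0].entry_attributes_as_dict
    return {attr: list(attrs.get(attr, [])) for attr in REQUIRED_USER_ATTRS}
```

Run `check_entry(fetch_user(...), "openstack-users", suffix)` once with the service account credentials and once with an empty bind DN and password (anonymous) to see which attributes the anonymous bind leaves out.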