keystone ldap #31

Supports: xenial bionic eoan focal trusty groovy


Keystone v3 deployments support the use of domain specific identity drivers, allowing different types of authentication backend to be deployed in a single Keystone deployment. . This charm supports use of LDAP or Active Directory domain backends, with configuration details provided by charm configuration options.


This subordinate charm provides a LDAP domain backend for integrating a Keystone v3 deployment with an external LDAP based authentication system.


Use this charm with the Keystone charm, running with preferred-api-version=3:

juju deploy keystone
juju config keystone preferred-api-version=3
juju deploy keystone-ldap
juju add-relation keystone-ldap keystone

Configuration Options

LDAP configuration is provided to this charm via configuration options:

juju config keystone-ldap ldap-server="ldap://" \
            ldap-user="cn=admin,dc=test,dc=com" \
            ldap-password="password" \

By default, the name of the application ('keystone-ldap') is the name of the domain for which a domain specific configuration will be configured; you can change this using the domain-name option:

juju config keystone-ldap domain-name="myorganisationname"

The keystone charm will automatically create a domain to support the backend once deployed.

LDAP configurations can be quite complex. The ldap-config-flags configuration option provides the mechanism to pass arbitrary configuration options to keystone in order to handle any given LDAP backend's specific requirements.

For very simple LDAP configurations a string of comma delimited key=value pairs can be used:

juju config keystone-ldap \

For more complex configurations such as working with Active Directory use a configuration yaml file.

juju config keystone-ldap --file flags-config.yaml

Where flags-config.yaml has the contents similar to the following. The ldap-config-flags value uses a json like string for the key value pairs:

keystone-ldap: ldap-config-flags: "{ user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', user_filter: '(memberOf=CN=users-cn,OU=Groups,DC=dc1,DC=ad,DC=example,DC=com)', query_scope: sub, user_objectclass: person, user_name_attribute: sAMAccountName, user_id_attribute: sAMAccountName, user_mail_attribute: mail, user_enabled_attribute: userAccountControl, user_enabled_mask: 2, user_enabled_default: 512, user_attribute_ignore: 'password,tenant_id,tenants', user_allow_create: False, user_allow_update: False, user_allow_delete: False, }"

Note: The double quotes and braces around the whole string. And single quotes around the individual complex values.


Please report bugs on Launchpad.

For general questions please refer to the OpenStack Charm Guide.


(string) Name of the keystone domain to configure; defaults to the deployed application name.
(string) Additional LDAP configuration options. For simple configurations use a comma separated string of key=value pairs. "user_allow_create=False, user_allow_update=False, user_allow_delete=False" For more complex configurations use a json like string with double quotes and braces around all the options and single quotes around complex values. "{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', user_allow_create: False, user_allow_delete: False}" See the README for more details.
(string) Password of the LDAP identity server.
(boolean) LDAP identity server backend readonly to keystone.
(string) LDAP server URL for keystone LDAP identity backend. Examples: ldap:// ldaps:// ldap://,ldaps:// Usage of ldap:// urls with tls_ca_ldap option specified or certificates relation presence will result in mandatory StartTLS usage.
(string) LDAP server suffix to be used by keystone.
(string) Username (Distinguished Name) used to bind to LDAP identity server. . Example: cn=admin,dc=test,dc=com
(string) This option controls which certificate (or a chain) will be used to connect to an ldap server(s) over TLS. Certificate contents should be either used directly or included via include-file:// An LDAP url should also be considered as ldaps and StartTLS are both valid methods of using TLS (see RFC 4513) with StartTLS using a non-ldaps url which, of course, still requires a CA certificate.