keystone ldap #0

Supports: xenial bionic disco eoan trusty


Keystone v3 deployments support the use of domain specific identity drivers, allowing different types of authentication backend to be deployed in a single Keystone deployment. . This charm supports use of LDAP or Active Directory domain backends, with configuration details provided by charm configuration options.


This subordinate charm provides a LDAP domain backend for integrating a Keystone v3 deployment with an external LDAP based authentication system.


Use this charm with the Keystone charm, running with preferred-api-version=3:

juju deploy keystone
juju config keystone preferred-api-version=3
juju deploy keystone-ldap
juju add-relation keystone-ldap keystone

Configuration Options

LDAP configuration is provided to this charm via configuration options:

juju config keystone-ldap ldap-server="ldap://" \
            ldap-user="cn=admin,dc=test,dc=com" \
            ldap-password="password" \

By default, the name of the application ('keystone-ldap') is the name of the domain for which a domain specific configuration will be configured; you can change this using the domain-name option:

juju config keystone-ldap domain-name="myorganisationname"

The keystone charm will automatically create a domain to support the backend once deployed.

LDAP configurations can be quite complex. The ldap-config-flags configuration option provides the mechanism to pass arbitrary configuration options to keystone in order to handle any given LDAP backend's specific requirements.

For very simple LDAP configurations a string of comma delimited key=value pairs can be used:

juju config keystone-ldap \

For more complex configurations such as working with Active Directory use a configuration yaml file.

juju config keystone-ldap --file flags-config.yaml

Where flags-config.yaml has the contents similar to the following. The ldap-config-flags value uses a json like string for the key value pairs:

keystone-ldap: ldap-config-flags: "{ user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', user_filter: '(memberOf=CN=users-cn,OU=Groups,DC=dc1,DC=ad,DC=example,DC=com)', query_scope: sub, user_objectclass: person, user_name_attribute: sAMAccountName, user_id_attribute: sAMAccountName, user_mail_attribute: mail, user_enabled_attribute: userAccountControl, user_enabled_mask: 2, user_enabled_default: 512, user_attribute_ignore: 'password,tenant_id,tenants', user_allow_create: False, user_allow_update: False, user_allow_delete: False, }"

Note: The double quotes and braces around the whole string. And single quotes around the individual complex values.


Please report bugs on Launchpad.

For general questions please refer to the OpenStack Charm Guide.


(boolean) Enable debug logging
(string) Name of the keystone domain to configure; defaults to the deployed application name.
(boolean) This option controls whether kerberos authentication mechanis is enabled or not.
(string) Additional LDAP configuration options. For simple configurations use a comma separated string of key=value pairs. "user_allow_create=False, user_allow_update=False, user_allow_delete=False" For more complex configurations use a json like string with double quotes and braces around all the options and single quotes around complex values. "{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', user_allow_create: False, user_allow_delete: False}" See the README for more details.
(string) Password of the LDAP identity server.
(boolean) LDAP identity server backend readonly to keystone.
(string) LDAP server URL for keystone LDAP identity backend. Examples: ldap:// ldaps:// ldap://,ldaps:// Usage of ldap:// urls with tls_ca_ldap option specified or certificates relation presence will result in mandatory StartTLS usage.
(string) LDAP server suffix to be used by keystone.
(string) Username (Distinguished Name) used to bind to LDAP identity server. . Example: cn=admin,dc=test,dc=com
(string) TLS CA to use to communicate with other components in a deployment. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
(string) TLS certificate to install and use for any listening services. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
(string) TLS key to use with certificate specified as ``ssl_cert``. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.
(string) This option controls which certificate (or a chain) will be used to connect to an ldap server(s) over TLS. Certificate contents should be either used directly or included via include-file:// An LDAP url should also be considered as ldaps and StartTLS are both valid methods of using TLS (see RFC 4513) with StartTLS using a non-ldaps url which, of course, still requires a CA certificate.
(boolean) Openstack mostly defaults to using public endpoints for internal communication between services. If set to True this option will configure services to use internal endpoints where possible.
(boolean) Setting this to True will allow supporting services to log to syslog.
(boolean) Enable verbose logging