keystone ldap #80

Supports: xenial bionic eoan focal trusty groovy
Add to new model


Keystone v3 deployments support the use of domain specific identity drivers, allowing different types of authentication backend to be deployed in a single Keystone deployment. . This charm supports use of LDAP or Active Directory domain backends, with configuration details provided by charm configuration options.


This subordinate charm provides a LDAP domain backend for integrating a Keystone v3 deployment with an external LDAP based authentication system.


Use this charm with the Keystone charm, running with preferred-api-version=3:

juju deploy keystone
juju config keystone preferred-api-version=3
juju deploy keystone-ldap
juju add-relation keystone-ldap keystone

Configuration Options

LDAP configuration is provided to this charm via configuration options:

juju config keystone-ldap ldap-server="ldap://" \
            ldap-user="cn=admin,dc=test,dc=com" \
            ldap-password="password" \

By default, the name of the application ('keystone-ldap') is the name of the domain for which a domain specific configuration will be configured; you can change this using the domain-name option:

juju config keystone-ldap domain-name="myorganisationname"

The keystone charm will automatically create a domain to support the backend once deployed.

LDAP configurations can be quite complex. The ldap-config-flags configuration option provides the mechanism to pass arbitrary configuration options to keystone in order to handle any given LDAP backend's specific requirements.

For very simple LDAP configurations a string of comma delimited key=value pairs can be used:

juju config keystone-ldap \

For more complex configurations such as working with Active Directory use a configuration yaml file.

juju config keystone-ldap --file flags-config.yaml

Where flags-config.yaml has the contents similar to the following. The ldap-config-flags value uses a json like string for the key value pairs:

keystone-ldap: ldap-config-flags: "{ user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', user_filter: '(memberOf=CN=users-cn,OU=Groups,DC=dc1,DC=ad,DC=example,DC=com)', query_scope: sub, user_objectclass: person, user_name_attribute: sAMAccountName, user_id_attribute: sAMAccountName, user_mail_attribute: mail, user_enabled_attribute: userAccountControl, user_enabled_mask: 2, user_enabled_default: 512, user_attribute_ignore: 'password,tenant_id,tenants', user_allow_create: False, user_allow_update: False, user_allow_delete: False, }"

Note: The double quotes and braces around the whole string. And single quotes around the individual complex values.

Please refer to the OpenStack docs at Keystone and LDAP integration page for more information on how to set up the config options and at Keystone LDAP config options reference for more information on their default values.


Please report bugs on Launchpad.

For general questions please refer to the OpenStack Charm Guide.


(string) Name of the keystone domain to configure; defaults to the deployed application name.
(string) Additional LDAP configuration options. For simple configurations use a comma separated string of key=value pairs. "user_allow_create=False, user_allow_update=False, user_allow_delete=False" For more complex configurations use a json like string with double quotes and braces around all the options and single quotes around complex values. "{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com', user_allow_create: False, user_allow_delete: False}" See the README for more details. Note: The explicitly defined ldap-* charm config options take precedence over the same LDAP config option also specified in ldap-config-flags. For example, if the LDAP config query_scope is defined in ldap-query-scope as 'one' and in ldap-config-flags as "{query_scope: 'sub'}" then the config query_scope is set to 'one'.
(string) This option sets the LDAP attribute mapped to group IDs in keystone.
(string) This option sets the LDAP attribute that indicates user is a member of the group.
(boolean) Enable this option if the members of group object class are keystone user IDs rather than LDAP DNs.
(string) This option sets the LDAP attribute mapped to group names in keystone.
(string) This option sets the LDAP object class for groups.
(string) This option sets the search base to use for the groups.
(string) Password of the LDAP identity server.
(int) The connection timeout to use when pooling LDAP connections. A value of -1 means the connection will never timeout.
(int) This option allows to set the maximum number of retry attempts to connect to LDAP server before aborting.
(int) This option sets the size of LDAP connection pool.
(string) This option controls the scope level of data presented through LDAP.
(boolean) LDAP identity server backend readonly to keystone.
(string) LDAP server URL for keystone LDAP identity backend. Examples: ldap:// ldaps:// ldap://,ldaps:// Usage of ldap:// urls with tls_ca_ldap option specified or certificates relation presence will result in mandatory StartTLS usage.
(string) LDAP server suffix to be used by keystone.
(boolean) This option enables LDAP connection pooling.
(string) Username (Distinguished Name) used to bind to LDAP identity server. . Example: cn=admin,dc=test,dc=com
(string) This option sets the LDAP attribute mapped to the user enabled attribute in keystone.
(string) The default value to enable users. The LDAP servers can use boolean or bit in the user enabled attribute to indicate if a user is enabled or disabled. If boolean is used by the ldap schema, then the appropriate value for this option is 'True' or 'False'. If bit is used by the ldap schema, this option should match an appropriate integer value based on ldap-user-enabled-mask. Please note the integer value should be specified as a string in quotes. This option is typically used when ldap-user-enabled-attribute is set to 'userAccountControl'. Example: Configuration options to use for ldap schema with userAccountControl as control attribute, uses bit 1 in control attribute to indicate enablement. ldap-user-enabled-attribute = "userAccountControl" ldap-user-enabled-mask = 2 ldap-user-enabled-default = "512" ldap-user-enabled-default should be set to integer value that represents a user being enabled. For Active Directory, 512 represents Normal Account. For more information on how to set up those config options, please refer to the OpenStack docs on Keystone and LDAP integration at
(boolean) If enabled, keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the group defined by the ldap-user-enabled_emulation-dn option.
(string) DN of the group entry to hold enabled users when using enabled emulation. Setting this option has no effect when ldap-user-enabled-emulation is False.
(boolean) Setting this option to True allows LDAP servers to use lock attributes. This option has no effect when ldap-user-enabled-mask or ldap-user-enabled-emulation are in use.
(int) Bitmask integer to select which bit indicates the enabled value if the LDAP server represents enabled as a bit on an integer rather than as a discrete boolean. If the option is set to 0, the mask is not used. This option is typically used when ldap-user-enabled-attribute is set to 'userAccessControl'.
(string) This option sets the LDAP search filter to use for the users.
(string) This option sets the LDAP attribute mapped to User IDs in keystone.
(string) This option sets the LDAP attribute mapped to User names in keystone.
(string) This option sets the LDAP object class for users.
(string) This option sets the search base to use for the users.
(string) This option controls which certificate (or a chain) will be used to connect to an ldap server(s) over TLS. Certificate contents should be either used directly or included via include-file:// An LDAP url should also be considered as ldaps and StartTLS are both valid methods of using TLS (see RFC 4513) with StartTLS using a non-ldaps url which, of course, still requires a CA certificate.