openstack/openstack-manuals
Code Issues Proposed changes

Document LDAP-keystone hardening

Browse Source 
Added instructions on how to secure the connection between the
keystone host and LDAP server. This patch also includes some edits to
the instructions for setting up Assignments, among them is
splitting it off to a different XML file (for easier management).

Change-Id: I63c19bc034d52efd9e7235c14cd3f0d78d5ae275
Closes-Bug: #1290605
This commit is contained in:
Don Domingo 2014-03-17 12:24:36 +10:00
parent fc5ea3a529
commit a3165ca60c
3 changed files with 146 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
doc/common/section_keystone_config_ldap-assignments.xml Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="configuring-keystone-for-ldap-backend-assignments">
<title>Separate role authorization and user authentication</title>
<para>When you configure the Identity service to use an LDAP back
end, you can split authentication and authorization using the
<emphasis>Assignments</emphasis> feature.</para>
<para>The Assignments feature enables administrators to manage
project role authorization using the Identity service's own SQL
database, while still providing user authentication through the
LDAP directory.</para>
<para>To configure this:</para>
<procedure>
<title>Separating role authorization and user authentication
through Assignments</title>
<step>
<para>Configure the Identity service to authenticate users
through the LDAP driver. To do so, first find the
<literal>[identity]</literal> section in the
<filename>/etc/keystone/keystone.conf</filename> configuration
file. Then, set the <literal>driver</literal> configuration
key in that section to
<literal>keystone.identity.backends.ldap.Identity</literal>:
</para>
<programlisting>[identity]
driver = keystone.identity.backends.ldap.Identity</programlisting>
</step>
<step><para>Next, enable the Assignment driver. To do so, find the
<literal>[assignment]</literal> section in the
<filename>/etc/keystone/keystone.conf</filename> configuration
file. Then, set the <literal>driver</literal> configuration key in
that section to
<literal>keystone.assignment.backends.sql.Assignment</literal>:
</para>
<programlisting>[assignment]
driver = keystone.assignment.backends.sql.Assignment</programlisting>
</step>
</procedure>
<para os="rhel;centos;fedora;opensuse;sles">On
distributions that include
<application>openstack-config</application>, you can
configure both drivers by running the following commands instead:
</para>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
identity driver keystone.identity.backends.ldap.Identity</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
assignment driver keystone.assignment.backends.sql.Assignment</userinput></screen>
</section>

94
doc/common/section_keystone_config_ldap-hardening.xml Normal file
View File

@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="configuring-keystone-for-ldap-backend-harden">
<title>Secure the OpenStack Identity service connection to an
LDAP back end</title>
<para>The Identity service supports the use of TLS to encrypt LDAP
traffic. Before configuring this, you must first verify where your
certificate authority file is located. For more information, see
<xref linkend="certificates-for-pki"/>.</para>
<para>Once you verify the location of your certificate authority
file:</para>
<procedure>
<title>Configuring TLS encryption on LDAP traffic</title>
<step>
<para>Open the
<filename>/etc/keystone/keystone.conf</filename> configuration
file.
</para>
</step>
<step>
<para>Find the <literal>[ldap]</literal> section.</para>
</step>
<step>
<para>In the <literal>[ldap]</literal> section, set the
<literal>use_tls</literal> configuration key to
<literal>True</literal>. Doing so will enable TLS.</para>
</step>
<step>
<para>Configure the Identity service to use your certificate
authorities file. To do so, set the
<literal>tls_cacertfile</literal> configuration key in the
<literal>ldap</literal> section to the certificate authorities
file's path.
</para>
<note><para>You can also set the <literal>tls_cacertdir</literal>
(also in the <literal>ldap</literal> section) to the directory
where all certificate authorities files are kept. If both
<literal>tls_cacertfile</literal> and
<literal>tls_cacertdir</literal> are set, then the latter will
be ignored.
</para></note>
</step>
<step>
<para>Specify what client certificate checks to perform on
incoming TLS sessions from the LDAP server. To do so, set the
<literal>tls_req_cert</literal> configuration key in the
<literal>[ldap]</literal> section to <literal>demand</literal>,
<literal>allow</literal>, or <literal>never</literal>:
</para>
<itemizedlist>
<listitem><para><parameter>demand</parameter>: a
certificate will always be requested from the LDAP server.
The session will be terminated if no certificate is
provided, or if the certificate provided cannot be
verified against the existing certificate authorities
file.
</para></listitem>
<listitem><para><parameter>allow</parameter>: a
certificate will always be requested from the LDAP server.
The session will proceed as normal even if a certificate
is not provided. If a certificate is provided but it
cannot be verified against the existing certificate
authorities file, the certificate will be ignored and the
session will proceed as normal.</para></listitem>
<listitem><para><parameter>never</parameter>: a
certificate will never be requested.</para></listitem>
</itemizedlist>
</step>
</procedure>
<para os="rhel;centos;fedora;opensuse;sles">On distributions that
include <application>openstack-config</application>, you can
configure TLS encryption on LDAP traffic by running the following
commands instead:
</para>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack --config --set /etc/keystone/keystone.conf \
ldap use_tls True</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
ldap tls_cacertfile <replaceable>CA_FILE</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
ldap tls_req_cert <replaceable>CERT_BEHAVIOR</replaceable></userinput></screen>
<para>Where:</para>
<itemizedlist>
<listitem><para><replaceable>CA_FILE</replaceable>
is the absolute path to the certificate authorities file that
should be used to encrypt LDAP traffic.</para></listitem>
<listitem><para><replaceable>CERT_BEHAVIOR</replaceable>:
specifies what client certificate checks to perform on an
incoming TLS session from the LDAP server
(<literal>demand</literal>, <literal>allow</literal>, or
<literal>never</literal>).</para></listitem>
</itemizedlist>
</section>

20
doc/common/section_keystone_config_ldap.xml
View File

@ -129,22 +129,6 @@ role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =</programlisting>
<simplesect>
<title>Assignment</title>
<para>The Assignment feature allows a combination of LDAP and SQL
for Identity Service authentication and authorization.
Consequently, the LDAP directory authenticates users and the
Identity Service SQL back end authorizes their access to projects
and roles.</para>
<para>Enable the Assignment driver in the
<filename>keystone.conf</filename> file alongside the LDAP
driver:</para>
<para>
<programlisting language="ini">[identity]
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment</programlisting>
</para>
</simplesect>
<xi:include href="section_keystone_config_ldap-assignments.xml"/>
<xi:include href="section_keystone_config_ldap-hardening.xml"/>
</section>