DevStack LDAP plugin — Part 1

As promised my second post will be about my first task as an Outreachy intern. The project I am part of is about adding functional tests for a scenario where Keystone, OpenStack Identity Service, is running with LDAP as identity backend. On that scenario LDAP is the backend for one of the domains storing Keystone users.

LDAP stands for Lightweight Directory Access Control, it is a data access protocol to interact with data contained in directory servers.

In order to get familiar with OpenStack, keystone and LDAP, the usual initial step is to use LDAP as identity backend on DevStack. DevStack is a script that creates an OpenStack development environment and it is used to demonstrate interaction with OpenStack services. The only problem was that the LDAP plugin was broken, no one could automatically use an LDAP backend on DevStack. And there it was, my first task.

Fixing the LDAP plugin in DevStack

After lots of research & re-runs of DevStack, it became clear that the main issue was that when using Ubuntu the directory server was not being started. So all of the interactions with the server that were scheduled on the script could not happen and exited execution with an error.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
ldap_modify: No such object (32)
matched DN: cn=config
modifying entry "olcDatabase={1}hdb,cn=config"

+lib/ldap:install_ldap:1 exit_trap
Error on exit

DevStack uses OpenLDAP slapd as directory server, and the LDAP plugin script assumed that slapd was already running on Ubuntu, so it didn’t try to start it again.

function install_ldap {
    printf "installing OpenLDAP"
    if is_ubuntu; then
        # Ubuntu automatically starts LDAP so no need to call start_ldap()

As it turned out that the slapd service was not running and it also needed to be configured. The configuration looks something like this:

sudo debconf-set-selections <<EOF
    slapd slapd/internal/generated_adminpw password <password>
    slapd slapd/internal/adminpw password <password>
    slapd slapd/password2 password <password>
    slapd slapd/password1 password <password>
    slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
    slapd slapd/domain string <keystone_domain>
    slapd shared/organization string <ldap_organization_domain>
    slapd slapd/backend string HDB
    slapd slapd/purge_database boolean true
    slapd slapd/move_old_database boolean true
    slapd slapd/allow_ldap_v2 boolean false
    slapd slapd/no_configuration boolean false
    slapd slapd/dump_database select when needed
    sudo apt-get install -y slapd ldap-utils
    sudo dpkg-reconfigure -f noninteractive slapd

Setting those variables, installing and configuring those services should be enough to get slapd up and running. To check the status of the slapd service execute the following command on the command line.

sudo service slapd status

After configuring the slapd service on Ubuntu the DevStack LDAP plugin was able to access the directory server and add entries to it. This means that by that point there should be an LDAP service and a Keystone service running. The next thing to do is to integrate those two services and have a Keystone domain accessing LDAP to retrieve its user’s information.

A few useful links: