DevStack LDAP plugin — Part 1
As promised, my second post is about my first task as an Outreachy intern. The project I am part of is about adding functional tests for a scenario where Keystone, the OpenStack Identity service, is running with LDAP as its identity backend. In that scenario, LDAP is the backend for one of the domains storing Keystone users.
LDAP stands for Lightweight Directory Access Protocol. It is a data access protocol for interacting with data held in directory servers.
In order to get familiar with OpenStack, Keystone and LDAP, the usual initial step is to use LDAP as the identity backend on DevStack. DevStack is a script that creates an OpenStack development environment, and it is used to demonstrate interaction with OpenStack services. The only problem was that the LDAP plugin was broken: no one could automatically use an LDAP backend on DevStack. And there it was, my first task.
Fixing the LDAP plugin in DevStack
After lots of research and re-runs of DevStack, it became clear that the main issue was that, on Ubuntu, the directory server was not being started. So none of the interactions with the server that were scheduled in the script could happen, and execution exited with an error:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: No such object (32)
matched DN: cn=config
modifying entry "olcDatabase={1}hdb,cn=config"
+lib/ldap:install_ldap:1 exit_trap
Error on exit
DevStack uses OpenLDAP slapd as its directory server, and the LDAP plugin script assumed that slapd was already running on Ubuntu, so it didn't try to start it again.
function install_ldap {
    ...
    printf "installing OpenLDAP"
    if is_ubuntu; then
        # Ubuntu automatically starts LDAP so no need to call start_ldap()
        :
    ...
}
As it turned out, the slapd service was not running, and it also needed to be configured. The configuration looks something like this:
sudo debconf-set-selections <<EOF
slapd slapd/internal/generated_adminpw password <password>
slapd slapd/internal/adminpw password <password>
slapd slapd/password2 password <password>
slapd slapd/password1 password <password>
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
slapd slapd/domain string <keystone_domain>
slapd shared/organization string <ldap_organization_domain>
slapd slapd/backend string HDB
slapd slapd/purge_database boolean true
slapd slapd/move_old_database boolean true
slapd slapd/allow_ldap_v2 boolean false
slapd slapd/no_configuration boolean false
slapd slapd/dump_database select when needed
EOF
sudo apt-get install -y slapd ldap-utils
sudo dpkg-reconfigure -f noninteractive slapd
Setting those variables, installing and configuring those services should be enough to get slapd up and running. To check the status of the slapd service, execute the following command on the command line:
sudo service slapd status
After configuring the slapd service on Ubuntu, the DevStack LDAP plugin was able to access the directory server and add entries to it. This means that by that point there should be an LDAP service and a Keystone service running. The next thing to do is to integrate those two services and have a Keystone domain access LDAP to retrieve its users' information.
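A readiness check that goes one step beyond the service status, added here as an example and not part of the original post or of DevStack: it confirms that slapd answers on its local socket and that the backend database entry about to be modified exists, which is the condition behind the "No such object (32)" error above. The function names and the sample LDIF are constructed for illustration; the real query assumes a running slapd and root access.

```bash
#!/usr/bin/env bash
# Added example, not DevStack code; function names are hypothetical.

# Constructed sample of the query output on a configured server.
SAMPLE_LDIF='dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config
'

# Read LDIF on stdin and print the DN of the first olcDatabase entry
# of the given backend type (e.g. hdb). Returns 1 if there is none.
find_backend_dn() {
    while IFS= read -r line; do
        case $line in
            "dn: olcDatabase={"*"}$1,cn=config")
                printf '%s\n' "${line#dn: }"
                return 0 ;;
        esac
    done
    return 1
}

# Ask the running slapd for its databases over the local ldapi://
# socket, using the SASL/EXTERNAL path seen in the error log.
list_config_databases() {
    sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// \
        -b cn=config -s one '(olcDatabase=*)' dn
}

# Fail early with a readable message: 2 if slapd does not answer,
# 1 if the backend database to be modified was never created.
require_backend() {
    if ! ldif=$(list_config_databases 2>/dev/null); then
        echo "slapd is not answering on ldapi:///" >&2
        return 2
    fi
    if ! dn=$(printf '%s\n' "$ldif" | find_backend_dn "$1"); then
        echo "no $1 database under cn=config" >&2
        return 1
    fi
    printf '%s\n' "$dn"
}

# Offline demo on the constructed sample:
printf '%s' "$SAMPLE_LDIF" | find_backend_dn hdb
```

Calling `require_backend hdb` before the `ldapmodify` step would stop the run with a clear message instead of the bare exit trap.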
