3.1. Integrating Virtuozzo PowerPanel with an LDAP Database

This chapter describes how to integrate the Virtuozzo PowerPanel controller with an existing LDAP database, using OpenLDAP as the example.

Note
If your LDAP setup differs from this example, more configuration details are available here.

The following prerequisites need to be met prior to LDAP setup:

- Virtuozzo PowerPanel must be deployed.
- For remote LDAP, the firewall must be disabled or the necessary rules must be added.
To set up LDAP, do the following:

1. Decide how to map LDAP attributes to Keystone user names and IDs. For example, assign names to the sn attributes and IDs to the cn attributes.

2. In your LDAP database, create the vzapi and admin users.

3. Find out the IDs and names of the users admin and vzapi in the Keystone database on the controller. For example:

       # openstack --os-cloud local user show admin
       <...>
       | id | 86921a8ec6a5497895ca07c5d6b738af |
       <...>
       # openstack --os-cloud local user show vzapi
       <...>
       | id | d8e4a93d60954c92b4239981c6c40707 |
       <...>

4. Generate password hashes for the users admin and vzapi. For admin, use the controller admin's password. For vzapi, use the password from the [keystone_authtoken] section of /etc/vzapi/vzapi.conf. For example:

       # slappasswd
       New password: <controller_admin_passwd>
       Re-enter new password: <controller_admin_passwd>
       {SSHA}E2qhe244kX8r+stFOb6mX2bfHYSpygTk
       # slappasswd
       New password: <vzapi_passwd>
       Re-enter new password: <vzapi_passwd>
       {SSHA}wBjzhGnmHl3hT9mZja9GLytOXBU4qHcS

5. Create the file users.ldif with the contents shown below. Specify the IDs of the users admin and vzapi in the cn attributes, their password hashes in the userPassword attributes, and your domain name in the dc attributes. For example:

       dn: cn=d8e4a93d60954c92b4239981c6c40707,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com
       objectClass: person
       cn: d8e4a93d60954c92b4239981c6c40707
       sn: vzapi
       userPassword: {SSHA}wBjzhGnmHl3hT9mZja9GLytOXBU4qHcS

       dn: cn=86921a8ec6a5497895ca07c5d6b738af,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com
       objectClass: person
       cn: 86921a8ec6a5497895ca07c5d6b738af
       sn: admin
       userPassword: {SSHA}E2qhe244kX8r+stFOb6mX2bfHYSpygTk

   Here <PP_users_OU> is the organizational unit with the list of users that need to be available in Virtuozzo PowerPanel. Each entry's userPassword must be the hash generated from that user's own password in step 4: vzapi gets the hash of <vzapi_passwd>, admin the hash of <controller_admin_passwd>.

6. Add the corresponding entries to the LDAP database:

       # ldapadd -x -D cn=Manager,dc=ctrl,dc=example,dc=com -W -f users.ldif
       Enter LDAP Password:
       adding new entry "cn=d8e4a93d60954c92b4239981c6c40707,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com"
       adding new entry "cn=86921a8ec6a5497895ca07c5d6b738af,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com"

7. On the controller node, edit /etc/keystone/keystone.conf according to your needs. You may need to do the following:

   - Specify the LDAP server information. For example:

         [ldap]
         url = ldap://<ldap_server_address>
         user = cn=Manager,dc=ctrl,dc=example,dc=com
         password = <ldap_admin_password>
         suffix = dc=ctrl,dc=example,dc=com

   - Specify the organizational unit (OU) in the LDAP directory that holds the users to be managed in Virtuozzo PowerPanel. For example:

         [ldap]
         user_tree_dn = ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com
         user_objectclass = person

   - Switch to the LDAP identity driver:

         [identity]
         #driver = sql
         driver = ldap

8. On the controller node, restart the Apache HTTP Server:

       # systemctl restart httpd

9. On the controller node, create Keystone projects with names that match the corresponding user names:

       # vzapi user sync

   This command needs to be run after creating or deleting users. It does not need to be run after editing user attributes or changing their passwords.

   Note
   If MFA is enabled, replace vzapi <cmd> with vzapi --os-cloud local-credential <cmd>. For more details, see Managing Multi-Factor Authentication.

10. On the controller node, make sure that Keystone sees the LDAP users:

        # openstack --os-cloud local user list

11. On the controller node, make sure that a project has been created for each user in step 9:

        # openstack --os-cloud local project list

    You should see a list of projects with names that match the corresponding user names.
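As an added example that is not part of the Virtuozzo documentation, the following Python script builds users.ldif from the Keystone IDs shown in step 3, hashes each password with the same {SSHA} scheme slappasswd produces, and verifies every entry's hash against the password expected for that user, which catches a hash pasted under the wrong entry before ldapadd is run. The OU name ou=pp_users, the passwords and the fixed salt are constructed placeholders.

```python
import base64
import hashlib
import os
import re
# Constructed placeholders for this example: the two Keystone IDs are the
# ones shown in step 3 of this page; the OU name and passwords are made up.
BASE_DN = "dc=ctrl,dc=example,dc=com"
USERS_OU = "ou=pp_users"  # stands in for <PP_users_OU>
KEYSTONE_ID = re.compile(r"^[0-9a-f]{32}$")

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """{SSHA} as slappasswd makes it: base64(SHA-1(pw + salt) + salt), 4-byte salt."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against an {SSHA} value taken from an LDIF file."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def ldif_entry(keystone_id: str, name: str, password_hash: str) -> str:
    """One person entry: cn carries the Keystone user ID, sn the user name."""
    if not KEYSTONE_ID.match(keystone_id):
        raise ValueError(f"{keystone_id!r} is not a Keystone user ID")
    return "\n".join([
        f"dn: cn={keystone_id},{USERS_OU},{BASE_DN}",
        "objectClass: person",
        f"cn: {keystone_id}",
        f"sn: {name}",
        f"userPassword: {password_hash}",
    ])

def build_users_ldif(users: dict) -> str:
    """users maps user name -> (keystone_id, password); returns users.ldif text."""
    entries = [ldif_entry(uid, name, ssha_hash(pw)) for name, (uid, pw) in users.items()]
    return "\n\n".join(entries) + "\n"

def check_ldif(ldif_text: str, passwords: dict) -> list:
    """Names (sn) whose userPassword does not verify against that user's expected password."""
    bad = []
    for block in ldif_text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines())
        if not ssha_verify(attrs["userPassword"], passwords[attrs["sn"]]):
            bad.append(attrs["sn"])
    return bad
```

Run check_ldif on the finished users.ldif with the two passwords from step 4; any name it returns has been given the other user's hash.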