3.1. Integrating Virtuozzo PowerPanel with an LDAP Database

This chapter describes how to integrate the Virtuozzo PowerPanel controller with an existing LDAP directory, using OpenLDAP as the example.

Note

If your LDAP setup differs from this example, more configuration details are available here.

The following prerequisites need to be met prior to LDAP setup:

  1. Virtuozzo PowerPanel must be deployed.

  2. For a remote LDAP server, the controller's firewall must allow connections to the LDAP service (TCP port 389 for ldap://, TCP port 636 for ldaps://). Add the necessary rules rather than disabling the firewall.

To set up LDAP, do the following:

  1. Decide how to map LDAP attributes to Keystone user names and IDs. In this example, user names are stored in the sn attribute and user IDs in the cn attribute, which matches Keystone's defaults (user_name_attribute = sn, user_id_attribute = cn).

  2. In your LDAP database, create the vzapi and admin users.

    1. Find out the IDs and names of users admin and vzapi in the Keystone database on the controller. For example:

      # openstack --os-cloud local user show admin
      <...>
      | id                  | 86921a8ec6a5497895ca07c5d6b738af |
      <...>
      # openstack --os-cloud local user show vzapi
      <...>
      | id                  | d8e4a93d60954c92b4239981c6c40707 |
      <...>
      
    2. Generate password hashes for the users admin and vzapi. For admin, use the controller admin's password; for vzapi, use the password from the [keystone_authtoken] section of /etc/vzapi/vzapi.conf. Note which hash belongs to which user, as they are needed in the next step. For example:

      # slappasswd
      New password: <controller_admin_passwd>
      Re-enter new password: <controller_admin_passwd>
      {SSHA}E2qhe244kX8r+stFOb6mX2bfHYSpygTk
      # slappasswd
      New password: <vzapi_passwd>
      Re-enter new password: <vzapi_passwd>
      {SSHA}wBjzhGnmHl3hT9mZja9GLytOXBU4qHcS
      
    3. Create the file users.ldif with the contents shown further. Specify the IDs of users admin and vzapi in the cn parameters, their password hashes in the userPassword parameters, and your domain name in the dc parameters. Make sure each hash goes with the user whose password produced it: the first hash above (from the controller admin's password) belongs to the admin entry, the second (from the vzapi password) to the vzapi entry. For example:

      dn: cn=d8e4a93d60954c92b4239981c6c40707,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com
      objectClass: person
      cn: d8e4a93d60954c92b4239981c6c40707
      sn: vzapi
      userPassword: {SSHA}wBjzhGnmHl3hT9mZja9GLytOXBU4qHcS
      
      dn: cn=86921a8ec6a5497895ca07c5d6b738af,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com
      objectClass: person
      cn: 86921a8ec6a5497895ca07c5d6b738af
      sn: admin
      userPassword: {SSHA}E2qhe244kX8r+stFOb6mX2bfHYSpygTk
      

      Where <PP_users_OU> is the organizational unit with the list of users that need to be available in Virtuozzo PowerPanel.

    4. Add the entries to the LDAP directory, binding as the directory manager:

      # ldapadd -x -D cn=Manager,dc=ctrl,dc=example,dc=com -W -f users.ldif
      Enter LDAP Password:
      adding new entry "cn=d8e4a93d60954c92b4239981c6c40707,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com"
      adding new entry "cn=86921a8ec6a5497895ca07c5d6b738af,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com"
      
  3. On the controller node, edit /etc/keystone/keystone.conf to match your LDAP setup. You may need to do the following:

    1. Specify the LDAP server and the bind credentials Keystone uses. The bind password is stored in clear text here, so keep keystone.conf readable only by the keystone user, and for anything other than a lab setup use an ldaps:// URL (or set use_tls = true with tls_cacertfile pointing to the CA certificate) so that bind and user credentials do not cross the network in plaintext. For example:

      [ldap]
      url = ldap://<ldap_server_address>
      user = cn=Manager,dc=ctrl,dc=example,dc=com
      password = <ldap_admin_password>
      suffix = dc=ctrl,dc=example,dc=com
      
    2. Specify the organizational unit (OU) in the LDAP directory that holds the users to be managed in Virtuozzo PowerPanel, and the object class of the user entries. With the attribute mapping chosen in step 1, Keystone's default user_id_attribute (cn) and user_name_attribute (sn) need no change. For example:

      [ldap]
      user_tree_dn = ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com
      user_objectclass = person
      
    3. Switch to the LDAP identity driver:

      [identity]
      #driver = sql
      driver = ldap
      
  4. On the controller node, restart the Apache HTTP Server that serves Keystone so the new identity driver takes effect:

    # systemctl restart httpd
    
  5. On the controller node, create a Keystone project for each LDAP user, named after that user:

    # vzapi user sync
    

    This command needs to be run after creating or deleting users. It does not need to be run after editing user attributes or changing their passwords.

    Note

    If MFA is enabled, replace vzapi <cmd> with vzapi --os-cloud local-credential <cmd>. For more details, see Managing Multi-Factor Authentication.

  6. On the controller node, make sure that Keystone sees LDAP users:

    # openstack --os-cloud local user list
    
  7. On the controller node, make sure that a project has been created for each user in step 5:

    # openstack --os-cloud local project list
    

    You should see a list of projects with names that match corresponding user names.
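
The following Python script is an added example, not part of the Virtuozzo PowerPanel documentation or the vzapi tooling. It reproduces what steps 2.2 and 2.3 do by hand: it produces {SSHA} hashes in the format slappasswd emits (base64 of SHA-1(password + salt) followed by the salt), renders users.ldif with Keystone IDs in cn and names in sn, and then audits the file by verifying each entry's hash against the password intended for that user, so a hash pasted under the wrong entry is caught before ldapadd runs. The user IDs are the ones shown above; the passwords, the OU name pp-users and the base DN dc=ctrl,dc=example,dc=com are constructed placeholders.

```python
import base64
import hashlib
import os
from typing import Dict, Optional

# Constructed sample values for this example only: the IDs are the ones shown
# in the openstack user show output above, the passwords are placeholders.
SAMPLE_IDS = {
    "admin": "86921a8ec6a5497895ca07c5d6b738af",
    "vzapi": "d8e4a93d60954c92b4239981c6c40707",
}
SAMPLE_PASSWORDS = {"admin": "controller-admin-secret", "vzapi": "vzapi-secret"}
BASE_DN = "dc=ctrl,dc=example,dc=com"
USERS_OU = "pp-users"  # stands in for <PP_users_OU>


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP {SSHA} hash: base64(sha1(password + salt) + salt).

    This is the scheme slappasswd emits by default, with a 4-byte random salt.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, ssha: str) -> bool:
    """Verify a password against an {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not ssha.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(ssha[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def build_users_ldif(users: Dict[str, Dict[str, str]], users_ou: str, base_dn: str) -> str:
    """Render one LDIF entry per user, Keystone ID in cn and user name in sn.

    users maps a Keystone user name to {"id": <keystone id>, "hash": "{SSHA}..."}.
    """
    entries = []
    for name, info in users.items():
        entries.append("\n".join([
            f"dn: cn={info['id']},ou={users_ou},{base_dn}",
            "objectClass: person",
            f"cn: {info['id']}",
            f"sn: {name}",
            f"userPassword: {info['hash']}",
        ]))
    return "\n\n".join(entries) + "\n"


def parse_ldif_passwords(ldif: str) -> Dict[str, str]:
    """Return {sn: userPassword} for every entry of a simple single-line-attribute LDIF."""
    result = {}
    for block in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        result[attrs["sn"]] = attrs["userPassword"]
    return result


def audit_ldif(ldif: str, expected_passwords: Dict[str, str]) -> Dict[str, bool]:
    """For each user name, check that its entry's hash verifies the password meant for it.

    A hash placed under the wrong entry (admin's hash on the vzapi user, or the
    reverse) shows up as False here, before the file is loaded with ldapadd.
    """
    found = parse_ldif_passwords(ldif)
    return {
        name: name in found and check_ssha(pw, found[name])
        for name, pw in expected_passwords.items()
    }


def generate_users_ldif(passwords: Dict[str, str] = SAMPLE_PASSWORDS,
                        ids: Dict[str, str] = SAMPLE_IDS,
                        users_ou: str = USERS_OU, base_dn: str = BASE_DN) -> str:
    """Hash each password and emit the users.ldif of step 2.3."""
    users = {name: {"id": ids[name], "hash": make_ssha(pw)} for name, pw in passwords.items()}
    return build_users_ldif(users, users_ou, base_dn)


if __name__ == "__main__":
    ldif = generate_users_ldif()
    print(ldif)
    print(audit_ldif(ldif, SAMPLE_PASSWORDS))  # {'admin': True, 'vzapi': True}
```

For a real deployment, pass the actual passwords from step 2.2 and the OU from step 2.3, write the output to users.ldif and load it with ldapadd as in step 2.4. {SSHA} is SHA-1 with a short salt, which is the OpenLDAP default that slappasswd produces; if the directory is the authoritative password store, a slapd with the pw-sha2 or pw-argon2 module loaded can store {SSHA512} or {ARGON2} instead, which slappasswd selects with its -h option.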