Integrating Virtuozzo PowerPanel with an LDAP Database
This chapter describes how to integrate the Virtuozzo PowerPanel controller with an existing LDAP database, using OpenLDAP as the example.
The following prerequisites need to be met prior to LDAP setup:
- Virtuozzo PowerPanel must be deployed.
- For a remote LDAP server, the controller must be able to reach it: either disable the firewall or, preferably, add rules that allow the LDAP port (389, or 636 for LDAPS) from the controller only.
To set up LDAP, do the following:

1. Decide how to map LDAP attributes to Keystone user names and IDs. In this example, user names are stored in the sn attribute and user IDs in the cn attribute (this is also the default mapping of the Keystone LDAP driver).

2. In your LDAP database, create the vzapi and admin users:

   a. Find out the IDs and names of the users admin and vzapi in the Keystone database on the controller. For example:

      ```
      # openstack --os-cloud local user show admin
      <...>
      | id | 86921a8ec6a5497895ca07c5d6b738af |
      <...>
      # openstack --os-cloud local user show vzapi
      <...>
      | id | d8e4a93d60954c92b4239981c6c40707 |
      <...>
      ```

   b. Generate password hashes for the users admin and vzapi. For admin, use the controller admin's password. For vzapi, use the password from the [keystone_authtoken] section of /etc/vzapi/vzapi.conf. For example:

      ```
      # slappasswd
      New password: <controller_admin_passwd>
      Re-enter new password: <controller_admin_passwd>
      {SSHA}E2qhe244kX8r+stFOb6mX2bfHYSpygTk
      # slappasswd
      New password: <vzapi_passwd>
      Re-enter new password: <vzapi_passwd>
      {SSHA}wBjzhGnmHl3hT9mZja9GLytOXBU4qHcS
      ```

      Keep track of which hash belongs to which user: the first one above is for admin, the second for vzapi.

   c. Create the file users.ldif with the contents shown below. Specify the IDs of the users admin and vzapi in the cn attributes, their user names in the sn attributes, their password hashes in the userPassword attributes, and your domain name in the dc components. For example:

      ```
      dn: cn=d8e4a93d60954c92b4239981c6c40707,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com
      objectClass: person
      cn: d8e4a93d60954c92b4239981c6c40707
      sn: vzapi
      userPassword: {SSHA}wBjzhGnmHl3hT9mZja9GLytOXBU4qHcS

      dn: cn=86921a8ec6a5497895ca07c5d6b738af,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com
      objectClass: person
      cn: 86921a8ec6a5497895ca07c5d6b738af
      sn: admin
      userPassword: {SSHA}E2qhe244kX8r+stFOb6mX2bfHYSpygTk
      ```

      Where <PP_users_OU> is the organizational unit that holds the users to be made available in Virtuozzo PowerPanel. The OU entry itself must already exist in the directory; ldapadd refuses to add an entry whose parent does not exist.

   d. Add the entries to the LDAP database:

      ```
      # ldapadd -x -D cn=Manager,dc=ctrl,dc=example,dc=com -W -f users.ldif
      Enter LDAP Password:
      adding new entry "cn=d8e4a93d60954c92b4239981c6c40707,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com"
      adding new entry "cn=86921a8ec6a5497895ca07c5d6b738af,ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com"
      ```
3. On the controller node, edit /etc/keystone/keystone.conf according to your needs. You may need to do the following:

   - Specify the LDAP server information. For example:

     ```
     [ldap]
     url = ldap://<ldap_server_address>
     user = cn=Manager,dc=ctrl,dc=example,dc=com
     password = <ldap_admin_password>
     suffix = dc=ctrl,dc=example,dc=com
     ```

     Note that a plain ldap:// URL sends the bind password and every user's credentials in clear text over the network; for a remote LDAP server, use an ldaps:// URL (or enable TLS in the [ldap] section). Keystone only reads from the directory in this setup, so a dedicated read-only bind account in place of cn=Manager is sufficient and limits the damage if the password leaks. In either case, restrict read access to keystone.conf, since it now stores a directory password.

   - Specify the organizational unit (OU) in the LDAP directory that contains the users to be managed in Virtuozzo PowerPanel. For example:

     ```
     [ldap]
     user_tree_dn = ou=<PP_users_OU>,dc=ctrl,dc=example,dc=com
     user_objectclass = person
     ```

     If in step 1 you chose an attribute mapping other than cn for IDs and sn for names, also set user_id_attribute and user_name_attribute accordingly; cn and sn are the driver's defaults.

   - Switch to the LDAP identity driver:

     ```
     [identity]
     #driver = sql
     driver = ldap
     ```
4. On the controller node, restart the Apache HTTP Server:

   ```
   # systemctl restart httpd
   ```

5. On the controller node, create Keystone projects with names that match the corresponding user names:

   ```
   # vzapi user sync
   ```

   This command needs to be run after creating or deleting users. It does not need to be run after editing user attributes or changing their passwords.

   If MFA is enabled, replace vzapi <cmd> with vzapi --os-cloud local-credential <cmd>. For more details, see Managing Multi-Factor Authentication.

6. On the controller node, make sure that Keystone sees the LDAP users:

   ```
   # openstack --os-cloud local user list
   ```

7. On the controller node, make sure that a project has been created for each user in step 5:

   ```
   # openstack --os-cloud local project list
   ```

   You should see a list of projects with names that match the corresponding user names.
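The following script is an added example and is not part of Virtuozzo PowerPanel or OpenLDAP. It automates the error-prone parts of steps 2 and 7 above: it produces {SSHA} hashes in the same format as slappasswd (base64 of SHA-1(password || salt) followed by the 4-byte salt), verifies each hash against the password it is supposed to encode before the LDIF is written (so the admin and vzapi hashes cannot be pasted into the wrong entries), generates users.ldif with the cn = ID, sn = name mapping chosen in step 1, and reports users that have no project of the same name after `vzapi user sync`. The user IDs are taken from the page's example output; the passwords, OU name and the extra user "alice" are constructed sample data.

```python
#!/usr/bin/env python3
"""Helpers for the LDAP-backed Keystone setup above (added example, not vendor code)."""
import base64
import hashlib
import hmac
import os

# Constructed sample data. IDs use the 32-hex format Keystone shows in
# `openstack user show`; passwords are placeholders, not real credentials.
SAMPLE_USERS = {
    "admin": "86921a8ec6a5497895ca07c5d6b738af",
    "vzapi": "d8e4a93d60954c92b4239981c6c40707",
}
SAMPLE_PASSWORDS = {"admin": "controller-admin-pw", "vzapi": "vzapi-pw"}
BASE_DN = "dc=ctrl,dc=example,dc=com"
USERS_OU = "pp_users"  # stands in for <PP_users_OU> (assumed name)


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """{SSHA} value in the format slappasswd emits: base64(sha1(pw||salt)||salt)."""
    if not salt:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_decode(hashed: str):
    """Split a {SSHA} value into (20-byte SHA-1 digest, salt)."""
    if not hashed.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(hashed[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(password: str, hashed: str) -> bool:
    """Recompute the digest with the stored salt; constant-time compare."""
    digest, salt = ssha_decode(hashed)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def hash_passwords(passwords: dict) -> dict:
    """name -> {SSHA} hash, one fresh salt per user."""
    return {name: ssha_hash(pw) for name, pw in passwords.items()}


def wrong_hashes(passwords: dict, hashes: dict) -> list:
    """Names whose stored hash does not verify against the intended password.
    Catches swapped slappasswd outputs before they reach the directory."""
    return sorted(n for n, pw in passwords.items() if not ssha_verify(pw, hashes[n]))


def ldif_entry(user_id: str, user_name: str, ssha: str,
               ou: str = USERS_OU, base_dn: str = BASE_DN) -> str:
    """One LDIF entry with the step-1 mapping: cn = Keystone ID, sn = user name."""
    return "\n".join([
        f"dn: cn={user_id},ou={ou},{base_dn}",
        "objectClass: person",
        f"cn: {user_id}",
        f"sn: {user_name}",
        f"userPassword: {ssha}",
    ]) + "\n"


def build_users_ldif(users: dict, passwords: dict, hashes: dict,
                     ou: str = USERS_OU, base_dn: str = BASE_DN) -> str:
    """users.ldif content; refuses to emit entries whose hash is wrong."""
    bad = wrong_hashes(passwords, hashes)
    if bad:
        raise ValueError("hash/password mismatch for: " + ", ".join(bad))
    return "\n".join(ldif_entry(users[n], n, hashes[n], ou, base_dn) for n in sorted(users))


def missing_projects(user_names, project_names) -> list:
    """Users with no same-named project, i.e. what step 7 checks by eye."""
    return sorted(set(user_names) - set(project_names))


if __name__ == "__main__":
    hashes = hash_passwords(SAMPLE_PASSWORDS)
    print(build_users_ldif(SAMPLE_USERS, SAMPLE_PASSWORDS, hashes))
    # Constructed stand-ins for `openstack user list` / `project list` output.
    print("users without a project:",
          missing_projects(["admin", "vzapi", "alice"], ["admin", "vzapi"]))
```

For the real check in step 7, feed `missing_projects` the output of `openstack --os-cloud local user list -f value -c Name` and `openstack --os-cloud local project list -f value -c Name`; a non-empty result means `vzapi user sync` has not been run since those users were added.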