This plugin integrates the OpenStack Keystone service with an external LDAP service. Effectively, the plugin maps LDAP-based users to cloud users via an OpenStack domain.

Note: This feature is currently only supported in channel 2023.2/edge of the openstack snap.

Enabling LDAP

To enable the LDAP plugin, run the following command:

sunbeam enable ldap

Disabling LDAP

To disable the LDAP plugin, run the following command:

sunbeam disable ldap


Adding a domain

Adding a domain refers to integrating Keystone with one or more existing LDAP servers.

  1. Create a YAML file with details of how Keystone should integrate with the LDAP server. At a minimum, this should include a URL, user, password, and suffix. See the Keystone LDAP integration guide for configuration guidance.

    For example:


    url: ldaps://ldap.example.com:636
    user: cn=admin,dc=example,dc=com
    password: mypassword
    suffix: dc=example,dc=com
  1. If the connection requires TLS, place the CA certificate in a file:


    -----END CERTIFICATE-----
  1. Use the sunbeam ldap add-domain command to set up the domain, adding the --ca-cert-file option if TLS is in use:
    sunbeam ldap add-domain \
       --domain-config-file ./dom1.yaml \
       --ca-cert-file ./dom1.cert dom1
  1. A new LDAP-backed domain will be created in Keystone. Verify this with the native openstack CLI:

    openstack user list --domain dom1

    |                                           | Name          |
    | 941b5daa177ea518b5fc3b85fe9269729eb6abbb1 | John Hethel   |
    | d3b9d2bea306a049d4f56d30d6bba97b24c6db882 | Ryan Trunch   |
    | 7b699dc9a8037d6968c42c5b7b5d5a020d0f58e40 | Michael Diss  |

Updating a domain

To update an LDAP domain the process is similar to adding one:

sunbeam ldap update-domain --domain-config-file ./dom1.yaml --ca-cert-file ./dom1.cert  dom1

Listing domains

To list LDAP domains:

sunbeam ldap list-domains

Removing a domain

To remove an LDAP domain:

sunbeam ldap remove-domain <domain-name>

Important: Since configuration (e.g. OpenStack projects) could have been made to the domain after it was added, the remove-domain command only removes the LDAP connection. To completely remove the domain, the openstack CLI should be used (i.e. openstack domain delete).

Last updated 24 days ago. Help improve this document in the forum.