How to configure Active Directory (AD) integration?

This article describes how to configure integration with Active Directory (AD) for the case where you need to collect users and groups from a specific container (OU) with a recursive subtree search while also applying filters to domain users and groups.

Note

This version of the configuration file applies only to plain ldap:// connections. Implementing ldaps requires additional options that are not shown here. Also keep in mind that the domain settings for users/groups may differ from those given below: the actual values and parameters should be confirmed with the Active Directory administrator.

Example configuration file (etc/keystone/domains/keystone.domainname.conf) for integrating Active Directory (AD) with keystone. Comments are kept on their own lines because keystone's config parser only recognizes whole-line comments; text after a value on the same line would become part of the value:

[identity]
driver = ldap

[ldap]
# address of the LDAP controller; several controllers can be listed, separated by commas
url = ldap://IP:389
# bind DN of an account that has read permissions for all users
user = CN=aos,ou=test,dc=msk,dc=lan
# password of the bind account, written without quotes
password = password
# base suffix; dc=msk,dc=lan corresponds to the msk.lan domain in this example
suffix = dc=msk,dc=lan
use_dumb_member = False
allow_subtree_delete = False

# example subtree for the user search; the values depend on the layout of the specific domain
user_tree_dn = ou=mos,dc=msk,dc=lan
user_objectclass = person
# AD search filter example: objects of category person and class user whose ACCOUNTDISABLE bit (2)
# in userAccountControl is not set, i.e. disabled accounts are skipped. This is standard LDAP filter
# syntax, the same one accepted by the PowerShell -LDAPFilter parameter, so a filter tested there can be reused as-is
user_filter = (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# example subtree for the group search; the values depend on the content of the particular domain
group_tree_dn = ou=VDI,ou=Service,ou=group,dc=msk,dc=lan
group_objectclass = group
# AD search filter example for groups, same syntax as the user filter
group_filter = (&(objectCategory=group))

# keystone only reads from AD; all write operations stay disabled
user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_allow_create = False
group_allow_update = False
group_allow_delete = False

# attribute mapping block for users, configured according to AD
user_id_attribute      = sAMAccountName
user_name_attribute    = sAMAccountName
user_mail_attribute    = mail
user_pass_attribute    = userPassword

# attribute mapping block for groups, configured according to AD
group_id_attribute = cn
group_name_attribute = cn
# AD keeps group membership in the member attribute (also keystone's default)
group_member_attribute = member
group_desc_attribute = description

# if the resulting list of users/groups is large, queries may fail; lower page_size in that case
page_size = 1000
# recursive search through the entire subtree
query_scope = sub

Note

The attribute mapping blocks for users and for groups must list every attribute keystone needs, and each listed attribute must actually exist on the AD objects.

A wrong set of declarations can cause keystone errors for some users in the watched container: for example, a user sits in the monitored container but lacks one of the mapped attributes in AD. Check the current attribute names with your Active Directory administrator.
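Before restarting keystone it is worth checking, offline, what the user filter above will return and whether every returned object carries the mapped attributes. The script below is an added example, not part of the article or of keystone: it parses a constructed copy of the [ldap] section the same way keystone's parser does (whole-line comments only, '=' as the only separator), evaluates the userAccountControl bitwise rule on a few constructed AD entries (the host 10.0.0.5, the accounts alice, bob, svc-backup and the computer ws01 are placeholders), flags entries that lack a mapped attribute, and prints the ldapsearch command that reproduces keystone's user query against the real controller. AD stores objectCategory as a schema DN but matches the filter by display name; the sample entries model that display name directly.

```python
"""Offline pre-flight check for a keystone LDAP domain config.

Added example, not part of the article or of keystone itself. The config text,
the host 10.0.0.5 and the AD entries below are constructed placeholders.
"""
import configparser
import shlex

# Constructed copy of the article's [ldap] section, comments on their own lines
# (oslo.config, which keystone uses, only treats whole-line '#' as comments).
SAMPLE_CONF = """\
[ldap]
url = ldap://10.0.0.5:389
user = CN=aos,ou=test,dc=msk,dc=lan
password = password
suffix = dc=msk,dc=lan
user_tree_dn = ou=mos,dc=msk,dc=lan
user_objectclass = person
user_filter = (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
group_tree_dn = ou=VDI,ou=Service,ou=group,dc=msk,dc=lan
group_objectclass = group
group_filter = (&(objectCategory=group))
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_mail_attribute = mail
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_desc_attribute = description
page_size = 1000
query_scope = sub
"""

ACCOUNTDISABLE = 0x0002  # userAccountControl bit tested by the :1.2.840.113556.1.4.803:=2 rule
REQUIRED_MAPPINGS = ("user_id_attribute", "user_name_attribute",
                     "group_id_attribute", "group_name_attribute", "group_member_attribute")

# Constructed AD entries as keystone would receive them. AD stores objectCategory
# as a schema DN, but the filter compares it by its display name, as modelled here.
USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,ou=mos,dc=msk,dc=lan", "objectCategory": "person", "objectClass": USER,
     "sAMAccountName": "alice", "mail": "alice@msk.lan", "userAccountControl": 512},
    {"dn": "CN=bob,ou=mos,dc=msk,dc=lan", "objectCategory": "person", "objectClass": USER,
     "sAMAccountName": "bob", "mail": "bob@msk.lan", "userAccountControl": 514},  # 512 | ACCOUNTDISABLE
    {"dn": "CN=svc-backup,ou=mos,dc=msk,dc=lan", "objectCategory": "person", "objectClass": USER,
     "sAMAccountName": "svc-backup", "userAccountControl": 66048},  # enabled, but no mail attribute
    {"dn": "CN=ws01,ou=mos,dc=msk,dc=lan", "objectCategory": "computer", "objectClass": USER + ["computer"],
     "sAMAccountName": "ws01$", "userAccountControl": 4096},  # objectClass user, but not category person
]


def load_ldap_section(text):
    """Parse the domain config; only '=' separates keys from values, so filters containing ':' survive."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.read_string(text)
    return dict(parser["ldap"])


def missing_mappings(ldap):
    """Required mapping options that are absent or empty (the misconfiguration the note above warns about)."""
    return [key for key in REQUIRED_MAPPINGS if not ldap.get(key, "").strip()]


def user_filter_matches(entry):
    """Evaluate the article's user_filter locally: person category, user class, ACCOUNTDISABLE bit clear."""
    uac = int(entry.get("userAccountControl", 0))
    return (entry.get("objectCategory", "").lower() == "person"
            and "user" in entry.get("objectClass", [])
            and not uac & ACCOUNTDISABLE)


def missing_attributes(entry, ldap):
    """Mapped user attributes that this entry does not carry; keystone errors out on such users."""
    wanted = {ldap["user_id_attribute"], ldap["user_name_attribute"], ldap["user_mail_attribute"]}
    return sorted(attr for attr in wanted if not entry.get(attr))


def ldapsearch_command(ldap):
    """The ldapsearch call that reproduces keystone's user query against the real controller."""
    return shlex.join(["ldapsearch", "-H", ldap["url"], "-D", ldap["user"], "-W",
                       "-b", ldap["user_tree_dn"], "-s", ldap["query_scope"], ldap["user_filter"],
                       ldap["user_id_attribute"], ldap["user_mail_attribute"]])


def preflight(text, entries):
    """Which entries the filter returns, and which of those lack a mapped attribute."""
    ldap = load_ldap_section(text)
    returned, incomplete = [], {}
    for entry in entries:
        if not user_filter_matches(entry):
            continue
        returned.append(entry["dn"])
        gaps = missing_attributes(entry, ldap)
        if gaps:
            incomplete[entry["dn"]] = gaps
    return {"missing_mappings": missing_mappings(ldap), "returned": returned, "incomplete": incomplete}


if __name__ == "__main__":
    print(preflight(SAMPLE_CONF, SAMPLE_ENTRIES))
    print(ldapsearch_command(load_ldap_section(SAMPLE_CONF)))
```

Run against the constructed entries, the disabled account bob and the computer object ws01 are not returned, svc-backup is returned but reported as lacking mail, and an emptied group_member_attribute is reported as a missing mapping. Running the printed ldapsearch command against the real controller (it prompts for the bind password) shows the actual result set before keystone is restarted.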

keystone must be restarted after each modification of the configuration file for the settings to take effect:

systemctl restart keystone