Importing OpenStack Keystone Users & Tenants into OpenLDAP

If you’ve been following along, we installed OpenLDAP here; otherwise you have one of your own running. Either way, the goal of this post is to pull information out of OpenStack Keystone and import it into OpenLDAP, which prepares us to transition the Keystone backend over to LDAP.

Getting started

To get started, we’ll assume a working LDAP and Keystone setup, and that you are logged into the server(s) hosting each.

Validating connections

Before we get too far into this, let’s validate we’re indeed able to get information from both services.

  • Keystone
# keystone user-list

+----------------------------------+------------+---------+--------------------
|                id                |    name    | enabled |       email        
+----------------------------------+------------+---------+--------------------
| 1ccfc42014e04d4cb1e3818bef855ad0 |   admin    |   True  |   root@localhost   
| f9404ed9fd864070a11e0b76671f99c2 | ceilometer |   True  |   heat@localhost   
| f7c4d64657ab463cb38812a39b8f8a89 |   cinder   |   True  |  cinder@localhost  
....
  • OpenLDAP
# slapcat
dn: dc=cook,dc=book
objectClass: top
objectClass: dcObject
objectClass: organization
...

Exporting from Keystone to LDIF

The LDIF format lets us import the data straight back into LDAP. What follows is a script that runs a few keystone commands, cleans up their table output, and writes the result to an LDIF file. The script is as follows:

#!/bin/bash
SUFFIX='dc=cook,dc=book'
LDIF='/tmp/cookbook.ldif'

# Start from an empty file
echo -n > "$LDIF"

# Make our OUs (a blank line terminates each LDIF entry)
echo "dn: ou=Roles,$SUFFIX" >> "$LDIF"
echo "objectClass: organizationalUnit" >> "$LDIF"
echo "ou: Roles" >> "$LDIF"
echo "description: generic groups branch" >> "$LDIF"
echo >> "$LDIF"

echo "dn: ou=Users,$SUFFIX" >> "$LDIF"
echo "objectClass: organizationalUnit" >> "$LDIF"
echo "ou: Users" >> "$LDIF"
echo "description: generic groups branch" >> "$LDIF"
echo >> "$LDIF"

echo "dn: ou=Groups,$SUFFIX" >> "$LDIF"
echo "objectClass: organizationalUnit" >> "$LDIF"
echo "ou: Groups" >> "$LDIF"
echo "description: generic groups branch" >> "$LDIF"
echo >> "$LDIF"

# In the keystone CLI tables, awk field 4 is the "name" column; the awk
# filter drops the header row and the "+----+" border rows. Note that the
# word split done by "for ... in" assumes names contain no whitespace.
for line in $(keystone role-list | awk '($4 != "name") && ($4 != "") {print $4}')
do
    CN=$line
    echo "dn: cn=$CN,ou=Roles,$SUFFIX" >> "$LDIF"
    echo "objectClass: organizationalRole" >> "$LDIF"
    echo "cn: $CN" >> "$LDIF"
    echo >> "$LDIF"
done

for line in $(keystone user-list | awk '($4 != "name") && ($4 != "") {print $4}')
do
    CN=$line
    echo "dn: cn=$CN,ou=Users,$SUFFIX" >> "$LDIF"
    echo "objectClass: inetOrgPerson" >> "$LDIF"
    echo "cn: $CN" >> "$LDIF"
    echo "sn: cookbook" >> "$LDIF"    # inetOrgPerson requires an sn
    echo >> "$LDIF"
done

for line in $(keystone tenant-list | awk '($4 != "name") && ($4 != "") {print $4}')
do
    CN=$line
    echo "dn: cn=$CN,ou=Groups,$SUFFIX" >> "$LDIF"
    echo "objectClass: groupOfNames" >> "$LDIF"
    echo "member: cn=admin,$SUFFIX" >> "$LDIF"    # groupOfNames requires at least one member
    echo "cn: $CN" >> "$LDIF"
    echo >> "$LDIF"
done

This assumes you have connectivity between where you are running the script and Keystone. It also assumes that role, user and tenant names contain no whitespace, since the loops split the command output on whitespace.

This should produce a file that looks like this:

dn: cn=cookbook,ou=Groups,dc=cook,dc=book
objectClass: groupOfNames
cn: cookbook

dn: cn=service,ou=Groups,dc=cook,dc=book
objectClass: groupOfNames
cn: service

dn: cn=Member,ou=Roles,dc=cook,dc=book
objectClass: organizationalRole
cn: Member

dn: cn=_member_,ou=Roles,dc=cook,dc=book
objectClass: organizationalRole

You should now be able to use the resulting LDIF file to import these entries into LDAP.
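As an added example that is not part of the original post, here is a Python version of the same export. Instead of picking column 4 with awk, it parses the tables that the keystone CLI prints, so names containing spaces survive; it escapes RDN values per RFC 4514 (a tenant named `acme, inc` would otherwise yield a malformed DN) and base64-encodes attribute values that are not LDIF SAFE-STRINGs per RFC 2849 (for example non-ASCII names). It goes slightly beyond the shell script by copying the `email` column of `user-list` into the `mail` attribute of each inetOrgPerson. The embedded tables, their ids and the `keystone_table` helper are constructed assumptions of this example, not output from the post's environment.

```python
# Added example (not the post's script): keystone CLI tables -> LDIF with
# RFC 4514 DN escaping and RFC 2849 value encoding. The tables are constructed
# sample input in the CLI's layout; "Jane Doe" and "acme, inc" are included
# because awk '{print $4}' returns "Jane" and "acme," for them.
import base64
import subprocess

SUFFIX = "dc=cook,dc=book"
ROLE_LIST = """\
+------+----------+
|  id  |   name   |
+------+----------+
| r001 | _member_ |
| r002 |  Member  |
+------+----------+
"""
USER_LIST = """\
+------+------------+---------+------------------+
|  id  |    name    | enabled |       email      |
+------+------------+---------+------------------+
| u001 |   admin    |   True  |  root@localhost  |
| u002 |  Jane Doe  |   True  |  jane@localhost  |
+------+------------+---------+------------------+
"""
TENANT_LIST = """\
+------+-----------+---------+
|  id  |    name   | enabled |
+------+-----------+---------+
| t001 |  service  |   True  |
| t002 | acme, inc |   True  |
+------+-----------+---------+
"""


def parse_table(text):
    """Rows of a '| a | b |' table as dicts keyed by the header row; the
    '+---+' border lines and any other text are ignored."""
    rows = [ln for ln in text.splitlines() if ln.lstrip().startswith("|")]
    if not rows:
        return []
    cells = lambda ln: [c.strip() for c in ln.strip().strip("|").split("|")]
    return [dict(zip(cells(rows[0]), cells(r))) for r in rows[1:]]


def escape_rdn_value(value):
    """Escape a value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' when the value is not an RFC 2849
    SAFE-STRING (non-ASCII, contains NUL/CR/LF, or starts with ' ', ':' or '<')."""
    if (not value.isascii() or any(c in value for c in "\0\r\n")
            or value[:1] in (" ", ":", "<")):
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def entry(dn, attrs):
    """One LDIF entry: dn line, attribute lines, trailing newline."""
    return "\n".join([ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]) + "\n"


def export_ldif(suffix, role_table, user_table, tenant_table):
    """Same tree as the post's script: ou=Roles/Users/Groups, an organizationalRole
    per role, an inetOrgPerson per user (plus mail from the email column), and a
    groupOfNames per tenant whose mandatory member is the LDAP admin."""
    entries = [entry("ou=%s,%s" % (ou, suffix),
                     [("objectClass", "organizationalUnit"), ("ou", ou)])
               for ou in ("Roles", "Users", "Groups")]
    for role in parse_table(role_table):
        entries.append(entry("cn=%s,ou=Roles,%s" % (escape_rdn_value(role["name"]), suffix),
                             [("objectClass", "organizationalRole"), ("cn", role["name"])]))
    for user in parse_table(user_table):
        attrs = [("objectClass", "inetOrgPerson"), ("cn", user["name"]), ("sn", "cookbook")]
        if user.get("email"):
            attrs.append(("mail", user["email"]))
        entries.append(entry("cn=%s,ou=Users,%s" % (escape_rdn_value(user["name"]), suffix), attrs))
    for tenant in parse_table(tenant_table):
        entries.append(entry("cn=%s,ou=Groups,%s" % (escape_rdn_value(tenant["name"]), suffix),
                             [("objectClass", "groupOfNames"), ("member", "cn=admin,%s" % suffix),
                              ("cn", tenant["name"])]))
    return "\n".join(entries)


def keystone_table(subcommand):
    """Run 'keystone <subcommand>' on a host with the CLI and its OS_* auth
    environment (an assumption of this example) and return the printed table."""
    return subprocess.run(["keystone", subcommand], check=True,
                          capture_output=True, text=True).stdout
```

To try it offline, call `export_ldif(SUFFIX, ROLE_LIST, USER_LIST, TENANT_LIST)` and print the string; on the Keystone host, pass `keystone_table("role-list")`, `keystone_table("user-list")` and `keystone_table("tenant-list")` instead and write the result to the LDIF file, which is then what ldapadd consumes. The base64 branch in `ldif_line` also applies to the `dn` line itself, so a non-ASCII name produces a `dn::` line rather than a broken one.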
