Active Directory Integration
VMware Integrated OpenStack uses OpenStack's ability to integrate the OpenStack Keystone identity service (also known as Horizon) with LDAP. As of today, VMware has tested and validated only the integration with Microsoft Active Directory.
Keystone can use an SQL database or an LDAP backend for identity (user identification, group retrieval) and for authorization/assignment (that is, mapping users and groups to projects and mapping users to roles). Even the latest OpenStack (Juno) documentation explicitly states that LDAP as the assignment backend is not recommended, so it must not be used in production.
VMware only supports Microsoft Active Directory as an identity backend with LDAP, and not the authorization/assignment functionality.
Note: To switch the authentication type and configuration post-deployment, redeploy the OpenStack instance.
Two AD accounts should be created prior to deploying the OpenStack instance.
The first account is the OpenStack service account (for example, “osservices”). This account will be used by OpenStack services to authenticate against each other.
The second account is the OpenStack Admin account (for example, “admin”). This account will be used to log in to VMware Horizon after the Integrated OpenStack instance has been deployed.
For this design, <Customer> has made the decisions listed in the following table.
Table 77. VIO AD, Users and Quota Design Decisions
Decision ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
sAMAccountName will be used as the user attribute instead of UserPrincipal name. | By using sAMAccountName, users can log in with their short username (such as user1) instead of their UPN (such as user1@<Customer>.com). | When using sAMAccountName, users can only come from a single domain source. Using a metadirectory product or a multi-forest AD deployment is not possible. |
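The following keystone.conf fragment is an added illustration, not configuration generated by VMware Integrated OpenStack, of the split described above: Active Directory over LDAP for identity, Keystone's SQL database for assignment, sAMAccountName as the user name attribute, and the directory treated as read-only. The domain controller hostname, base DNs, CA file path and the service account DN are placeholders.

```ini
# Added illustration of the identity/assignment split described in the text.
# Hostname, DNs, paths and credentials are placeholders, not values from this design.

[identity]
# Users and groups are read from Active Directory over LDAP.
driver = ldap

[assignment]
# Projects and role assignments stay in Keystone's SQL database;
# LDAP is not used as the assignment backend.
driver = sql

[ldap]
# ldaps:// gives TLS on 636; use_tls = True would instead mean STARTTLS on 389
# and Keystone rejects combining the two.
url = ldaps://dc01.example.local:636
use_tls = False
tls_cacertfile = /etc/keystone/ad-root-ca.pem
tls_req_cert = demand
# Bind as the OpenStack service account (the "osservices" account from the text).
user = CN=osservices,OU=Service Accounts,DC=example,DC=local
password = <service-account-password>
suffix = DC=example,DC=local

# Users: match on sAMAccountName so "user1" logs in rather than user1@example.local.
user_tree_dn = OU=Users,DC=example,DC=local
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
# Map AD's userAccountControl to Keystone's enabled flag (bit 2 = ACCOUNTDISABLE).
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
# Keystone never writes to the directory.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

# Groups: AD group objects, membership resolved through the member attribute.
group_tree_dn = OU=Groups,DC=example,DC=local
group_objectclass = group
group_id_attribute = cn
group_name_attribute = cn
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```

Because only sAMAccountName is matched, every user must resolve under the single user_tree_dn, which is the single-domain implication recorded in the table.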