Bug 1140829

Summary: [Doc] Keystone LDAPS connection using CA certificate
Product: Red Hat OpenStack
Reporter: Stephen Gordon <sgordon>
Component: doc-Installation_and_Configuration_Guide
Assignee: Suyog Sainkar <ssainkar>
Status: CLOSED CURRENTRELEASE
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: high
Docs Contact:
Priority: high
Version: 5.0 (RHEL 7)
CC: adahms, anande, ayoung, ddomingo, erich, jdexter, nkinder, sgordon, ukalifon, yeylon
Target Milestone: ---
Keywords: Documentation, ZStream
Target Release: 5.0 (RHEL 7)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1140152
Environment:
Last Closed: 2015-02-13 05:43:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1140152
Bug Blocks:

Comment 2 Nathan Kinder 2014-09-12 00:06:23 UTC
There are two ways of configuring the CA trust for the OpenLDAP libraries that are used by Keystone:

Method 1:
---------
1 - Copy the file containing your CA certificate chain (in PEM format) to /etc/openldap/certs.

2 - Edit /etc/openldap/ldap.conf and add the following directive:

  TLS_CACERT /etc/openldap/certs/<ca file>

Be sure to replace <ca file> with the filename that was chosen for your CA certificate chain.

Method 2:
---------
1 - Use certutil to import and trust your CA certificate chain into the NSS certificate database that is used by the OpenLDAP client libraries:

  certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i <ca file>

Be sure to replace <ca file> with the filename that was chosen for your CA certificate chain.

You can use a more appropriate certificate nickname for the '-n' option.  This nickname is used to identify the certificate in the NSS database.

2 - Confirm that the CA certificate was imported correctly:

  certutil -d /etc/openldap/certs -L

Your CA certificate should be listed, and the trust attributes should be set to "CT,,".

Comment 3 Nathan Kinder 2014-09-12 01:08:01 UTC
One more note to add to comment #2 is that the Keystone service needs to be restarted for the changes to take effect.

Comment 12 Andrew Dahms 2014-11-20 01:19:14 UTC
Moving to ssainkar, who is now the author assigned to the Keystone component, for further processing and publication.

Comment 16 Udi Kalifon 2014-12-03 07:05:08 UTC
Please also document how to create the cacert.pem file. It's got a header and a footer, and the contents of the ldap query that obtained the certificate:

-----BEGIN CERTIFICATE-----
MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANB....
-----END CERTIFICATE-----

I'd also document the step that checks if ldaps is working, so that users can better troubleshoot their problem if something is not working and they're not sure if the cert file was created correctly or not. Run this query:

LDAPTLS_CACERT=/path/to/cacert.pem ldapsearch -xLLL -ZZ -H $LDAPURL -D "$ADMIN_DN" -w "$ADMINPASSWORD" -s base -b "" "objectclass=*" currenttime

It should return something like:
dn:
currentTime: 20141022050611.0Z
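The following is an added example, not part of this bug report or of the Red Hat documentation it tracks: shell preflight checks for Method 1 from comment 2 and for the hand-built cacert.pem file from comment 16, meant to run before Keystone is restarted. It assumes GNU or BusyBox base64 and od, and uses the LDAPURL, ADMIN_DN and ADMINPASSWORD variables from comment 16; the sample PEM bodies are constructed placeholders, not real certificates.

```shell
# check_pem FILE: succeed only if FILE has the PEM header and footer and its
# body base64-decodes to DER whose first byte is 0x30 (the ASN.1 SEQUENCE
# every X.509 certificate starts with). Catches a pasted body that was not
# wrapped in the BEGIN/END lines, or that is not base64 DER at all.
check_pem() {
    f=$1
    [ -r "$f" ] || { echo "check_pem: cannot read $f" >&2; return 1; }
    grep -q '^-----BEGIN CERTIFICATE-----$' "$f" \
        || { echo "check_pem: $f lacks BEGIN CERTIFICATE header" >&2; return 1; }
    grep -q '^-----END CERTIFICATE-----$' "$f" \
        || { echo "check_pem: $f lacks END CERTIFICATE footer" >&2; return 1; }
    first=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$f" \
        | sed '1d;$d' | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
    [ "$first" = "30" ] \
        || { echo "check_pem: $f body is not DER (first byte '$first')" >&2; return 1; }
}

# check_ldap_conf CONF: succeed only if CONF carries a TLS_CACERT directive
# (Method 1 in comment 2) naming a readable PEM certificate file.
check_ldap_conf() {
    ca=$(awk '$1 == "TLS_CACERT" { print $2; exit }' "$1")
    [ -n "$ca" ] || { echo "check_ldap_conf: no TLS_CACERT in $1" >&2; return 1; }
    check_pem "$ca"
}

# ldaps_probe CAFILE: the base-DN query from comment 16; succeeds only when
# the server answers over TLS, which proves the CA file is trusted end to end.
ldaps_probe() {
    LDAPTLS_CACERT=$1 ldapsearch -xLLL -ZZ -H "$LDAPURL" -D "$ADMIN_DN" \
        -w "$ADMINPASSWORD" -s base -b "" "objectclass=*" currenttime \
        | grep -q '^currentTime:'
}

# make_samples: constructed inputs in a temp dir (path printed on stdout).
# "MAA=" decodes to the DER bytes 30 00 (an empty SEQUENCE); "Zm9v" decodes
# to the plain text "foo", so it must be rejected.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MAA=' '-----END CERTIFICATE-----' > "$dir/good.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Zm9v' '-----END CERTIFICATE-----' > "$dir/notder.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MAA=' > "$dir/nofooter.pem"
    printf 'TLS_CACERT %s\n' "$dir/good.pem" > "$dir/ldap.conf"
    printf 'BASE dc=example,dc=com\n' > "$dir/ldap-nocert.conf"
    echo "$dir"
}
```

Run check_ldap_conf /etc/openldap/ldap.conf on the real host, then ldaps_probe with the same CA file; only if both succeed is a Keystone restart worth doing.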