The Identity service supports the use of TLS to encrypt LDAP traffic. Before configuring this, you must first verify where your certificate authority file is located. For more information, see the `OpenStack Security Guide SSL introduction <http://docs.openstack.org/security-guide/secure-communication/introduction-to-ssl-and-tls.html>`_.
Once you verify the location of your certificate authority file:
To configure TLS encryption on LDAP traffic
- Open the ``/etc/keystone/keystone.conf`` configuration file.
- Find the ``[ldap]`` section.
- In the ``[ldap]`` section, set the ``use_tls`` configuration key to ``True``. Doing so will enable TLS.
- Configure the Identity service to use your certificate authorities file. To do so, set the ``tls_cacertfile`` configuration key in the ``[ldap]`` section to the certificate authorities file's path.

  You can also set the ``tls_cacertdir`` key (also in the ``[ldap]`` section) to the directory where all certificate authorities files are kept. If both ``tls_cacertfile`` and ``tls_cacertdir`` are set, then the latter will be ignored.
- Specify what client certificate checks to perform on incoming TLS sessions from the LDAP server. To do so, set the ``tls_req_cert`` configuration key in the ``[ldap]`` section.
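As an added illustration that is not part of this guide, the following script checks a ``keystone.conf`` ``[ldap]`` section for the settings the steps above describe: ``use_tls`` enabled, exactly one of ``tls_cacertfile``/``tls_cacertdir`` in use (the latter is ignored when both are set), and ``tls_req_cert`` set to a value Keystone accepts. The sample configuration is constructed; the accepted values ``demand``, ``allow`` and ``never`` and the rule that ``use_tls`` must not be combined with an ``ldaps://`` URL are taken from Keystone's own option help, and the check treats anything other than ``demand`` as weak because only ``demand`` rejects sessions whose certificate cannot be verified against the CA file.

```python
import configparser

# Constructed sample keystone.conf fragment (not from a real deployment):
# both CA options are set, and tls_req_cert is left at "allow".
SAMPLE_CONF = """
[ldap]
url = ldap://ldap.example.internal
use_tls = True
tls_cacertfile = /etc/keystone/ssl/certs/ca.pem
tls_cacertdir = /etc/keystone/ssl/cacerts
tls_req_cert = allow
"""

# Values Keystone accepts for [ldap] tls_req_cert.
VALID_REQ_CERT = {"demand", "allow", "never"}


def check_ldap_tls(conf_text):
    """Return a list of findings for the TLS settings in the [ldap] section."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    findings = []
    if not cp.has_section("ldap"):
        return ["no [ldap] section: LDAP back end not configured"]
    ldap = cp["ldap"]
    use_tls = ldap.getboolean("use_tls", fallback=False)
    url = ldap.get("url", fallback="").strip().lower()
    if url.startswith("ldaps://") and use_tls:
        findings.append("use_tls=True with an ldaps:// URL: use one or the other")
    elif not use_tls and not url.startswith("ldaps://"):
        findings.append("use_tls is not True: LDAP traffic is sent in clear text")
    cafile = ldap.get("tls_cacertfile", fallback="").strip()
    cadir = ldap.get("tls_cacertdir", fallback="").strip()
    if cafile and cadir:
        findings.append("both tls_cacertfile and tls_cacertdir set: tls_cacertdir is ignored")
    elif not cafile and not cadir:
        findings.append("no tls_cacertfile or tls_cacertdir: certificates cannot be verified")
    req = ldap.get("tls_req_cert", fallback="demand").strip().lower()
    if req not in VALID_REQ_CERT:
        findings.append("tls_req_cert=%r is not one of %s" % (req, sorted(VALID_REQ_CERT)))
    elif req != "demand":
        findings.append("tls_req_cert=%s: certificate verification failures are tolerated" % req)
    return findings


if __name__ == "__main__":
    for finding in check_ldap_tls(SAMPLE_CONF):
        print(finding)
```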
On distributions that include openstack-config, you can configure TLS encryption on LDAP traffic by running the following commands instead::

    # openstack-config --set /etc/keystone/keystone.conf \
      ldap use_tls True
    # openstack-config --set /etc/keystone/keystone.conf \
      ldap tls_cacertfile CA_FILE
    # openstack-config --set /etc/keystone/keystone.conf \
      ldap tls_req_cert CERT_BEHAVIOR

Where:
``CA_FILE`` is the absolute path to the certificate authorities file that should be used to encrypt LDAP traffic.

``CERT_BEHAVIOR`` specifies what client certificate checks to perform on an incoming TLS session from the LDAP server (