Integrating the Identity Service with LDAP

The Metacloud Identity service defines a user’s role on a project, and each service then defines what permissions each role has. This is referred to as the service’s policy. The Metacloud Identity service supports integration with existing LDAP directories for authentication and authorization services.

When the Metacloud Identity service is configured to use LDAP back ends, you can split authentication (using the identity feature) and authorization (using the assignment feature).

The identity feature enables administrators to manage users and groups by each domain or the Metacloud Identity service entirely.

The assignment feature enables administrators to manage project role authorization using the Metacloud Identity service SQL database, while providing user authentication through the LDAP directory.

For the Metacloud Identity service to access LDAP servers, engineers must enable the authlogin_nsswitch_use_ldap boolean value for SELinux on the server running the Metacloud Identity service. To enable and make the option persistent across reboots, set the following boolean value as the root user:

# setsebool -P authlogin_nsswitch_use_ldap on

The Identity configuration is split into two separate back ends; identity (back end for users and groups), and assignments (back end for domains, projects, roles, role assignments).

Multiple back ends are supported. You can integrate the Metacloud Identity service with a single LDAP server (configure both identity and assignments to LDAP, or set identity and assignments back end with SQL or LDAP), or multiple back ends using domain-specific configuration files. Submit a request for assistance through Metacloud support.

Metacloud engineers define the destination LDAP server for you at installation.