Log in to a host capable of running LXC containers.
The container needs a bridge on the host so that it gets an address on the host's network; this guide creates one called br-host.
First, install the necessary networking packages:
apt-get install bridge-utils
Reconfigure /etc/network/interfaces so that the physical interface is enslaved to the bridge and the host's address moves onto the bridge (adjust the interface name, addresses and DNS servers to match your environment):
# The loopback network interface
auto lo
iface lo inet loopback
auto em1
iface em1 inet manual
# Container Bridge
auto br-host
iface br-host inet static
address 10.240.0.20
netmask 255.255.252.0
gateway 10.240.0.1
dns-nameservers 8.8.8.8 8.8.4.4
bridge_ports em1
bridge_stp off
bridge_waitport 0
bridge_fd 0
Bring up br-host. Do this from a console or out-of-band session: taking em1 down drops any SSH session that uses it, and the host's address is now owned by the bridge:
ifdown em1; ifup br-host
Install necessary LXC packages:
apt-get install lxc
Create the LXC container:
lxc-create -t download -n openldap -- --dist ubuntu --release trusty --arch amd64
Append the following to /var/lib/lxc/openldap/config (modify as necessary to match your environment). The prefix length must match the bridge's netmask, so /22 for the 255.255.252.0 used above; the xx bytes of hwaddr are replaced with random values by LXC when the container starts. If the container must reach hosts outside 10.240.0.0/22, also add lxc.network.ipv4.gateway = 10.240.0.1:
lxc.network.type = veth
lxc.network.name = eth1
lxc.network.ipv4 = 10.240.0.11/22
lxc.network.link = br-host
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
lxc.network.flags = up
lxc.network.mtu = 1500
Start the LXC container:
lxc-start -d --name openldap
Attach to the LXC container:
lxc-attach --name openldap
Install OpenLDAP packages:
apt-get install slapd ldap-utils
During install, slapd will prompt you to enter a password for the admin LDAP user.
Now reconfigure slapd to set the directory's base DN. When prompted for the DNS domain name, enter the domain whose components form the suffix; example.com, giving dc=example,dc=com, is used throughout the documentation:
dpkg-reconfigure slapd
Once the base DN exists, populate it with the organizational units and accounts used in this documentation by creating a file, schema.ldif, with the following contents. The userPassword values below are plain text and identical to the uid; they are placeholders for an isolated test environment and should be replaced before any other use. slappasswd -s <password> prints a salted {SSHA} hash that can be pasted in place of the plain-text value so slapd never stores the password itself. Each entry must be separated from the next by a blank line, otherwise ldapadd rejects the file:
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

dn: ou=ServiceAccounts,dc=example,dc=com
objectClass: organizationalUnit
ou: ServiceAccounts

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: uid=rpc-ldap-bind,ou=ServiceAccounts,dc=example,dc=com
objectClass: inetOrgPerson
uid: rpc-ldap-bind
sn: rpc-ldap-bind
givenName: rpc-ldap-bind
cn: rpc-ldap-bind
displayName: rpc-ldap-bind
userPassword: rpc-ldap-bind

dn: uid=ldap-stack_domain_admin,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-stack_domain_admin
sn: ldap-stack_domain_admin
givenName: ldap-stack_domain_admin
cn: ldap-stack_domain_admin
displayName: ldap-stack_domain_admin
userPassword: ldap-stack_domain_admin

dn: uid=ldap-admin,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-admin
sn: ldap-admin
cn: ldap-admin
displayName: ldap-admin
userPassword: ldap-admin

dn: uid=ldap-keystone,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-keystone
sn: ldap-keystone
cn: ldap-keystone
displayName: ldap-keystone
userPassword: ldap-keystone

dn: uid=ldap-swift_dispersion,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-swift_dispersion
sn: ldap-swift_dispersion
cn: ldap-swift_dispersion
displayName: ldap-swift_dispersion
userPassword: ldap-swift_dispersion

dn: uid=ldap-swift,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-swift
sn: ldap-swift
cn: ldap-swift
displayName: ldap-swift
userPassword: ldap-swift

dn: uid=ldap-cinder,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-cinder
sn: ldap-cinder
cn: ldap-cinder
displayName: ldap-cinder
userPassword: ldap-cinder

dn: uid=ldap-glance,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-glance
sn: ldap-glance
cn: ldap-glance
displayName: ldap-glance
userPassword: ldap-glance

dn: uid=ldap-heat,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-heat
sn: ldap-heat
cn: ldap-heat
displayName: ldap-heat
userPassword: ldap-heat

dn: uid=ldap-neutron,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-neutron
sn: ldap-neutron
cn: ldap-neutron
displayName: ldap-neutron
userPassword: ldap-neutron

dn: uid=ldap-nova,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-nova
sn: ldap-nova
cn: ldap-nova
displayName: ldap-nova
userPassword: ldap-nova

dn: uid=ldap-ceilometer,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ldap-ceilometer
sn: ldap-ceilometer
givenName: ldap-ceilometer
cn: ldap-ceilometer
displayName: ldap-ceilometer
userPassword: ldap-ceilometer

dn: uid=cloud-user-1,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: cloud-user-1
sn: cloud-user-1
givenName: cloud-user-1
cn: cloud-user-1
displayName: cloud-user-1
userPassword: cloud-user-1

dn: uid=cloud-user-2,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: cloud-user-2
sn: cloud-user-2
givenName: cloud-user-2
cn: cloud-user-2
displayName: cloud-user-2
userPassword: cloud-user-2
Finally, add the organizational units and users (when prompted, enter the admin password you set when installing slapd):
ldapadd -x -D cn=admin,dc=example,dc=com -W -h 10.240.0.11 -f schema.ldif
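Hand-editing a file like schema.ldif is where plain-text passwords and missing entry separators creep in. The following is an added example, not part of the original documentation or of any project tooling: it generates the same kind of seed LDIF from a list of accounts (a constructed sample, with placeholder passwords that are assumptions rather than values from the page), stores each password as a salted {SSHA} value of the form slappasswd produces, base64-encodes any attribute value that RFC 2849 does not permit in plain form, and joins entries with the blank line ldapadd requires. ssha_verify shows what slapd does with that value on a simple bind.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample input (not from the original page): the three OUs the
# documentation creates plus a few of its accounts, each with a distinct
# placeholder password rather than a password equal to the uid.
BASE_DN = "dc=example,dc=com"
ORG_UNITS = ("Users", "ServiceAccounts", "Groups")
SAMPLE_ACCOUNTS = (
    ("rpc-ldap-bind", "ServiceAccounts", "bind-secret-1"),
    ("ldap-keystone", "Users", "keystone-secret-2"),
    ("cloud-user-1", "Users", "user-secret-3"),
)


def ssha_hash(password, salt=None):
    """Return an {SSHA} userPassword value: base64(SHA1(password + salt) + salt).

    This is the scheme slappasswd emits by default, so slapd verifies simple
    binds against it without the plain-text password ever being stored.
    """
    if salt is None:
        salt = os.urandom(8)  # fresh salt per password: equal passwords hash differently
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, candidate):
    """Check a candidate password against an {SSHA} value, as slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the salt follows it
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def ldif_attr(name, value):
    """Emit one LDIF attribute line, base64-encoding ("name:: ...") values that
    RFC 2849 does not allow in plain form: non-ASCII or non-printable text,
    a leading space, ':' or '<', or a trailing space."""
    safe = (
        value.isascii()
        and value.isprintable()
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def ldif_entry(dn, attrs):
    """One LDIF entry: the dn line followed by its attribute lines."""
    return "\n".join([f"dn: {dn}"] + [ldif_attr(k, v) for k, v in attrs])


def build_seed_ldif(base_dn=BASE_DN, org_units=ORG_UNITS, accounts=SAMPLE_ACCOUNTS):
    """Build the seed LDIF: OUs first (their parents must exist before the
    accounts are added), then one inetOrgPerson per account with a hashed
    password. Entries are joined with a blank line, the separator ldapadd
    requires between entries."""
    entries = [
        ldif_entry(f"ou={ou},{base_dn}",
                   [("objectClass", "organizationalUnit"), ("ou", ou)])
        for ou in org_units
    ]
    for uid, ou, password in accounts:
        if ou not in org_units:
            raise ValueError(f"{uid}: OU {ou!r} is not among the OUs being created")
        entries.append(ldif_entry(f"uid={uid},ou={ou},{base_dn}", [
            ("objectClass", "inetOrgPerson"),
            ("uid", uid),
            ("sn", uid),  # inetOrgPerson requires sn and cn
            ("cn", uid),
            ("displayName", uid),
            ("userPassword", ssha_hash(password)),
        ]))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Write the result to a file and load it with the ldapadd command above.
    print(build_seed_ldif(), end="")
```

Running the script prints the LDIF to standard output; redirect it to schema.ldif and load it with the ldapadd command above. Because each userPassword is already an {SSHA} value, the bind in the verification step below still succeeds with the original plain-text password, but a dump of the directory or a leaked LDIF no longer reveals it.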
If you need to delete individual users, you can use the following command:
ldapdelete -x -D cn=admin,dc=example,dc=com -W -h 10.240.0.11 uid=ldap-nova,ou=Users,dc=example,dc=com
You can verify that the bind account works by running the following command (the password prompted for is the rpc-ldap-bind userPassword you set in schema.ldif). Note that -x performs a simple bind, which sends that password in the clear over a plain ldap:// connection; outside an isolated test network use StartTLS (-ZZ) or an ldaps:// URI.
ldapsearch -x -W -D uid=rpc-ldap-bind,ou=ServiceAccounts,dc=example,dc=com -h 10.240.0.11 -b "dc=example,dc=com"