Add support for LDAP groups

Support for LDAP groups exists in Keystone. The fuel-ldap-plugin,
however, does not offer any means to configure it.

Change this by adding configuration options in Fuel.

Change-Id: I87d14f27281c2fcfe5a04bd6faa735df6fee455b
Oleksandr Vlasov 2016-01-28 11:28:33 +02:00
parent 20e2430c7f
commit 37f1b678fa
2 changed files with 64 additions and 0 deletions


@ -29,6 +29,18 @@ class plugin_ldap::controller {
$user_allow_update = false
$user_allow_delete = false
$group_tree_dn = $::fuel_settings['ldap']['group_tree_dn']
$group_filter = $::fuel_settings['ldap']['group_filter']
$group_objectclass = $::fuel_settings['ldap']['group_objectclass']
$group_id_attribute = $::fuel_settings['ldap']['group_id_attribute']
$group_name_attribute = $::fuel_settings['ldap']['group_name_attribute']
$group_member_attribute = $::fuel_settings['ldap']['group_member_attribute']
$group_desc_attribute = $::fuel_settings['ldap']['group_desc_attribute']
$group_allow_create = false
$group_allow_update = false
$group_allow_delete = false
$domain = $::fuel_settings['ldap']['domain']
file { '/etc/keystone/domains':
@ -65,6 +77,16 @@ class plugin_ldap::controller {
"${domain}/ldap/user_allow_create": value => $user_allow_create;
"${domain}/ldap/user_allow_update": value => $user_allow_update;
"${domain}/ldap/user_allow_delete": value => $user_allow_delete;
"${domain}/ldap/group_tree_dn": value => $group_tree_dn;
"${domain}/ldap/group_filter": value => $group_filter;
"${domain}/ldap/group_objectclass": value => $group_objectclass;
"${domain}/ldap/group_id_attribute": value => $group_id_attribute;
"${domain}/ldap/group_name_attribute": value => $group_name_attribute;
"${domain}/ldap/group_member_attribute": value => $group_member_attribute;
"${domain}/ldap/group_desc_attribute": value => $group_desc_attribute;
"${domain}/ldap/group_allow_create": value => $group_allow_create;
"${domain}/ldap/group_allow_update": value => $group_allow_update;
"${domain}/ldap/group_allow_delete": value => $group_allow_delete;
} ~>
service { 'httpd':
name => "$apache::params::service_name",
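Review bot: The group_allow_create/update/delete flags added in the first hunk are hard-coded to false, mirroring the user_allow_* flags, but nothing says this is deliberate; a comment such as `# Group writes are disabled: Keystone only reads group membership from LDAP` above `$group_allow_create = false` would make the read-only intent explicit. The other group_* values are taken straight from fuel_settings and written unchanged into the domain config in the second hunk; an empty group_filter or group_tree_dn is presumably left for Keystone to treat as unset, which is worth confirming and noting next to the assignments. The class and the resource carrying the `${domain}/ldap/...` settings both begin outside the hunks.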


@ -86,3 +86,45 @@ attributes:
description: 'LDAP attribute mapped to enabled/disabled.'
weight: 66
type: "text"
group_tree_dn:
value: 'ou=Groups,dc=example,dc=com'
label: 'Groups Tree DN'
description: 'Search base for groups.'
weight: 75
type: "text"
group_filter:
value: ''
label: 'Group Filter'
description: 'LDAP search filter for groups.'
weight: 80
type: "text"
group_objectclass:
value: 'groupOfNames'
label: 'Group Object Class'
description: 'LDAP objectclass for groups.'
weight: 85
type: "text"
group_id_attribute:
value: 'cn'
label: 'Group ID Attribute'
description: 'LDAP attribute mapped to group id.'
weight: 90
type: "text"
group_name_attribute:
value: 'ou'
label: 'Group Name Attribute'
description: 'LDAP attribute mapped to group name.'
weight: 95
type: "text"
group_member_attribute:
value: 'member'
label: 'Group Member Attribute'
description: 'LDAP attribute that maps user to group.'
weight: 100
type: "text"
group_desc_attribute:
value: 'description'
label: 'Group description Attribute'
description: 'LDAP attribute mapped to description.'
weight: 105
type: "text"
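Review bot: The label `'Group description Attribute'` breaks the capitalization used by the other new labels (`'Group Member Attribute'`, `'Group Name Attribute'`); change it to `'Group Description Attribute'` and make its description say what it maps, e.g. `description: 'LDAP attribute mapped to group description.'`. The group_tree_dn default `'ou=Groups,dc=example,dc=com'` is an example DN that ends up in the live domain configuration if the operator leaves it untouched, which the description should state, e.g. `description: 'Search base for groups; replace the example DN with your directory.'`. The attributes mapping begins before the hunk.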