keystone ldap plugin initial commit

* Enable domain_specific_drivers in keystone * create keystone domain, specified in plugin settings change identity driver to ldap for this domain * use keystone v3 api in horizon Change-Id: I0f1179c62d0f36dad92c4872f8e85c4a60af418b
2015-08-27 12:26:15 +03:00 · 2015-08-27 12:26:15 +03:00 · 80845952bb
parent 6812d55184
commit 80845952bb
9 changed files with 247 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,4 @@
+ldap
+============
+
+Plugin description
--- a/deployment_scripts/puppet/manifests/controller_site.pp
+++ b/deployment_scripts/puppet/manifests/controller_site.pp
@ -0,0 +1,2 @@
+$fuel_settings = parseyaml($astute_settings_yaml)
+class {'plugin_ldap::controller': }
--- a/deployment_scripts/puppet/modules/plugin_ldap/lib/puppet/provider/keystone_config/ini_setting_domain.rb
+++ b/deployment_scripts/puppet/modules/plugin_ldap/lib/puppet/provider/keystone_config/ini_setting_domain.rb
@ -0,0 +1,43 @@
+Puppet::Type.type(:keystone_config).provide(
+  :ini_setting_domain,
+  :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+  def elements
+    return @elements if @elements
+    elements = resource[:name].split('/', 3)
+    elements.unshift nil unless elements.length >= 3
+    elements[0] = nil if elements[0] =~ /default/i
+    @elements = {
+      :domain  => elements[0],
+      :section => elements[1],
+      :setting => elements[2..-1].join,
+    }
+  end
+
+  def section
+    elements[:section]
+  end
+
+  def setting
+    elements[:setting]
+  end
+
+  def domain
+    elements[:domain]
+  end
+
+  def separator
+    '='
+  end
+
+  # added for backwards compatibility with older versions of inifile
+  def file_path
+    if elements[:domain]
+      "/etc/keystone/domains/keystone.#{@elements[:domain]}.conf"
+    else
+      '/etc/keystone/keystone.conf'
+    end
+  end
+
+end
--- a/deployment_scripts/puppet/modules/plugin_ldap/manifests/controller.pp
+++ b/deployment_scripts/puppet/modules/plugin_ldap/manifests/controller.pp
@ -0,0 +1,96 @@
+class plugin_ldap::controller {
+
+  include ::apache::params
+
+  $management_vip             = hiera('management_vip')
+
+  ## if AD is used, in order to properly display if account is enabled or disabled
+  ## additional parameters need to be set.
+  if $::fuel_settings['ldap']['user_enabled_attribute'] == 'userAccountControl' {
+    $user_enabled_default = 512
+    $user_enabled_mask   = 2
+  }
+
+  $identity_driver        = 'keystone.identity.backends.ldap.Identity'
+  $url                    = $::fuel_settings['ldap']['url']
+  $suffix                 = $::fuel_settings['ldap']['suffix']
+  $user                   = $::fuel_settings['ldap']['user']
+  $password               = $::fuel_settings['ldap']['password']
+  $query_scope            = $::fuel_settings['ldap']['query_scope']
+  $user_tree_dn           = $::fuel_settings['ldap']['user_tree_dn']
+  $user_filter            = $::fuel_settings['ldap']['user_filter']
+  $user_objectclass       = $::fuel_settings['ldap']['user_objectclass']
+  $user_id_attribute      = $::fuel_settings['ldap']['user_id_attribute']
+  $user_name_attribute    = $::fuel_settings['ldap']['user_name_attribute']
+  $user_pass_attribute    = $::fuel_settings['ldap']['user_pass_attribute']
+  $user_enabled_attribute = $::fuel_settings['ldap']['user_enabled_attribute']
+
+  $user_allow_create      = false
+  $user_allow_update      = false
+  $user_allow_delete      = false
+
+  $domain                 = $::fuel_settings['ldap']['domain']
+
+  file { '/etc/keystone/domains':
+    ensure => 'directory',
+    owner  => 'keystone',
+    group  => 'keystone',
+    mode   => '755',
+  }
+
+  keystone_config {
+    "identity/domain_specific_drivers_enabled": value => 'True';
+  }
+
+  Keystone_config {
+    provider => 'ini_setting_domain',
+  }
+
+  keystone_config {
+    "${domain}/identity/driver":        value  => $identity_driver;
+    "${domain}/ldap/url":                    value => $url;
+    "${domain}/ldap/suffix":                 value => $suffix;
+    "${domain}/ldap/user":                   value => $user;
+    "${domain}/ldap/password":               value => $password;
+    "${domain}/ldap/query_scope":            value => $query_scope;
+    "${domain}/ldap/user_tree_dn":           value => $user_tree_dn;
+    "${domain}/ldap/user_filter":            value => $user_filter;
+    "${domain}/ldap/user_objectclass":       value => $user_objectclass;
+    "${domain}/ldap/user_id_attribute":      value => $user_id_attribute;
+    "${domain}/ldap/user_name_attribute":    value => $user_name_attribute;
+    "${domain}/ldap/user_pass_attribute":    value => $user_pass_attribute;
+    "${domain}/ldap/user_enabled_attribute": value => $user_enabled_attribute;
+    "${domain}/ldap/user_enabled_default":   value => $user_enabled_default;
+    "${domain}/ldap/user_enabled_mask":      value => $user_enabled_mask;
+    "${domain}/ldap/user_allow_create":      value => $user_allow_create;
+    "${domain}/ldap/user_allow_update":      value => $user_allow_update;
+    "${domain}/ldap/user_allow_delete":      value => $user_allow_delete;
+  } ~>
+  service { 'httpd':
+    name     => "$apache::params::service_name",
+    ensure   => running,
+  }
+
+  keystone_domain { "${domain}":
+    ensure  => present,
+    enabled => true,
+  }
+
+  file_line { 'OPENSTACK_KEYSTONE_URL':
+    path => '/etc/openstack-dashboard/local_settings.py',
+    line => "OPENSTACK_KEYSTONE_URL = \"http://${management_vip}:5000/v3/\"",
+    match => "^OPENSTACK_KEYSTONE_URL = .*$",
+  } ~> Service ['httpd']
+
+  file_line { 'OPENSTACK_API_VERSIONS':
+    path => '/etc/openstack-dashboard/local_settings.py',
+    line => "OPENSTACK_API_VERSIONS = { \"identity\": 3 }",
+    match => "^# OPENSTACK_API_VERSIONS = {.*$",
+  } ~> Service ['httpd']
+
+  file_line { 'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT':
+    path => '/etc/openstack-dashboard/local_settings.py',
+    line => "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
+    match => "^# OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = .*$",
+  } ~> Service ['httpd']
+}
--- a/environment_config.yaml
+++ b/environment_config.yaml
@ -0,0 +1,79 @@
+attributes:
+  domain:
+    value: ''
+    label: 'LDAP domain'
+    description: 'LDAP domain name'
+    weight: 20
+    type: "text"
+  url:
+    value: ''
+    label: 'LDAP URL'
+    description: 'URL for connecting to the LDAP server.'
+    weight: 25
+    type: "text"
+  suffix:
+    value: 'cn=example,cn=com'
+    label: 'LDAP Suffix'
+    description: 'LDAP server suffix.'
+    weight: 26
+    type: "text"
+  user:
+    value: 'cn=admin,dc=local'
+    label: 'LDAP User'
+    description: 'User BindDN to query the LDAP server.'
+    weight: 30
+    type: "text"
+  password:
+    value: ''
+    label: 'LDAP User Password'
+    description: 'Password for the BindDN to query the LDAP server.'
+    weight: 35
+    type: "password"
+  query_scope:
+    value: 'one'
+    label: 'LDAP Query Scope'
+    description: 'The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).'
+    weight: 40
+    type: "text"
+  user_tree_dn:
+    value: 'ou=Users,dc=example,dc=com'
+    label: 'Users Tree DN'
+    description: 'Search base for users.'
+    weight: 45
+    type: "text"
+  user_filter:
+    value: ''
+    label: 'User Filter'
+    description: 'LDAP search filter for users.'
+    weight: 46
+    type: "text"
+  user_objectclass:
+    value: 'inetOrgPerson'
+    label: 'User Object Class'
+    description: 'LDAP objectclass for users.'
+    weight: 50
+    type: "text"
+  user_id_attribute:
+    value: 'cn'
+    label: 'User ID Attribute'
+    description: 'LDAP attribute mapped to user id.'
+    weight: 55
+    type: "text"
+  user_name_attribute:
+    value: 'sn'
+    label: 'User Name Attribute'
+    description: 'LDAP attribute mapped to user name.'
+    weight: 60
+    type: "text"
+  user_pass_attribute:
+    value: 'userPassword'
+    label: 'User Password Attribute'
+    description: 'LDAP attribute mapped to password.'
+    weight: 65
+    type: "text"
+  user_enabled_attribute:
+    value: 'enabled'
+    label: 'User Enabled/Disabled Attribute'
+    description: 'LDAP attribute mapped to enabled/disabled.'
+    weight: 66
+    type: "text"
--- a/metadata.yaml
+++ b/metadata.yaml
@ -0,0 +1,16 @@
+name: ldap
+title: LDAP plugin for Keystone
+version: '1.0.0'
+description: Enable to use LDAP authentication backend for Keystone
+fuel_version: ['7.0']
+licenses: ['Apache License Version 2.0']
+authors: ['Mirantis']
+homepage: 'https://github.com/stackforge/fuel-plugin-ldap'
+groups: ['network']
+releases:
+  - os: ubuntu
+    version: 2015.1-7.0
+    mode: ['ha', 'multinode']
+    deployment_scripts_path: deployment_scripts/
+    repository_path: repositories/ubuntu
+package_version: '2.0.0'
--- a/repositories/centos/.gitkeep
+++ b/repositories/centos/.gitkeep
--- a/repositories/ubuntu/.gitkeep
+++ b/repositories/ubuntu/.gitkeep
--- a/tasks.yaml
+++ b/tasks.yaml
@ -0,0 +1,7 @@
+- role: [primary-controller, controller]
+  stage: post_deployment
+  type: puppet
+  parameters:
+    puppet_manifest: "puppet/manifests/controller_site.pp"
+    puppet_modules: "puppet/modules/:/etc/puppet/modules/"
+    timeout: 3600