Documentation for complex LDAP options
LDAP configurations can be quite complex. ldap-config-flags provides the mechanism to pass arbitrary configuration options to keystone to interact with LDAP. The original documentation only mentions a comma delimited string. However, the code can handle much more complicated real world requirements as long as they are in a string format it can consume. This change documents the specific string format for a complex real world example both in the README and in config.yaml.

Change-Id: If95eae2a8560d9feeaff66fbe52cab6b2593f5cf
Closes-bug: #1674841
parent f6ad47dd72
commit 1fc65c7b82
@ -30,14 +30,44 @@ you can change this using the domain-name option:
The keystone charm will automatically create a domain to support the backend
once deployed.

Additional LDAP configuration options can be passed as a comma delimited
string using the ldap-config-flags configuration option:
LDAP configurations can be quite complex. The ldap-config-flags configuration
option provides the mechanism to pass arbitrary configuration options to
keystone in order to handle any given LDAP backend's specific requirements.

For very simple LDAP configurations a string of comma delimited key=value pairs
can be used:

juju config keystone-ldap \
ldap-config-flags="user_id_attribute=cn,user_name_attribute=cn"

This allows the LDAP configuration of the backend to be tailored to an
individual LDAP configuration.
For more complex configurations such as working with Active Directory use
a configuration yaml file.

juju config keystone-ldap --file flags-config.yaml

Where flags-config.yaml has the contents similar to the following. The
ldap-config-flags value uses a json like string for the key value pairs:

keystone-ldap:
ldap-config-flags: "{
user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com',
user_filter: '(memberOf=CN=users-cn,OU=Groups,DC=dc1,DC=ad,DC=example,DC=com)',
query_scope: sub,
user_objectclass: person,
user_name_attribute: sAMAccountName,
user_id_attribute: sAMAccountName,
user_mail_attribute: mail,
user_enabled_attribute: userAccountControl,
user_enabled_mask: 2,
user_enabled_default: 512,
user_attribute_ignore: 'password,tenant_id,tenants',
user_allow_create: False,
user_allow_update: False,
user_allow_delete: False,
}"

Note: The double quotes and braces around the whole string. And single quotes
around the individual complex values.

# Bugs

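Review bot: the closing Note ("Note: The double quotes and braces around the whole string. And single quotes around the individual complex values.") is two sentence fragments and never says what makes a value "complex"; from the example the rule is that any value containing commas, colons or equals signs (the DNs, the memberOf filter, the 'password,tenant_id,tenants' list) must be single-quoted while bare tokens such as sub, person and 512 need no quotes, so state that rule outright, for instance "Values containing commas, colons or equals signs must be wrapped in single quotes; plain tokens need none." Three smaller points in the same hunk: "has the contents similar to the following" should read "has contents similar to the following"; the user_filter line is the part of the example that decides who can log in at all (only members of CN=users-cn), and deserves a sentence saying operators must replace that group DN rather than copy it; and the three user_allow_*: False flags appear to overlap with the charm's own ldap-readonly option (default True in config.yaml), so either drop them from the example or add a sentence on how the two settings interact.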
@ -22,7 +22,16 @@ options:
ldap-config-flags:
type: string
default:
description: comma sperated options for LDAP configuration.
description: |
Additional LDAP configuration options.
For simple configurations use a comma separated string of key=value pairs.
"user_allow_create=False, user_allow_update=False, user_allow_delete=False"
For more complex configurations use a json like string with double quotes
and braces around all the options and single quotes around complex values.
"{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com',
user_allow_create: False,
user_allow_delete: False}"
See the README for more details.
ldap-readonly:
type: boolean
default: True
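Review bot: the simple-format example in the new description, "user_allow_create=False, user_allow_update=False, user_allow_delete=False", has spaces after the commas, whereas the README example in this same change has none (user_id_attribute=cn,user_name_attribute=cn); either state that whitespace around the separators is ignored or use the same form in both places, since an operator who copies the wrong one and gets a parse failure has no way to tell which is at fault. Calling the second format "json like" also invites people to write real JSON (quoted keys, lower-case false), which the example does not use; say whether strict JSON is accepted or, if it is not, describe it as a brace-wrapped list of key: value pairs and keep False as shown. Replacing the misspelt "comma sperated options" line is welcome.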
@ -143,9 +143,13 @@ class KeystoneLDAPCharmDeployment(amulet_deployment.OpenStackAmuletDeployment):
domain_users = client.users.list(
domain=client.domains.find(name=domain).id
)
usernames = []
for user in domain_users:
usernames.append(user.name)
if username.lower() == user.name.lower():
return user
u.log.debug("The user {} was not in these users: {}. Returning None."
"".format(username, usernames))
return None

def test_100_keystone_ldap_users(self):
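Review bot: in the debug call the trailing empty literal in "... Returning None." "".format(username, usernames) does nothing, because adjacent string literals are joined before .format runs, so drop it or move the .format onto the first line where a reader expects it. The usernames list is built only to be logged on the miss path, which is fine for a test helper, but the comparison username.lower() == user.name.lower() silently accepts a directory that returns "John Doe" for a lookup of "john doe"; a one-line comment that the case-insensitive match is deliberate (the README's Active Directory example maps names to sAMAccountName, which AD compares case-insensitively) would stop someone tightening it later and breaking the test.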
@ -158,8 +162,8 @@ class KeystoneLDAPCharmDeployment(amulet_deployment.OpenStackAmuletDeployment):
# NOTE(jamespage): Test fixture should have johndoe and janedoe
# accounts
johndoe = self.find_keystone_v3_user(self.keystone,
'johndoe', 'keystone-ldap')
'john doe', 'userdomain')
assert johndoe is not None
janedoe = self.find_keystone_v3_user(self.keystone,
'janedoe', 'keystone-ldap')
'jane doe', 'userdomain')
assert janedoe is not None
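Review bot: the "# NOTE(jamespage): Test fixture should have johndoe and janedoe accounts" comment is now stale, since the lookups changed to 'john doe' and 'jane doe' in domain 'userdomain'; update it to the new names and domain so the next person who sees a failure knows what the fixture must contain. With spaces in the user names the test also now relies on find_keystone_v3_user's case-insensitive comparison, so the two hunks belong together, and the commit message, which only describes the documentation change, should mention that the test fixture and expected domain changed as well.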