Documentation for complex LDAP options

LDAP configurations can be quite complex. ldap-config-flags provides
the mechanism to pass arbitrary configuration options to keystone to
interact with LDAP.

The original documentation only mentions a comma delimited string.
However, the code can handle much more complicated real world
requirements as long as they are in a string format it can consume.

This change documents the specific string format for a complex real
world example both in the README and in config.yaml.

Change-Id: If95eae2a8560d9feeaff66fbe52cab6b2593f5cf
Closes-bug: #1674841
David Ames 2017-03-23 15:58:09 -07:00
parent f6ad47dd72
commit 1fc65c7b82
3 changed files with 50 additions and 7 deletions


@ -30,14 +30,44 @@ you can change this using the domain-name option:
The keystone charm will automatically create a domain to support the backend
once deployed.
Additional LDAP configuration options can be passed as a comma delimited
string using the ldap-config-flags configuration option:
LDAP configurations can be quite complex. The ldap-config-flags configuration
option provides the mechanism to pass arbitrary configuration options to
keystone in order to handle any given LDAP backend's specific requirements.
For very simple LDAP configurations a string of comma delimited key=value pairs
can be used:
juju config keystone-ldap \
ldap-config-flags="user_id_attribute=cn,user_name_attribute=cn"
This allows the LDAP configuration of the backend to be tailored to an
individual LDAP configuration.
For more complex configurations such as working with Active Directory use
a configuration yaml file.
juju config keystone-ldap --file flags-config.yaml
Where flags-config.yaml has the contents similar to the following. The
ldap-config-flags value uses a json like string for the key value pairs:
keystone-ldap:
ldap-config-flags: "{
user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com',
user_filter: '(memberOf=CN=users-cn,OU=Groups,DC=dc1,DC=ad,DC=example,DC=com)',
query_scope: sub,
user_objectclass: person,
user_name_attribute: sAMAccountName,
user_id_attribute: sAMAccountName,
user_mail_attribute: mail,
user_enabled_attribute: userAccountControl,
user_enabled_mask: 2,
user_enabled_default: 512,
user_attribute_ignore: 'password,tenant_id,tenants',
user_allow_create: False,
user_allow_update: False,
user_allow_delete: False,
}"
Note: The double quotes and braces around the whole string. And single quotes
around the individual complex values.
# Bugs
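Review bot: the format described as a "json like string" and shown in the flags-config.yaml example is not JSON at all (unquoted keys, Python-style `False`, and a trailing comma after `user_allow_delete: False,`), so the README should call it the charm's own flag syntax rather than JSON, or readers will run it through a JSON linter and get errors; it should also say explicitly that the single quotes are there so a value containing commas, such as `user_filter: '(memberOf=CN=users-cn,OU=Groups,DC=dc1,DC=ad,DC=example,DC=com)'`, is not split into separate pairs. The example also sets `user_allow_create`, `user_allow_update` and `user_allow_delete` to False while the charm already ships an `ldap-readonly` option (default True in config.yaml); one sentence on how the two interact, and which wins if they disagree, would stop operators from setting both without knowing why. Finally, "Note: The double quotes and braces around the whole string. And single quotes around the individual complex values." is a fragment; suggest "Note the double quotes and braces around the whole string, and the single quotes around the individual complex values."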


@ -22,7 +22,16 @@ options:
ldap-config-flags:
type: string
default:
description: comma sperated options for LDAP configuration.
description: |
Additional LDAP configuration options.
For simple configurations use a comma separated string of key=value pairs.
"user_allow_create=False, user_allow_update=False, user_allow_delete=False"
For more complex configurations use a json like string with double quotes
and braces around all the options and single quotes around complex values.
"{user_tree_dn: 'DC=dc1,DC=ad,DC=example,DC=com',
user_allow_create: False,
user_allow_delete: False}"
See the README for more details.
ldap-readonly:
type: boolean
default: True
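Review bot: the simple-form example `"user_allow_create=False, user_allow_update=False, user_allow_delete=False"` puts a space after each comma, while the README example `ldap-config-flags="user_id_attribute=cn,user_name_attribute=cn"` does not; either confirm in the description that the parser strips whitespace around pairs, or make the two examples consistent, because an operator who copies this one could otherwise end up with keys that begin with a space. The "json like string" wording has the same problem as in the README: the value uses unquoted keys and `False`, so describe it as the charm's flag syntax rather than JSON.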


@ -143,9 +143,13 @@ class KeystoneLDAPCharmDeployment(amulet_deployment.OpenStackAmuletDeployment):
domain_users = client.users.list(
domain=client.domains.find(name=domain).id
)
usernames = []
for user in domain_users:
usernames.append(user.name)
if username.lower() == user.name.lower():
return user
u.log.debug("The user {} was not in these users: {}. Returning None."
"".format(username, usernames))
return None
def test_100_keystone_ldap_users(self):
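Review bot: the switch to `if username.lower() == user.name.lower():` quietly changes what the test proves, since a fixture user named `JohnDoe` would now satisfy a lookup for `johndoe`; add a short comment stating why case-insensitive matching is correct for this backend so that a later reader does not revert it to an exact comparison. The debug line on a miss is useful, but consider including the domain in it as well: `domain` is resolved via `client.domains.find(name=domain)`, and a wrong domain name is the most likely reason for `usernames` being empty, which the current message does not help diagnose.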
@ -158,8 +162,8 @@ class KeystoneLDAPCharmDeployment(amulet_deployment.OpenStackAmuletDeployment):
# NOTE(jamespage): Test fixture should have johndoe and janedoe
# accounts
johndoe = self.find_keystone_v3_user(self.keystone,
'johndoe', 'keystone-ldap')
'john doe', 'userdomain')
assert johndoe is not None
janedoe = self.find_keystone_v3_user(self.keystone,
'janedoe', 'keystone-ldap')
'jane doe', 'userdomain')
assert janedoe is not None
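Review bot: the `# NOTE(jamespage): Test fixture should have johndoe and janedoe accounts` comment is now stale, because the lookups were changed to `'john doe'` and `'jane doe'`; update it to the names with spaces, or it will mislead whoever next edits the fixture. The domain was also changed from `'keystone-ldap'` to the literal `'userdomain'` in two separate calls; pull it into one constant (or derive it from the charm's domain-name option, which the README says controls the created domain) so the two assertions cannot drift apart.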