LDAP intergation

This patch adds support for LDAP as an authentication backend.

Change-Id: Ic6d04450dcdc68c41aa503370fcc347c894f0093
Sergey Reshetnyak 2017-02-20 18:57:54 +03:00
parent 6024c6d218
commit 49c835ec09
6 changed files with 63 additions and 2 deletions


@ -7,14 +7,16 @@ RUN apt-get install -y --no-install-recommends \
apache2 \
libapache2-mod-wsgi \
mysql-client \
libldap2-dev \
libsasl2-dev \
&& echo > /etc/apache2/ports.conf \
&& apt-get clean
{{ copy_sources("openstack/keystone", "/keystone") }}
RUN useradd --user-group keystone \
&& /var/lib/microservices/venv/bin/pip install /keystone \
&& mkdir -p /etc/keystone/fernet-keys /etc/keystone/credential-keys /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
&& /var/lib/microservices/venv/bin/pip install ldappool /keystone \
&& mkdir -p /etc/keystone/fernet-keys /etc/keystone/credential-keys /etc/keystone/domains /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
&& cp -r /keystone/etc/* /etc/keystone/ \
&& cp /var/lib/microservices/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
&& cp /var/lib/microservices/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/public \
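Review bot: `ldappool` is added on the line `&& /var/lib/microservices/venv/bin/pip install ldappool /keystone` without a version pin, so every image build resolves whichever release is current and the result is neither reproducible nor auditable; pin it, e.g. `pip install 'ldappool==<version>' /keystone`, with the version taken from the constraints used for this keystone release. The new `libldap2-dev` and `libsasl2-dev` packages are only needed to compile python-ldap during the pip step, yet they stay in the runtime image; if the build layout allows it, install them for the build step only and keep just the runtime shared libraries in the final image. The RUN instruction continues past the end of the hunk.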


@ -15,6 +15,22 @@ configs:
fernet_secret_name: keystone-fernet-keys
ldap:
enabled: false
url: ldap://changeme
user: "dc=Manager,dc=example,dc=com"
suffix: "dc=example,dc=com"
tls:
enabled: false
tls_req_cert: demand
user_tree_dn: "ou=Users,dc=example,dc=com"
user_objectclass: inetOrgPerson
group_tree_dn: "ou=Groups,dc=example,dc=com"
group_objectclass: groupOfNames
notifications:
enable: false
# format can be basic or cadf:
@ -33,6 +49,10 @@ secret_configs:
credential_key: "2jjLrgOLvI-wj7g-8058SSCw0-ZnL4Ghg5cLuBirxL8="
encrypt_tokens_in_memcached:
secret_key: password
ldap:
password: changeme
tls:
cacert: null
openstack:
user_password: password
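Review bot: The new `ldap:` defaults describe a cleartext deployment — `url: ldap://changeme` together with `tls.enabled: false` — and nothing in the file says so, so an operator who only replaces `changeme` will send the service-account bind password over an unencrypted connection. Add a comment above `url:` such as `# use ldaps:// or set tls.enabled: true, otherwise the bind password is sent in clear text`, and above `tls_req_cert: demand` note that `demand` requires `ldap.tls.cacert` in secret_configs to be set, since it defaults to `null` there. The bind DN `user: "dc=Manager,dc=example,dc=com"` looks like it was meant to be `cn=Manager,dc=example,dc=com` (a `dc=` RDN for an account entry is unusual); I cannot confirm that from this page, so check it against the directory layout this was tested with.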


@ -26,6 +26,9 @@ provider = fernet
[assignment]
driver = sql
[identity]
domain_specific_drivers_enabled = true
{% if keystone.notifications.enable %}
[oslo_messaging_notifications]
driver = messagingv2
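Review bot: `domain_specific_drivers_enabled = true` is written unconditionally, while every other LDAP artifact in this change is wrapped in `{% if keystone.ldap.enabled %}`; with the flag off Keystone still scans the domain config directory at startup, so it would be more consistent to guard it: `{% if keystone.ldap.enabled %}` / `domain_specific_drivers_enabled = true` / `{% endif %}`. The directory Keystone scans is the `domain_config_dir` option, which is left at its default here while the service file writes the per-domain config to `/etc/keystone/domains`; a comment stating that the two must agree, `# domain configs are read from domain_config_dir (default /etc/keystone/domains)`, would save the next maintainer a search. The `[identity]` section may continue outside the hunk.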


@ -0,0 +1 @@
{{ keystone.ldap.tls.cacert }}
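Review bot: When `keystone.ldap.tls.cacert` is left at the `null` default shipped in secret_configs, this template renders the literal text `None` into `/etc/keystone/ldap_tls_cacert.pem`; with `tls_req_cert = demand` in the domain config the StartTLS handshake then fails against an unparseable CA bundle, a confusing failure far from its cause. The file is only materialized when `keystone.ldap.tls.enabled` is true, which is exactly the case where a real bundle is required, so either render nothing when the value is unset, `{% if keystone.ldap.tls.cacert %}{{ keystone.ldap.tls.cacert }}{% endif %}`, or — better — make rendering fail when TLS is enabled and `cacert` is null. A one-line comment at the top of the template, `{# CA bundle for LDAP StartTLS; required when keystone.ldap.tls.enabled is true #}`, would document the expectation.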


@ -0,0 +1,18 @@
[identity]
driver = ldap
[ldap]
url = {{ keystone.ldap.url }}
user = {{ keystone.ldap.user }}
password = {{ keystone.ldap.password }}
suffix = {{ keystone.ldap.suffix }}
use_tls = {{ keystone.ldap.tls.enabled }}
tls_req_cert = {{ keystone.ldap.tls.tls_req_cert }}
tls_cacertfile = /etc/keystone/ldap_tls_cacert.pem
user_tree_dn = {{ keystone.ldap.user_tree_dn }}
user_objectclass = {{ keystone.ldap.user_objectclass }}
group_tree_dn = {{ keystone.ldap.group_tree_dn }}
group_objectclass = {{ keystone.ldap.group_objectclass }}
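Review bot: This template has no header comment, and its file name is load-bearing: Keystone applies `keystone.<domain>.conf` only to the domain of that name, which here is the `ldap` domain created by the `openstack domain create ldap` job in the service file, so add a line at the top such as `# Domain-specific identity config for the "ldap" domain; the file name must stay keystone.<domain name>.conf`. `tls_cacertfile = /etc/keystone/ldap_tls_cacert.pem` is set unconditionally while the bundle is only written when `keystone.ldap.tls.enabled` is true; this is harmless when `use_tls` is false, but a comment on that line, `# only read when use_tls is true`, would prevent someone from "fixing" it. `password = {{ keystone.ldap.password }}` writes the bind credential in clear text into `/etc/keystone/domains/keystone.ldap.conf`, which is worth a comment so that the file's ownership and mode are treated as part of this change.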


@ -79,6 +79,12 @@ service:
# {%- endif %}
files:
- keystone-conf
# {% if keystone.ldap.enabled %}
- keystone-ldap-conf
# {% if keystone.ldap.tls.enabled %}
- keystone-ldap-cacert
# {% endif %}
# {% endif %}
- wsgi-keystone-conf
- credential-key
# {% if keystone.tls.enabled %}
@ -99,6 +105,11 @@ service:
- name: keystone-create-admin-role
type: single
command: openstack role add {{ openstack.role_name }} --user {{ openstack.user_name }} --domain default
# {% if keystone.ldap.enabled %}
- name: keystone-create-ldap-domain
type: single
command: openstack domain create ldap
# {% endif %}
# {% if keystone.tls.enabled %}
- name: nginx-keystone
@ -116,6 +127,12 @@ files:
keystone-conf:
path: /etc/keystone/keystone.conf
content: keystone.conf.j2
keystone-ldap-conf:
path: /etc/keystone/domains/keystone.ldap.conf
content: keystone.ldap.conf.j2
keystone-ldap-cacert:
path: /etc/keystone/ldap_tls_cacert.pem
content: keystone.ldap.cacert.j2
wsgi-keystone-conf:
path: /etc/apache2/conf-enabled/wsgi-keystone.conf
content: wsgi-keystone.conf.j2
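Review bot: `command: openstack domain create ldap` in the `keystone-create-ldap-domain` job (second hunk) is not idempotent — the neighbouring `keystone-create-admin-role` job uses `role add`, which succeeds when repeated, but `domain create` fails with a conflict once the domain exists, so if `type: single` jobs can ever be re-run (restart, upgrade) the job would error; `command: openstack domain show ldap || openstack domain create ldap` keeps it repeatable. The domain name `ldap` must also match the `keystone.ldap.conf` file name defined in the third hunk, so a comment on the job, `# domain name must match the keystone.<domain>.conf file name in files: below`, would document the coupling. The `keystone-ldap-conf` entry writes the LDAP bind password to `/etc/keystone/domains/keystone.ldap.conf` but sets only `path` and `content`; if this service framework supports file ownership or mode settings, restrict that file to the keystone user, and if it does not, say so in a comment so the gap is visible.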