LDAP intergation
This patch adds support for LDAP as an authentication backend. Change-Id: Ic6d04450dcdc68c41aa503370fcc347c894f0093
parent
6024c6d218
commit
49c835ec09
@ -7,14 +7,16 @@ RUN apt-get install -y --no-install-recommends \
|
|||
apache2 \
|
||||
libapache2-mod-wsgi \
|
||||
mysql-client \
|
||||
libldap2-dev \
|
||||
libsasl2-dev \
|
||||
&& echo > /etc/apache2/ports.conf \
|
||||
&& apt-get clean
|
||||
|
||||
{{ copy_sources("openstack/keystone", "/keystone") }}
|
||||
|
||||
RUN useradd --user-group keystone \
|
||||
&& /var/lib/microservices/venv/bin/pip install /keystone \
|
||||
&& mkdir -p /etc/keystone/fernet-keys /etc/keystone/credential-keys /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
|
||||
&& /var/lib/microservices/venv/bin/pip install ldappool /keystone \
|
||||
&& mkdir -p /etc/keystone/fernet-keys /etc/keystone/credential-keys /etc/keystone/domains /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
|
||||
&& cp -r /keystone/etc/* /etc/keystone/ \
|
||||
&& cp /var/lib/microservices/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
|
||||
&& cp /var/lib/microservices/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/public \
|
||||
|
|
|
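Review bot: The `ldappool` package on the new `pip install ldappool /keystone` line is installed without a version pin, and no constraints file is visible in this hunk, so the image content depends on whatever PyPI serves at build time; unless a constraints file is applied elsewhere in the build, pin it (`ldappool==<version>` or `-c upper-constraints.txt`) so rebuilds are reproducible and auditable. `libldap2-dev` and `libsasl2-dev` are build-time headers needed to compile python-ldap, yet they stay in the runtime image after `apt-get clean`; if the image layout allows it, install them only for the pip step and remove them afterwards, keeping just the runtime shared-library packages. The RUN command continues past the end of this hunk.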
@ -15,6 +15,22 @@ configs:
|
|||
|
||||
fernet_secret_name: keystone-fernet-keys
|
||||
|
||||
ldap:
|
||||
enabled: false
|
||||
url: ldap://changeme
|
||||
user: "dc=Manager,dc=example,dc=com"
|
||||
suffix: "dc=example,dc=com"
|
||||
|
||||
tls:
|
||||
enabled: false
|
||||
tls_req_cert: demand
|
||||
|
||||
user_tree_dn: "ou=Users,dc=example,dc=com"
|
||||
user_objectclass: inetOrgPerson
|
||||
|
||||
group_tree_dn: "ou=Groups,dc=example,dc=com"
|
||||
group_objectclass: groupOfNames
|
||||
|
||||
notifications:
|
||||
enable: false
|
||||
# format can be basic or cadf:
|
||||
|
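Review bot: The defaults combine a plain `ldap://` URL (`url: ldap://changeme`) with `tls.enabled: false`, so an operator who only replaces the placeholders ends up sending the bind DN and its password from `secret_configs` in cleartext. I would either default `tls.enabled` to `true` (the `tls_req_cert: demand` default already fails closed on an unverifiable certificate) or add a comment above `url:` such as `# Use ldaps:// or set tls.enabled: true; otherwise the bind password travels in cleartext.` The example bind DN `dc=Manager,dc=example,dc=com` also looks like it should be `cn=Manager,...`, since `dc` is the domain-component attribute; it is only a placeholder, but a realistic example avoids copy-paste mistakes.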
@ -33,6 +49,10 @@ secret_configs:
|
|||
credential_key: "2jjLrgOLvI-wj7g-8058SSCw0-ZnL4Ghg5cLuBirxL8="
|
||||
encrypt_tokens_in_memcached:
|
||||
secret_key: password
|
||||
ldap:
|
||||
password: changeme
|
||||
tls:
|
||||
cacert: null
|
||||
|
||||
openstack:
|
||||
user_password: password
|
||||
|
|
|
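Review bot: `cacert: null` under `secret_configs.ldap.tls` is rendered straight into the PEM file by the cacert template, so with the default left unset and `tls.enabled: true` the container gets a certificate file containing the literal text `None` (Jinja2's default rendering of a null) rather than a missing file, which is harder to diagnose. I would make the expected shape explicit in the values file: `cacert: ""` with a comment `# PEM CA bundle used to verify the LDAP server; set as a literal block scalar (cacert: |) when tls.enabled is true.` The CA certificate is not confidential, so it could also live under `configs` beside the other `tls` keys; only `password` needs to stay in `secret_configs`.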
@ -26,6 +26,9 @@ provider = fernet
|
|||
[assignment]
|
||||
driver = sql
|
||||
|
||||
[identity]
|
||||
domain_specific_drivers_enabled = true
|
||||
|
||||
{% if keystone.notifications.enable %}
|
||||
[oslo_messaging_notifications]
|
||||
driver = messagingv2
|
||||
|
|
|
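Review bot: `domain_specific_drivers_enabled = true` in `[identity]` is set unconditionally, whereas every other LDAP-related addition in this commit is gated on `keystone.ldap.enabled`; enabling domain-specific drivers with no domain config mounted is harmless but switches on a code path and a config-directory scan that deployments without LDAP do not need. I would wrap it: `{% if keystone.ldap.enabled %}` / `domain_specific_drivers_enabled = true` / `{% endif %}`. No `domain_config_dir` is set, so this relies on Keystone's default location matching the `/etc/keystone/domains` path the Dockerfile creates and the service file mounts into — worth a one-line comment so the two stay in sync. The surrounding template continues outside the hunk.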
@ -0,0 +1 @@
|
|||
{{ keystone.ldap.tls.cacert }}
|
|
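Review bot: This one-line template writes whatever `keystone.ldap.tls.cacert` holds to `/etc/keystone/ldap_tls_cacert.pem` with no check that it is non-empty, so a null or empty value produces an unusable certificate file that is only noticed when the LDAP backend fails its first connection under `tls_req_cert = demand`. A comment in the template would at least make the contract visible: `{# PEM CA bundle; must be non-empty whenever keystone.ldap.tls.enabled is true #}`. If the templating layer offers a way to abort rendering on a missing value, that would be preferable to silently emitting placeholder text into a trust anchor file.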
@ -0,0 +1,18 @@
|
|||
[identity]
|
||||
driver = ldap
|
||||
|
||||
[ldap]
|
||||
url = {{ keystone.ldap.url }}
|
||||
user = {{ keystone.ldap.user }}
|
||||
password = {{ keystone.ldap.password }}
|
||||
suffix = {{ keystone.ldap.suffix }}
|
||||
|
||||
use_tls = {{ keystone.ldap.tls.enabled }}
|
||||
tls_req_cert = {{ keystone.ldap.tls.tls_req_cert }}
|
||||
tls_cacertfile = /etc/keystone/ldap_tls_cacert.pem
|
||||
|
||||
user_tree_dn = {{ keystone.ldap.user_tree_dn }}
|
||||
user_objectclass = {{ keystone.ldap.user_objectclass }}
|
||||
|
||||
group_tree_dn = {{ keystone.ldap.group_tree_dn }}
|
||||
group_objectclass = {{ keystone.ldap.group_objectclass }}
|
|
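Review bot: `use_tls = {{ keystone.ldap.tls.enabled }}` together with the unconditional `tls_cacertfile = /etc/keystone/ldap_tls_cacert.pem` does not account for an `ldaps://` URL: in Keystone's LDAP driver `use_tls` means STARTTLS on a plain `ldap://` connection and is, as far as I recall, rejected in combination with `ldaps://`, while the CA file path applies to both transports and is checked for existence — and this commit only mounts that file when `tls.enabled` is true. I would emit the cacert line only when a certificate was actually supplied, `{% if keystone.ldap.tls.cacert %}tls_cacertfile = /etc/keystone/ldap_tls_cacert.pem{% endif %}`, and add a comment above `use_tls`: `# use_tls is STARTTLS for ldap:// URLs; leave it false when url is ldaps://`. The `[ldap]` section also inherits the defaults for `user_filter`/`group_filter`, which is fine, but worth stating in a comment so the next reader knows the narrowing was deliberate.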
@ -79,6 +79,12 @@ service:
|
|||
# {%- endif %}
|
||||
files:
|
||||
- keystone-conf
|
||||
# {% if keystone.ldap.enabled %}
|
||||
- keystone-ldap-conf
|
||||
# {% if keystone.ldap.tls.enabled %}
|
||||
- keystone-ldap-cacert
|
||||
# {% endif %}
|
||||
# {% endif %}
|
||||
- wsgi-keystone-conf
|
||||
- credential-key
|
||||
# {% if keystone.tls.enabled %}
|
||||
|
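Review bot: `keystone-ldap-cacert` is mounted only inside `# {% if keystone.ldap.tls.enabled %}`, but the CA bundle is equally needed when the operator chooses an `ldaps://` URL with `tls.enabled` left false (the correct setting for ldaps, since `use_tls` is STARTTLS); in that configuration the LDAP domain config still points at `/etc/keystone/ldap_tls_cacert.pem` and the file is absent. Keying the include on whether a certificate was supplied, `# {% if keystone.ldap.tls.cacert %}`, covers both transport modes. The `files:` list continues outside the hunk.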
@ -99,6 +105,11 @@ service:
|
|||
- name: keystone-create-admin-role
|
||||
type: single
|
||||
command: openstack role add {{ openstack.role_name }} --user {{ openstack.user_name }} --domain default
|
||||
# {% if keystone.ldap.enabled %}
|
||||
- name: keystone-create-ldap-domain
|
||||
type: single
|
||||
command: openstack domain create ldap
|
||||
# {% endif %}
|
||||
|
||||
# {% if keystone.tls.enabled %}
|
||||
- name: nginx-keystone
|
||||
|
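Review bot: The domain name in `openstack domain create ldap` is load-bearing: Keystone locates a domain's configuration by file name, `keystone.<domain name>.conf` under the domain config directory, so this name must match the `keystone.ldap.conf` path declared later in this commit, and nothing in the command documents that. A comment keeps the two from drifting: `# domain name must match /etc/keystone/domains/keystone.<name>.conf`. If this job can ever be re-run, `openstack domain create --or-show ldap` (supported by recent python-openstackclient, I believe) avoids failing on an already existing domain.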
@ -116,6 +127,12 @@ files:
|
|||
keystone-conf:
|
||||
path: /etc/keystone/keystone.conf
|
||||
content: keystone.conf.j2
|
||||
keystone-ldap-conf:
|
||||
path: /etc/keystone/domains/keystone.ldap.conf
|
||||
content: keystone.ldap.conf.j2
|
||||
keystone-ldap-cacert:
|
||||
path: /etc/keystone/ldap_tls_cacert.pem
|
||||
content: keystone.ldap.cacert.j2
|
||||
wsgi-keystone-conf:
|
||||
path: /etc/apache2/conf-enabled/wsgi-keystone.conf
|
||||
content: wsgi-keystone.conf.j2
|
||||
|
|
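Review bot: `keystone-ldap-conf` renders the LDAP bind password into `/etc/keystone/domains/keystone.ldap.conf`, yet the entry declares only `path` and `content`, so the file's mode and owner are whatever the deployment tooling defaults to; if the files schema supports ownership and permission keys (fuel-ccp's `perm:` and `user:`, I believe), set `perm: "0600"` and `user: keystone` on this entry. `keystone-ldap-cacert` carries no secret and can stay world-readable. The `files:` mapping continues outside the hunk.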