keystone ldap plugin initial commit
* Enable domain_specific_drivers in keystone * create keystone domain specified in plugin settings * change identity driver to ldap for this domain * use keystone v3 api in horizon Change-Id: I0f1179c62d0f36dad92c4872f8e85c4a60af418b
This commit is contained in:
parent
6812d55184
commit
80845952bb
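--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: puppet site manifest>
@@ -0,0 +1,2 @@
+$fuel_settings = parseyaml($astute_settings_yaml)
+class {'plugin_ldap::controller': }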
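--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: keystone_config ini_setting_domain provider>
@@ -0,0 +1,43 @@
+Puppet::Type.type(:keystone_config).provide(
+:ini_setting_domain,
+:parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+def elements
+return @elements if @elements
+elements = resource[:name].split('/', 3)
+elements.unshift nil unless elements.length >= 3
+elements[0] = nil if elements[0] =~ /default/i
+@elements = {
+:domain => elements[0],
+:section => elements[1],
+:setting => elements[2..-1].join,
+}
+end
+
+def section
+elements[:section]
+end
+
+def setting
+elements[:setting]
+end
+
+def domain
+elements[:domain]
+end
+
+def separator
+'='
+end
+
+# added for backwards compatibility with older versions of inifile
+def file_path
+if elements[:domain]
+"/etc/keystone/domains/keystone.#{@elements[:domain]}.conf"
+else
+'/etc/keystone/keystone.conf'
+end
+end
+
+end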
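Review bot: The domain test `elements[0] = nil if elements[0] =~ /default/i` in `elements` is unanchored, so any domain name that merely contains "default" (for example `mydefault`) is treated as the default domain and its `[ldap]` settings — including the bind password the controller manifest writes through `${domain}/ldap/password` — land in `/etc/keystone/keystone.conf` instead of the per-domain file; anchor it as `elements[0] = nil if elements[0] =~ /\Adefault\z/i`. `file_path` tests `elements[:domain]` but then interpolates `@elements[:domain]`; using the accessor in both places keeps the memoisation path uniform. Because the per-domain file this provider selects will carry the LDAP bind credential, a comment on `file_path` such as `# mode of the domain file is not managed here; the manifest must restrict it` would tell the next reader where the permission responsibility lies.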
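--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: plugin_ldap::controller manifest>
@@ -0,0 +1,96 @@
+class plugin_ldap::controller {
+
+include ::apache::params
+
+$management_vip = hiera('management_vip')
+
+## if AD is used, in order to properly display if account is enabled or disabled
+## additional parameters need to be set.
+if $::fuel_settings['ldap']['user_enabled_attribute'] == 'userAccountControl' {
+$user_enabled_default = 512
+$user_enabled_mask = 2
+}
+
+$identity_driver = 'keystone.identity.backends.ldap.Identity'
+$url = $::fuel_settings['ldap']['url']
+$suffix = $::fuel_settings['ldap']['suffix']
+$user = $::fuel_settings['ldap']['user']
+$password = $::fuel_settings['ldap']['password']
+$query_scope = $::fuel_settings['ldap']['query_scope']
+$user_tree_dn = $::fuel_settings['ldap']['user_tree_dn']
+$user_filter = $::fuel_settings['ldap']['user_filter']
+$user_objectclass = $::fuel_settings['ldap']['user_objectclass']
+$user_id_attribute = $::fuel_settings['ldap']['user_id_attribute']
+$user_name_attribute = $::fuel_settings['ldap']['user_name_attribute']
+$user_pass_attribute = $::fuel_settings['ldap']['user_pass_attribute']
+$user_enabled_attribute = $::fuel_settings['ldap']['user_enabled_attribute']
+
+$user_allow_create = false
+$user_allow_update = false
+$user_allow_delete = false
+
+$domain = $::fuel_settings['ldap']['domain']
+
+file { '/etc/keystone/domains':
+ensure => 'directory',
+owner => 'keystone',
+group => 'keystone',
+mode => '755',
+}
+
+keystone_config {
+"identity/domain_specific_drivers_enabled": value => 'True';
+}
+
+Keystone_config {
+provider => 'ini_setting_domain',
+}
+
+keystone_config {
+"${domain}/identity/driver": value => $identity_driver;
+"${domain}/ldap/url": value => $url;
+"${domain}/ldap/suffix": value => $suffix;
+"${domain}/ldap/user": value => $user;
+"${domain}/ldap/password": value => $password;
+"${domain}/ldap/query_scope": value => $query_scope;
+"${domain}/ldap/user_tree_dn": value => $user_tree_dn;
+"${domain}/ldap/user_filter": value => $user_filter;
+"${domain}/ldap/user_objectclass": value => $user_objectclass;
+"${domain}/ldap/user_id_attribute": value => $user_id_attribute;
+"${domain}/ldap/user_name_attribute": value => $user_name_attribute;
+"${domain}/ldap/user_pass_attribute": value => $user_pass_attribute;
+"${domain}/ldap/user_enabled_attribute": value => $user_enabled_attribute;
+"${domain}/ldap/user_enabled_default": value => $user_enabled_default;
+"${domain}/ldap/user_enabled_mask": value => $user_enabled_mask;
+"${domain}/ldap/user_allow_create": value => $user_allow_create;
+"${domain}/ldap/user_allow_update": value => $user_allow_update;
+"${domain}/ldap/user_allow_delete": value => $user_allow_delete;
+} ~>
+service { 'httpd':
+name => "$apache::params::service_name",
+ensure => running,
+}
+
+keystone_domain { "${domain}":
+ensure => present,
+enabled => true,
+}
+
+file_line { 'OPENSTACK_KEYSTONE_URL':
+path => '/etc/openstack-dashboard/local_settings.py',
+line => "OPENSTACK_KEYSTONE_URL = \"http://${management_vip}:5000/v3/\"",
+match => "^OPENSTACK_KEYSTONE_URL = .*$",
+} ~> Service ['httpd']
+
+file_line { 'OPENSTACK_API_VERSIONS':
+path => '/etc/openstack-dashboard/local_settings.py',
+line => "OPENSTACK_API_VERSIONS = { \"identity\": 3 }",
+match => "^# OPENSTACK_API_VERSIONS = {.*$",
+} ~> Service ['httpd']
+
+file_line { 'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT':
+path => '/etc/openstack-dashboard/local_settings.py',
+line => "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
+match => "^# OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = .*$",
+} ~> Service ['httpd']
+}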
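Review bot: The `file { '/etc/keystone/domains': }` resource sets `mode => '755'`, and nothing manages the mode of the per-domain file that the `keystone_config` block below fills with `${domain}/ldap/password`; that file is created by the ini_setting provider, so its permissions fall to the provider's default and the bind credential may end up world-readable. Tighten the directory to `mode => '0750'` and add `file { "/etc/keystone/domains/keystone.${domain}.conf": ensure => file, owner => 'keystone', group => 'keystone', mode => '0640' }` that the domain `keystone_config` resources require. `$user_enabled_default` and `$user_enabled_mask` are only assigned inside the `userAccountControl` branch, so in the non-AD case they are undef when handed to `keystone_config`; how ini_setting treats an undef value is not visible here, so guarding those two resources or giving the variables defaults would make the intent explicit. The plugin also exposes no TLS-related `[ldap]` options, so unless the operator supplies an `ldaps://` URL the bind password crosses the network in clear; `use_tls` and `tls_cacertfile` could be wired through alongside the existing settings.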
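--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: plugin environment_config>
@@ -0,0 +1,79 @@
+attributes:
+domain:
+value: ''
+label: 'LDAP domain'
+description: 'LDAP domain name'
+weight: 20
+type: "text"
+url:
+value: ''
+label: 'LDAP URL'
+description: 'URL for connecting to the LDAP server.'
+weight: 25
+type: "text"
+suffix:
+value: 'cn=example,cn=com'
+label: 'LDAP Suffix'
+description: 'LDAP server suffix.'
+weight: 26
+type: "text"
+user:
+value: 'cn=admin,dc=local'
+label: 'LDAP User'
+description: 'User BindDN to query the LDAP server.'
+weight: 30
+type: "text"
+password:
+value: ''
+label: 'LDAP User Password'
+description: 'Password for the BindDN to query the LDAP server.'
+weight: 35
+type: "password"
+query_scope:
+value: 'one'
+label: 'LDAP Query Scope'
+description: 'The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).'
+weight: 40
+type: "text"
+user_tree_dn:
+value: 'ou=Users,dc=example,dc=com'
+label: 'Users Tree DN'
+description: 'Search base for users.'
+weight: 45
+type: "text"
+user_filter:
+value: ''
+label: 'User Filter'
+description: 'LDAP search filter for users.'
+weight: 46
+type: "text"
+user_objectclass:
+value: 'inetOrgPerson'
+label: 'User Object Class'
+description: 'LDAP objectclass for users.'
+weight: 50
+type: "text"
+user_id_attribute:
+value: 'cn'
+label: 'User ID Attribute'
+description: 'LDAP attribute mapped to user id.'
+weight: 55
+type: "text"
+user_name_attribute:
+value: 'sn'
+label: 'User Name Attribute'
+description: 'LDAP attribute mapped to user name.'
+weight: 60
+type: "text"
+user_pass_attribute:
+value: 'userPassword'
+label: 'User Password Attribute'
+description: 'LDAP attribute mapped to password.'
+weight: 65
+type: "text"
+user_enabled_attribute:
+value: 'enabled'
+label: 'User Enabled/Disabled Attribute'
+description: 'LDAP attribute mapped to enabled/disabled.'
+weight: 66
+type: "text"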
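Review bot: The `url` attribute accepts any free text and its description does not say that an `ldaps://` URL (or TLS on the connection) is what protects the credential entered in the `password` field; extend the description to `'URL for connecting to the LDAP server; use ldaps:// so the bind password is not sent in clear.'` and, if the Fuel attribute schema's `regex` validation is available here, restrict the value to `^ldaps?://`. The example DNs are inconsistent — `suffix` defaults to `cn=example,cn=com`, `user` to `cn=admin,dc=local` and `user_tree_dn` to `ou=Users,dc=example,dc=com` — which invites a mismatched base on deployment; `dc=example,dc=com` throughout would be clearer. `query_scope` is documented as accepting only `one` or `sub` yet is a plain text field, so a choice-type attribute limited to those two values would reject typos before they reach keystone.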
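--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: plugin metadata>
@@ -0,0 +1,16 @@
+name: ldap
+title: LDAP plugin for Keystone
+version: '1.0.0'
+description: Enable to use LDAP authentication backend for Keystone
+fuel_version: ['7.0']
+licenses: ['Apache License Version 2.0']
+authors: ['Mirantis']
+homepage: 'https://github.com/stackforge/fuel-plugin-ldap'
+groups: ['network']
+releases:
+- os: ubuntu
+version: 2015.1-7.0
+mode: ['ha', 'multinode']
+deployment_scripts_path: deployment_scripts/
+repository_path: repositories/ubuntu
+package_version: '2.0.0'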
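--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE: plugin tasks>
@@ -0,0 +1,7 @@
+- role: [primary-controller, controller]
+stage: post_deployment
+type: puppet
+parameters:
+puppet_manifest: "puppet/manifests/controller_site.pp"
+puppet_modules: "puppet/modules/:/etc/puppet/modules/"
+timeout: 3600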