Merge "Add a LDAP param group_members_are_ids"

manifests/ldap.pp

@@ -256,6 +256,10 @@
 #   LDAP attribute mapped to show group membership. (string value)
 #   Defaults to 'undef'
 #
+# [*group_members_are_ids*]
+#   LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
+#   Defaults to 'undef'
+#
 # [*group_desc_attribute*]
 #   LDAP attribute mapped to group description. (string value)
 #   Defaults to 'undef'
@@ -418,6 +422,7 @@ class keystone::ldap(
   $group_id_attribute                   = undef,
   $group_name_attribute                 = undef,
   $group_member_attribute               = undef,
+  $group_members_are_ids                = undef,
   $group_desc_attribute                 = undef,
   $group_attribute_ignore               = undef,
   $group_additional_attribute_mapping   = undef,
@@ -512,6 +517,7 @@ class keystone::ldap(
     'ldap/group_id_attribute':                   value => $group_id_attribute;
     'ldap/group_name_attribute':                 value => $group_name_attribute;
     'ldap/group_member_attribute':               value => $group_member_attribute;
+    'ldap/group_members_are_ids':                value => $group_members_are_ids;
     'ldap/group_desc_attribute':                 value => $group_desc_attribute;
     'ldap/group_attribute_ignore':               value => $group_attribute_ignore;
     'ldap/group_additional_attribute_mapping':   value => $group_additional_attribute_mapping;

manifests/ldap_backend.pp

@@ -271,6 +271,10 @@
 #   LDAP attribute mapped to show group membership. (string value)
 #   Defaults to 'undef'
 #
+# [*group_members_are_ids*]
+#   LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
+#   Defaults to 'undef'
+#
 # [*group_desc_attribute*]
 #   LDAP attribute mapped to group description. (string value)
 #   Defaults to 'undef'
@@ -451,6 +455,7 @@ define keystone::ldap_backend(
   $group_id_attribute                   = undef,
   $group_name_attribute                 = undef,
   $group_member_attribute               = undef,
+  $group_members_are_ids                = undef,
   $group_desc_attribute                 = undef,
   $group_attribute_ignore               = undef,
   $group_allow_create                   = undef,
@@ -575,6 +580,7 @@ and \"${domain_dir_enabled}\" for identity/domain_config_dir"
     "${domain}::ldap/group_id_attribute":                   value => $group_id_attribute;
     "${domain}::ldap/group_name_attribute":                 value => $group_name_attribute;
     "${domain}::ldap/group_member_attribute":               value => $group_member_attribute;
+    "${domain}::ldap/group_members_are_ids":                value => $group_members_are_ids;
     "${domain}::ldap/group_desc_attribute":                 value => $group_desc_attribute;
     "${domain}::ldap/group_attribute_ignore":               value => $group_attribute_ignore;
     "${domain}::ldap/group_allow_create":                   value => $group_allow_create;

releasenotes/notes/add-group_members_are_ids-7decbef235d0afd8.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    In Keystone, we can set group_members_are_ids option. This parameter enables
+    the members of the group object class to be keystone user IDs
+    rather than LDAP DNs. This is the case when using posixGroup as the group
+    object class in Open Directory.

spec/classes/keystone_ldap_spec.rb

@@ -60,6 +60,7 @@ describe 'keystone::ldap' do
         :group_id_attribute                   => 'cn',
         :group_name_attribute                 => 'cn',
         :group_member_attribute               => 'roleOccupant',
+        :group_members_are_ids                => 'True',
         :group_desc_attribute                 => 'description',
         :group_attribute_ignore               => '',
         :group_additional_attribute_mapping   => '',
@@ -147,6 +148,7 @@ describe 'keystone::ldap' do
       is_expected.to contain_keystone_config('ldap/group_objectclass').with_value('organizationalRole')
       is_expected.to contain_keystone_config('ldap/group_id_attribute').with_value('cn')
       is_expected.to contain_keystone_config('ldap/group_member_attribute').with_value('roleOccupant')
+      is_expected.to contain_keystone_config('ldap/group_members_are_ids').with_value('True')
       is_expected.to contain_keystone_config('ldap/group_desc_attribute').with_value('description')
       is_expected.to contain_keystone_config('ldap/group_name_attribute').with_value('cn')
       is_expected.to contain_keystone_config('ldap/group_attribute_ignore').with_value('')

spec/defines/keystone_ldap_backend_spec.rb

@@ -77,6 +77,7 @@ describe 'keystone::ldap_backend' do
           :group_id_attribute                   => 'cn',
           :group_name_attribute                 => 'cn',
           :group_member_attribute               => 'roleOccupant',
+          :group_members_are_ids                => 'True',
           :group_desc_attribute                 => 'description',
           :group_attribute_ignore               => '',
           :group_allow_create                   => 'False',
@@ -171,6 +172,7 @@ describe 'keystone::ldap_backend' do
         is_expected.to contain_keystone_domain_config('Default::ldap/group_objectclass').with_value('organizationalRole')
         is_expected.to contain_keystone_domain_config('Default::ldap/group_id_attribute').with_value('cn')
         is_expected.to contain_keystone_domain_config('Default::ldap/group_member_attribute').with_value('roleOccupant')
+        is_expected.to contain_keystone_domain_config('Default::ldap/group_members_are_ids').with_value('True')
         is_expected.to contain_keystone_domain_config('Default::ldap/group_desc_attribute').with_value('description')
         is_expected.to contain_keystone_domain_config('Default::ldap/group_name_attribute').with_value('cn')
         is_expected.to contain_keystone_domain_config('Default::ldap/group_attribute_ignore').with_value('')