Add a LDAP param group_members_are_ids

Enable this option if the members of the group
object class are keystone user IDs rather than LDAP DNs.
This is the case when using posixGroup as the group object
class in Open Directory.

Closes-Bug: #1805801

Change-Id: I46ec675fb959c5d1b8f9cbf300e480026e803a66
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
Cyril Lopez 2018-11-29 11:20:18 +01:00 committed by Emilien Macchi
parent 7ecf923c0c
commit fa21938135
5 changed files with 23 additions and 0 deletions


@ -256,6 +256,10 @@
# LDAP attribute mapped to show group membership. (string value)
# Defaults to 'undef'
#
# [*group_members_are_ids*]
# LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
# Defaults to 'undef'
#
# [*group_desc_attribute*]
# LDAP attribute mapped to group description. (string value)
# Defaults to 'undef'
@ -418,6 +422,7 @@ class keystone::ldap(
$group_id_attribute = undef,
$group_name_attribute = undef,
$group_member_attribute = undef,
$group_members_are_ids = undef,
$group_desc_attribute = undef,
$group_attribute_ignore = undef,
$group_additional_attribute_mapping = undef,
@ -512,6 +517,7 @@ class keystone::ldap(
'ldap/group_id_attribute': value => $group_id_attribute;
'ldap/group_name_attribute': value => $group_name_attribute;
'ldap/group_member_attribute': value => $group_member_attribute;
'ldap/group_members_are_ids': value => $group_members_are_ids;
'ldap/group_desc_attribute': value => $group_desc_attribute;
'ldap/group_attribute_ignore': value => $group_attribute_ignore;
'ldap/group_additional_attribute_mapping': value => $group_additional_attribute_mapping;
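Review bot: The parameter documentation in the first hunk describes `group_members_are_ids` as an "LDAP attribute", but the value is a boolean switch rather than an attribute name, so the opening words contradict the `(boolean value)` suffix; the keystone::ldap_backend section below repeats the same wording. A comment that states the contract would be `# If true, the members of the group object class are keystone user IDs rather than LDAP DNs (e.g. posixGroup in Open Directory). (boolean value)`. The parameter default and the `ldap/group_members_are_ids` config entry follow the pattern of the neighbouring group_* parameters. The enclosing class keystone::ldap starts and ends outside these hunks.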


@ -271,6 +271,10 @@
# LDAP attribute mapped to show group membership. (string value)
# Defaults to 'undef'
#
# [*group_members_are_ids*]
# LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
# Defaults to 'undef'
#
# [*group_desc_attribute*]
# LDAP attribute mapped to group description. (string value)
# Defaults to 'undef'
@ -451,6 +455,7 @@ define keystone::ldap_backend(
$group_id_attribute = undef,
$group_name_attribute = undef,
$group_member_attribute = undef,
$group_members_are_ids = undef,
$group_desc_attribute = undef,
$group_attribute_ignore = undef,
$group_allow_create = undef,
@ -575,6 +580,7 @@ and \"${domain_dir_enabled}\" for identity/domain_config_dir"
"${domain}::ldap/group_id_attribute": value => $group_id_attribute;
"${domain}::ldap/group_name_attribute": value => $group_name_attribute;
"${domain}::ldap/group_member_attribute": value => $group_member_attribute;
"${domain}::ldap/group_members_are_ids": value => $group_members_are_ids;
"${domain}::ldap/group_desc_attribute": value => $group_desc_attribute;
"${domain}::ldap/group_attribute_ignore": value => $group_attribute_ignore;
"${domain}::ldap/group_allow_create": value => $group_allow_create;


@ -0,0 +1,7 @@
---
features:
- |
In Keystone, we can set group_members_are_ids option. This parameter enables
the members of the group object class to be keystone user IDs
rather than LDAP DNs. This is the case when using posixGroup as the group
object class in Open Directory.


@ -60,6 +60,7 @@ describe 'keystone::ldap' do
:group_id_attribute => 'cn',
:group_name_attribute => 'cn',
:group_member_attribute => 'roleOccupant',
:group_members_are_ids => 'True',
:group_desc_attribute => 'description',
:group_attribute_ignore => '',
:group_additional_attribute_mapping => '',
@ -147,6 +148,7 @@ describe 'keystone::ldap' do
is_expected.to contain_keystone_config('ldap/group_objectclass').with_value('organizationalRole')
is_expected.to contain_keystone_config('ldap/group_id_attribute').with_value('cn')
is_expected.to contain_keystone_config('ldap/group_member_attribute').with_value('roleOccupant')
is_expected.to contain_keystone_config('ldap/group_members_are_ids').with_value('True')
is_expected.to contain_keystone_config('ldap/group_desc_attribute').with_value('description')
is_expected.to contain_keystone_config('ldap/group_name_attribute').with_value('cn')
is_expected.to contain_keystone_config('ldap/group_attribute_ignore').with_value('')
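Review bot: The spec feeds `group_members_are_ids` the string `'True'` and asserts that same string back, so the boolean type advertised in the manifest's parameter docs is never exercised; the keystone::ldap_backend spec below does the same. Since the option is documented as a boolean, a second example passing a bare `true` would pin how the value is rendered into the config file, which presumably matters for what keystone reads. Whether keystone_config stringifies a Puppet boolean to `True` cannot be confirmed from these hunks. The enclosing `describe` block starts and ends outside the hunk.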


@ -77,6 +77,7 @@ describe 'keystone::ldap_backend' do
:group_id_attribute => 'cn',
:group_name_attribute => 'cn',
:group_member_attribute => 'roleOccupant',
:group_members_are_ids => 'True',
:group_desc_attribute => 'description',
:group_attribute_ignore => '',
:group_allow_create => 'False',
@ -171,6 +172,7 @@ describe 'keystone::ldap_backend' do
is_expected.to contain_keystone_domain_config('Default::ldap/group_objectclass').with_value('organizationalRole')
is_expected.to contain_keystone_domain_config('Default::ldap/group_id_attribute').with_value('cn')
is_expected.to contain_keystone_domain_config('Default::ldap/group_member_attribute').with_value('roleOccupant')
is_expected.to contain_keystone_domain_config('Default::ldap/group_members_are_ids').with_value('True')
is_expected.to contain_keystone_domain_config('Default::ldap/group_desc_attribute').with_value('description')
is_expected.to contain_keystone_domain_config('Default::ldap/group_name_attribute').with_value('cn')
is_expected.to contain_keystone_domain_config('Default::ldap/group_attribute_ignore').with_value('')