From cb7fdb3527eda513554a521e8b594d36c168be3b Mon Sep 17 00:00:00 2001
From: Samuel Walladge
Date: Wed, 22 Jun 2022 14:19:20 +0930
Subject: [PATCH] Support ldap anonymous binding

We can support this simply by allowing ldap-user and ldap-password configuration options to be optional.

Closes-Bug: #1762587
Co-authored-by: Vern Hart
Change-Id: I2668d90a58aac9d103240dc67061612358a67150
---
 src/README.md | 6 ++++--
 src/config.yaml | 7 +++++--
 src/lib/charm/openstack/keystone_ldap.py | 2 --
 src/templates/keystone.conf | 2 ++
 unit_tests/test_lib_charm_openstack_keystone_ldap.py | 2 --
 5 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/README.md b/src/README.md
index efa9391..732a6fe 100644
--- a/src/README.md
+++ b/src/README.md
@@ -73,7 +73,8 @@ A file-based configuration can be added post-deploy in this way:
 #### `ldap-password`
 
 The `ldap-password` option supplies the password associated with the LDAP user
-(given by option `ldap-user`).
+(given by option `ldap-user`). For anonymous binding, leave ldap-password and
+ldap-user blank.
 
 #### `ldap-server`
 
@@ -117,7 +118,8 @@ The `ldap-suffix` option states the LDAP server suffix to be used by Keystone.
 #### `ldap-user`
 
 The `ldap-user` option states the username (Distinguished Name) used to bind to
-the LDAP server (given by option `ldap-server`).
+the LDAP server (given by option `ldap-server`). For anonymous binding, leave
+ldap-user and ldap-password blank.
 
 # Deployment
 
diff --git a/src/config.yaml b/src/config.yaml
index 0712b5c..3719037 100644
--- a/src/config.yaml
+++ b/src/config.yaml
@@ -26,12 +26,15 @@ options:
     default:
     description: |
       Username (Distinguished Name) used to bind to LDAP identity server.
-      .
+      For anonymous binding, leave ldap-user and ldap-password empty.
+      Example: cn=admin,dc=test,dc=com
   ldap-password:
     type: string
     default:
-    description: Password of the LDAP identity server.
+    description: |
+      Password of the LDAP identity server.
+      For anonymous binding, leave ldap-user and ldap-password empty.
   ldap-suffix:
     type: string
     default:
diff --git a/src/lib/charm/openstack/keystone_ldap.py b/src/lib/charm/openstack/keystone_ldap.py
index f161efb..b5ab5a6 100644
--- a/src/lib/charm/openstack/keystone_ldap.py
+++ b/src/lib/charm/openstack/keystone_ldap.py
@@ -133,8 +133,6 @@ class KeystoneLDAPCharm(charms_openstack.charm.OpenStackCharm):
         """
         required_config = {
             'ldap_server': hookenv.config('ldap-server'),
-            'ldap_user': hookenv.config('ldap-user'),
-            'ldap_password': hookenv.config('ldap-password'),
             'ldap_suffix': hookenv.config('ldap-suffix'),
         }
diff --git a/src/templates/keystone.conf b/src/templates/keystone.conf
index 8f70bda..56896d7 100644
--- a/src/templates/keystone.conf
+++ b/src/templates/keystone.conf
@@ -1,7 +1,9 @@
 [ldap]
 url = {{ options.ldap_server }}
+{% if options.ldap_user and options.ldap_password -%}
 user = {{ options.ldap_user }}
 password = {{ options.ldap_password }}
+{% endif -%}
 suffix = {{ options.ldap_suffix }}
 user_allow_create = {{ not options.ldap_readonly }}
diff --git a/unit_tests/test_lib_charm_openstack_keystone_ldap.py b/unit_tests/test_lib_charm_openstack_keystone_ldap.py
index 31280cd..bca560b 100644
--- a/unit_tests/test_lib_charm_openstack_keystone_ldap.py
+++ b/unit_tests/test_lib_charm_openstack_keystone_ldap.py
@@ -32,8 +32,6 @@ class TestKeystoneLDAPCharm(Helper):
     def test_required_configuration(self, config):
         reply = {
             'ldap-server': 'myserver',
-            'ldap-user': 'myusername',
-            'ldap-password': 'mypassword',
             'ldap-suffix': 'suffix'
         }
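Review bot: The new descriptions for ldap-user and ldap-password explain the all-empty case but not what happens when only one of the pair is set, which is the misconfiguration an operator is most likely to make. Suggest adding to both descriptions a line such as `Both options must be set together; anonymous binding is used only when both are empty.` The wording should match what the charm actually does with a half-set pair, which the visible python hunk in this commit no longer rejects.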
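Review bot: Removing ldap_user and ldap_password from required_config means a half-set pair (user without password, or the reverse) is no longer reported as missing, and with the template guarding on both values such a deployment is rendered as an anonymous bind rather than the credentialed one that was configured. That is a silent downgrade of the bind identity, not an error, so it will surface later as unexpectedly empty directory lookups instead of at configuration time. Suggest validating the pair as a unit here: `if bool(hookenv.config('ldap-user')) != bool(hookenv.config('ldap-password')):` and routing that case through the same missing-config reporting this function already uses. The function continues outside the hunk, so I cannot see the reporting mechanism to quote the exact lines.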
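Review bot: When the new `{% if %}` is skipped the rendered keystone.conf simply lacks the user and password keys, so someone inspecting it cannot tell a deliberate anonymous bind from credentials that failed to arrive. Suggest an explicit marker in the rendered file, e.g. an `{% else -%}` branch emitting `# ldap-user/ldap-password unset: anonymous bind` before the `{% endif -%}`. Note also that guarding on `ldap_user and ldap_password` turns a user set without a password into an anonymous bind; unless the charm rejects that combination elsewhere, rendering whatever was set (guard on `or`) would let Keystone fail loudly on the incomplete credentials instead of quietly binding anonymously.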
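Review bot: The only test touched here, test_required_configuration, just drops ldap-user and ldap-password from the mocked config; nothing exercises the anonymous path the commit adds or the half-set case it now lets through. Suggest two further cases: a reply with neither key present, asserting the charm reports nothing missing, and one with only `'ldap-user': 'myusername'`, asserting whatever the charm is meant to do with an unpaired value. The test body continues outside the hunk, so the assertion shape is not visible here; a render test of keystone.conf with both values empty, checking that the `user =` and `password =` lines are absent, would pin the template change as well.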