From fa219381358d91567eb82a9e9c3cdfce64946c15 Mon Sep 17 00:00:00 2001
From: Cyril Lopez
Date: Thu, 29 Nov 2018 11:20:18 +0100
Subject: [PATCH] Add a LDAP param group_members_are_ids

Enable this option if the members of the group object class are keystone user IDs rather than LDAP DNs. This is thecase when using posixGroup as the group object class in Open Directory.

Closes-Bug: #1805801
Change-Id: I46ec675fb959c5d1b8f9cbf300e480026e803a66
Signed-off-by: Cyril Lopez
---
 manifests/ldap.pp | 6 ++++++
 manifests/ldap_backend.pp | 6 ++++++
 .../notes/add-group_members_are_ids-7decbef235d0afd8.yaml | 7 +++++++
 spec/classes/keystone_ldap_spec.rb | 2 ++
 spec/defines/keystone_ldap_backend_spec.rb | 2 ++
 5 files changed, 23 insertions(+)
 create mode 100644 releasenotes/notes/add-group_members_are_ids-7decbef235d0afd8.yaml

diff --git a/manifests/ldap.pp b/manifests/ldap.pp
index 41fbe703e..60fa37689 100644
--- a/manifests/ldap.pp
+++ b/manifests/ldap.pp
@@ -256,6 +256,10 @@
 # LDAP attribute mapped to show group membership. (string value)
 # Defaults to 'undef'
 #
+# [*group_members_are_ids*]
+# LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
+# Defaults to 'undef'
+#
 # [*group_desc_attribute*]
 # LDAP attribute mapped to group description. (string value)
 # Defaults to 'undef'
@@ -418,6 +422,7 @@ class keystone::ldap(
 $group_id_attribute = undef,
 $group_name_attribute = undef,
 $group_member_attribute = undef,
+ $group_members_are_ids = undef,
 $group_desc_attribute = undef,
 $group_attribute_ignore = undef,
 $group_additional_attribute_mapping = undef,
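Review bot: The new parameter header entry in manifests/ldap.pp describes `group_members_are_ids` as an "LDAP attribute", but the value written to `ldap/group_members_are_ids` in the second hunk is a switch, not an attribute name, and the commit message already has the accurate wording. Suggest replacing the second line of the entry with `#   Enable this option if the members of the group object class are keystone user IDs rather than LDAP DNs (e.g. posixGroup in Open Directory). (boolean value)`, and applying the same change to the matching entry in manifests/ldap_backend.pp. The spec hunks pass the string `'True'` like the neighbouring `group_allow_create`, and the value appears to be handed to keystone_config unchanged, so the entry should also say whether a Boolean or the strings 'True'/'False' are the expected input, since a misspelled value would be written to keystone.conf rather than rejected here.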
@@ -512,6 +517,7 @@ class keystone::ldap(
 'ldap/group_id_attribute': value => $group_id_attribute;
 'ldap/group_name_attribute': value => $group_name_attribute;
 'ldap/group_member_attribute': value => $group_member_attribute;
+ 'ldap/group_members_are_ids': value => $group_members_are_ids;
 'ldap/group_desc_attribute': value => $group_desc_attribute;
 'ldap/group_attribute_ignore': value => $group_attribute_ignore;
 'ldap/group_additional_attribute_mapping': value => $group_additional_attribute_mapping;
diff --git a/manifests/ldap_backend.pp b/manifests/ldap_backend.pp
index 5910a6b7f..5ee5d2d00 100644
--- a/manifests/ldap_backend.pp
+++ b/manifests/ldap_backend.pp
@@ -271,6 +271,10 @@
 # LDAP attribute mapped to show group membership. (string value)
 # Defaults to 'undef'
 #
+# [*group_members_are_ids*]
+# LDAP attribute when members of the group object class are keystone user IDs. (boolean value)
+# Defaults to 'undef'
+#
 # [*group_desc_attribute*]
 # LDAP attribute mapped to group description. (string value)
 # Defaults to 'undef'
@@ -451,6 +455,7 @@ define keystone::ldap_backend(
 $group_id_attribute = undef,
 $group_name_attribute = undef,
 $group_member_attribute = undef,
+ $group_members_are_ids = undef,
 $group_desc_attribute = undef,
 $group_attribute_ignore = undef,
 $group_allow_create = undef,
@@ -575,6 +580,7 @@ and \"${domain_dir_enabled}\" for identity/domain_config_dir"
 "${domain}::ldap/group_id_attribute": value => $group_id_attribute;
 "${domain}::ldap/group_name_attribute": value => $group_name_attribute;
 "${domain}::ldap/group_member_attribute": value => $group_member_attribute;
+ "${domain}::ldap/group_members_are_ids": value => $group_members_are_ids;
 "${domain}::ldap/group_desc_attribute": value => $group_desc_attribute;
 "${domain}::ldap/group_attribute_ignore": value => $group_attribute_ignore;
 "${domain}::ldap/group_allow_create": value => $group_allow_create;
diff --git a/releasenotes/notes/add-group_members_are_ids-7decbef235d0afd8.yaml b/releasenotes/notes/add-group_members_are_ids-7decbef235d0afd8.yaml
new file mode 100644
index 000000000..e800f3379
--- /dev/null
+++ b/releasenotes/notes/add-group_members_are_ids-7decbef235d0afd8.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ In Keystone, we can set group_members_are_ids option. This parameter enables
+ the members of the group object class to be keystone user IDs
+ rather than LDAP DNs. This is the case when using posixGroup as the group
+ object class in Open Directory.
diff --git a/spec/classes/keystone_ldap_spec.rb b/spec/classes/keystone_ldap_spec.rb
index 2869e775e..6bdc9cf63 100644
--- a/spec/classes/keystone_ldap_spec.rb
+++ b/spec/classes/keystone_ldap_spec.rb
@@ -60,6 +60,7 @@ describe 'keystone::ldap' do
 :group_id_attribute => 'cn',
 :group_name_attribute => 'cn',
 :group_member_attribute => 'roleOccupant',
+ :group_members_are_ids => 'True',
 :group_desc_attribute => 'description',
 :group_attribute_ignore => '',
 :group_additional_attribute_mapping => '',
@@ -147,6 +148,7 @@ describe 'keystone::ldap' do
 is_expected.to contain_keystone_config('ldap/group_objectclass').with_value('organizationalRole')
 is_expected.to contain_keystone_config('ldap/group_id_attribute').with_value('cn')
 is_expected.to contain_keystone_config('ldap/group_member_attribute').with_value('roleOccupant')
+ is_expected.to contain_keystone_config('ldap/group_members_are_ids').with_value('True')
 is_expected.to contain_keystone_config('ldap/group_desc_attribute').with_value('description')
 is_expected.to contain_keystone_config('ldap/group_name_attribute').with_value('cn')
 is_expected.to contain_keystone_config('ldap/group_attribute_ignore').with_value('')
diff --git a/spec/defines/keystone_ldap_backend_spec.rb b/spec/defines/keystone_ldap_backend_spec.rb
index 18f5ef607..e88ab4424 100644
--- a/spec/defines/keystone_ldap_backend_spec.rb
+++ b/spec/defines/keystone_ldap_backend_spec.rb
@@ -77,6 +77,7 @@ describe 'keystone::ldap_backend' do
 :group_id_attribute => 'cn',
 :group_name_attribute => 'cn',
 :group_member_attribute => 'roleOccupant',
+ :group_members_are_ids => 'True',
 :group_desc_attribute => 'description',
 :group_attribute_ignore => '',
 :group_allow_create => 'False',
@@ -171,6 +172,7 @@ describe 'keystone::ldap_backend' do
 is_expected.to contain_keystone_domain_config('Default::ldap/group_objectclass').with_value('organizationalRole')
 is_expected.to contain_keystone_domain_config('Default::ldap/group_id_attribute').with_value('cn')
 is_expected.to contain_keystone_domain_config('Default::ldap/group_member_attribute').with_value('roleOccupant')
+ is_expected.to contain_keystone_domain_config('Default::ldap/group_members_are_ids').with_value('True')
 is_expected.to contain_keystone_domain_config('Default::ldap/group_desc_attribute').with_value('description')
 is_expected.to contain_keystone_domain_config('Default::ldap/group_name_attribute').with_value('cn')
 is_expected.to contain_keystone_domain_config('Default::ldap/group_attribute_ignore').with_value('')