Support ldap anonymous binding

We can support this simply by allowing ldap-user and ldap-password
configuration options to be optional.

Closes-Bug: #1762587

Co-authored-by: Vern Hart <vern.hart@canonical.com>

Change-Id: I2668d90a58aac9d103240dc67061612358a67150
Samuel Walladge
2022-06-22 14:19:20 +09:30
parent c712bf74ee
commit cb7fdb3527
5 changed files with 11 additions and 8 deletions

@@ -73,7 +73,8 @@ A file-based configuration can be added post-deploy in this way:
#### `ldap-password` #### `ldap-password`
The `ldap-password` option supplies the password associated with the LDAP user The `ldap-password` option supplies the password associated with the LDAP user
(given by option `ldap-user`). (given by option `ldap-user`). For anonymous binding, leave ldap-password and
ldap-user blank.
#### `ldap-server` #### `ldap-server`
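
Review bot: Style point on the two added lines of the `ldap-password` paragraph: the option names appear as bare ldap-password and ldap-user, while the surrounding README text puts option names in backticks. Suggest "For anonymous binding, leave `ldap-password` and `ldap-user` blank." so the names render the same way as in the sentence before it.
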
@@ -117,7 +118,8 @@ The `ldap-suffix` option states the LDAP server suffix to be used by Keystone.
#### `ldap-user` #### `ldap-user`
The `ldap-user` option states the username (Distinguished Name) used to bind to The `ldap-user` option states the username (Distinguished Name) used to bind to
the LDAP server (given by option `ldap-server`). the LDAP server (given by option `ldap-server`). For anonymous binding, leave
ldap-user and ldap-password blank.
# Deployment # Deployment
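
Review bot: The sentence added to the `ldap-user` paragraph documents only the case where both options are blank and does not say what happens when just one of them is set. The template change in this commit emits `user` and `password` only when both are non-empty, so a DN supplied without a password ends in an anonymous bind. The README should state that the two options must be set together or both left blank.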

@@ -26,12 +26,15 @@ options:
default: default:
description: | description: |
Username (Distinguished Name) used to bind to LDAP identity server. Username (Distinguished Name) used to bind to LDAP identity server.
. For anonymous binding, leave ldap-user and ldap-password empty.
Example: cn=admin,dc=test,dc=com Example: cn=admin,dc=test,dc=com
ldap-password: ldap-password:
type: string type: string
default: default:
description: Password of the LDAP identity server. description: |
Password of the LDAP identity server.
For anonymous binding, leave ldap-user and ldap-password empty.
ldap-suffix: ldap-suffix:
type: string type: string
default: default:
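
Review bot: In the new multi-line `ldap-password` description, "Password of the LDAP identity server." reads as if the password belonged to the server rather than to the bind DN, and now that the option is optional that link is worth stating. Suggest wording such as "Password for the DN given in ldap-user." and keeping the anonymous-binding sentence as it is.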

@@ -133,8 +133,6 @@ class KeystoneLDAPCharm(charms_openstack.charm.OpenStackCharm):
""" """
required_config = { required_config = {
'ldap_server': hookenv.config('ldap-server'), 'ldap_server': hookenv.config('ldap-server'),
'ldap_user': hookenv.config('ldap-user'),
'ldap_password': hookenv.config('ldap-password'),
'ldap_suffix': hookenv.config('ldap-suffix'), 'ldap_suffix': hookenv.config('ldap-suffix'),
} }
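
Review bot: Missing check in `required_config`: with 'ldap_user' and 'ldap_password' removed, nothing here rejects a configuration in which only one of the two is set. Together with the `{% if options.ldap_user and options.ldap_password -%}` guard in the template, an operator who sets ldap-user but leaves ldap-password empty gets an anonymous bind with no indication that the supplied DN was ignored. Suggest validating that the two options are either both set or both empty, and flagging the mismatch to the operator otherwise.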

@@ -1,7 +1,9 @@
[ldap] [ldap]
url = {{ options.ldap_server }} url = {{ options.ldap_server }}
{% if options.ldap_user and options.ldap_password -%}
user = {{ options.ldap_user }} user = {{ options.ldap_user }}
password = {{ options.ldap_password }} password = {{ options.ldap_password }}
{% endif -%}
suffix = {{ options.ldap_suffix }} suffix = {{ options.ldap_suffix }}
user_allow_create = {{ not options.ldap_readonly }} user_allow_create = {{ not options.ldap_readonly }}
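
Review bot: The rendered [ldap] section carries no trace of which bind mode was chosen: when the `{% if %}` on the first added line is false, `user` and `password` are simply absent. Suggest an `{% else -%}` branch that writes a comment line saying anonymous binding is in effect because ldap-user and ldap-password are unset, so the mode is visible when the generated file is inspected.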

@@ -32,8 +32,6 @@ class TestKeystoneLDAPCharm(Helper):
def test_required_configuration(self, config): def test_required_configuration(self, config):
reply = { reply = {
'ldap-server': 'myserver', 'ldap-server': 'myserver',
'ldap-user': 'myusername',
'ldap-password': 'mypassword',
'ldap-suffix': 'suffix' 'ldap-suffix': 'suffix'
} }
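
Review bot: Test coverage gap in test_required_configuration: the hunk only deletes 'ldap-user' and 'ldap-password' from the reply, and the commit adds no test for the new behaviour. Suggest keeping a case with both values set and adding one that checks `user` and `password` are omitted from the rendered [ldap] section when both options are empty.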