[heut2008,r=hopem]

Added support for Keystone LDAP identity backend

config.yaml

@@ -89,6 +89,38 @@ options:
     description: |
       By default, all services will log into their corresponding log files.
       Setting this to True will force all services to log to the syslog.
+  identity-backend:
+    type: string
+    default: "sql"    
+    description: "Keystone identity backend, valid options are：sql,ldap,kvs,pam"
+  assignment-backend:
+    type: string
+    default: "sql"
+    description: "Keystone assignment backend, valid options are sql,ldap,kvs"
+  ldap-server:
+    type: string
+    default: None
+    description: "Ldap server address for keystone identity backend"
+  ldap-user:
+    type: string
+    default: None
+    description: "Username of the ldap identity server"
+  ldap-password:
+    type: string
+    default: None
+    description: "Password of the ldap identity server"
+  ldap-suffix:
+    type: string
+    default: None
+    description: "Ldap server suffix to be used by keystone"
+  ldap-config-flags:
+    type: string
+    default: None
+    description: "comma sperated options for ldap configuration"
+  ldap-readonly:
+    type: boolean
+    default: True
+    description: "Ldap identity server backend readonly to keystone"
   # HA configuration settings
   vip:
     type: string

hooks/keystone_context.py

@@ -101,6 +101,19 @@ class KeystoneContext(context.OSContextGenerator):
         ctxt['public_port'] = determine_api_port(api_port('keystone-public'))
         ctxt['debug'] = config('debug') in ['yes', 'true', 'True']
         ctxt['verbose'] = config('verbose') in ['yes', 'true', 'True']
+        ctxt['identity_backend'] = config('identity-backend')
+        ctxt['assignment_backend'] = config('assignment-backend')
+        if config('identity-backend') == 'ldap':
+            ctxt['ldap_server'] = config('ldap-server')
+            ctxt['ldap_user'] = config('ldap-user')
+            ctxt['ldap_password'] = config('ldap-password')
+            ctxt['ldap_suffix'] = config('ldap-suffix')
+            ctxt['ldap_readonly'] = config('ldap-readonly')
+            ldap_flags = config('ldap-config-flags')
+            if ldap_flags:
+                flags = context.config_flags_parser(ldap_flags)
+                ctxt['ldap_config_flags'] = flags
+
         if config('enable-pki') not in ['false', 'False', 'no', 'No']:
             ctxt['signing'] = True
         return ctxt

templates/icehouse/keystone.conf

@@ -21,7 +21,7 @@ connection = sqlite:////var/lib/keystone/keystone.db
 idle_timeout = 200
 
 [identity]
-driver = keystone.identity.backends.sql.Identity
+driver = keystone.identity.backends.{{ identity_backend }}.Identity
 
 [credential]
 driver = keystone.credential.backends.sql.Credential
@@ -49,6 +49,7 @@ driver = keystone.policy.backends.sql.Policy
 driver = keystone.contrib.ec2.backends.sql.Ec2
 
 [assignment]
+driver = keystone.assignment.backends.{{ assignment_backend }}.Assignment
 
 [oauth1]
 
@@ -65,3 +66,35 @@ config_file = keystone-paste.ini
 
 [extra_headers]
 Distribution = Ubuntu
+
+[ldap]
+{% if identity_backend == 'ldap' -%}
+url = {{ ldap_server }}
+user = {{ ldap_user }}
+password = {{ ldap_password }}
+suffix = {{ ldap_suffix }}
+
+{% if ldap_config_flags -%} 
+{% for key, value in ldap_config_flags.iteritems() -%} 
+{{ key }} = {{ value }}
+{% endfor -%} 
+{% endif -%} 
+
+{% if ldap_readonly -%}
+user_allow_create = False
+user_allow_update = False
+user_allow_delete = False
+
+tenant_allow_create = False
+tenant_allow_update = False
+tenant_allow_delete = False
+
+role_allow_create = False
+role_allow_update = False
+role_allow_delete = False
+
+group_allow_create = False
+group_allow_update = False
+group_allow_delete = False
+{% endif -%}
+{% endif -%}