make LDAP attributes configurable

Change-Id: I91b9da4cf0305e6b30e82e260533d48843332cf1
2013-09-17 10:58:06 +02:00
parent b881af2609
commit 3311cbd0bd
4 changed files with 254 additions and 9 deletions
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -92,6 +92,80 @@ default["openstack"]["identity"]["identity"]["backend"] = "sql"
 default["openstack"]["identity"]["token"]["backend"] = "sql"
 default["openstack"]["identity"]["catalog"]["backend"] = "sql"

+# LDAP backend general settings
+default["openstack"]["identity"]["ldap"]["url"] = "ldap://localhost"
+default["openstack"]["identity"]["ldap"]["user"] = "dc=Manager,dc=example,dc=com"
+default["openstack"]["identity"]["ldap"]["password"] = nil
+default["openstack"]["identity"]["ldap"]["suffix"] = "cn=example,cn=com"
+default["openstack"]["identity"]["ldap"]["use_dumb_member"] = false
+default["openstack"]["identity"]["ldap"]["allow_subtree_delete"] = false
+default["openstack"]["identity"]["ldap"]["dumb_member"] = "cn=dumb,dc=example,dc=com"
+default["openstack"]["identity"]["ldap"]["page_size"] = 0
+default["openstack"]["identity"]["ldap"]["alias_dereferencing"] = "default"
+default["openstack"]["identity"]["ldap"]["query_scope"] = "one"
+
+# LDAP backend user related settings
+default["openstack"]["identity"]["ldap"]["user_tree_dn"] = nil
+default["openstack"]["identity"]["ldap"]["user_filter"] = nil
+default["openstack"]["identity"]["ldap"]["user_objectclass"] = "inetOrgPerson"
+default["openstack"]["identity"]["ldap"]["user_id_attribute"] = "cn"
+default["openstack"]["identity"]["ldap"]["user_name_attribute"] = "sn"
+default["openstack"]["identity"]["ldap"]["user_mail_attribute"] = "email"
+default["openstack"]["identity"]["ldap"]["user_pass_attribute"] = "userPassword"
+default["openstack"]["identity"]["ldap"]["user_enabled_attribute"] = "enabled"
+default["openstack"]["identity"]["ldap"]["user_domain_id_attribute"] = "businessCategory"
+default["openstack"]["identity"]["ldap"]["user_enabled_mask"] = 0
+default["openstack"]["identity"]["ldap"]["user_enabled_default"] = "true"
+default["openstack"]["identity"]["ldap"]["user_attribute_ignore"] = "tenant_id,tenants"
+default["openstack"]["identity"]["ldap"]["user_allow_create"] = true
+default["openstack"]["identity"]["ldap"]["user_allow_update"] = true
+default["openstack"]["identity"]["ldap"]["user_allow_delete"] = true
+default["openstack"]["identity"]["ldap"]["user_enabled_emulation"] = false
+default["openstack"]["identity"]["ldap"]["user_enabled_emulation_dn"] = nil
+
+# LDAP backend tenant related settings
+default["openstack"]["identity"]["ldap"]["tenant_tree_dn"] = nil
+default["openstack"]["identity"]["ldap"]["tenant_filter"] = nil
+default["openstack"]["identity"]["ldap"]["tenant_objectclass"] = "groupOfNames"
+default["openstack"]["identity"]["ldap"]["tenant_id_attribute"] = "cn"
+default["openstack"]["identity"]["ldap"]["tenant_member_attribute"] = "member"
+default["openstack"]["identity"]["ldap"]["tenant_name_attribute"] = "ou"
+default["openstack"]["identity"]["ldap"]["tenant_desc_attribute"] = "description"
+default["openstack"]["identity"]["ldap"]["tenant_enabled_attribute"] = "enabled"
+default["openstack"]["identity"]["ldap"]["tenant_domain_id_attribute"] = "businessCategory"
+default["openstack"]["identity"]["ldap"]["tenant_attribute_ignore"] = nil
+default["openstack"]["identity"]["ldap"]["tenant_allow_create"] = true
+default["openstack"]["identity"]["ldap"]["tenant_allow_update"] = true
+default["openstack"]["identity"]["ldap"]["tenant_allow_delete"] = true
+default["openstack"]["identity"]["ldap"]["tenant_enabled_emulation"] = false
+default["openstack"]["identity"]["ldap"]["tenant_enabled_emulation_dn"] = nil
+
+# LDAP backend role related settings
+default["openstack"]["identity"]["ldap"]["role_tree_dn"] = nil
+default["openstack"]["identity"]["ldap"]["role_filter"] = nil
+default["openstack"]["identity"]["ldap"]["role_objectclass"] = "organizationalRole"
+default["openstack"]["identity"]["ldap"]["role_id_attribute"] = "cn"
+default["openstack"]["identity"]["ldap"]["role_name_attribute"] = "ou"
+default["openstack"]["identity"]["ldap"]["role_member_attribute"] = "roleOccupant"
+default["openstack"]["identity"]["ldap"]["role_attribute_ignore"] = nil
+default["openstack"]["identity"]["ldap"]["role_allow_create"] = true
+default["openstack"]["identity"]["ldap"]["role_allow_update"] = true
+default["openstack"]["identity"]["ldap"]["role_allow_delete"] = true
+
+# LDAP backend group related settings
+default["openstack"]["identity"]["ldap"]["group_tree_dn"] = nil
+default["openstack"]["identity"]["ldap"]["group_filter"] = nil
+default["openstack"]["identity"]["ldap"]["group_objectclass"] = "groupOfNames"
+default["openstack"]["identity"]["ldap"]["group_id_attribute"] = "cn"
+default["openstack"]["identity"]["ldap"]["group_name_attribute"] = "ou"
+default["openstack"]["identity"]["ldap"]["group_member_attribute"] = "member"
+default["openstack"]["identity"]["ldap"]["group_desc_attribute"] = "description"
+default["openstack"]["identity"]["ldap"]["group_domain_id_attribute"] = "businessCategory"
+default["openstack"]["identity"]["ldap"]["group_attribute_ignore"] = nil
+default["openstack"]["identity"]["ldap"]["group_allow_create"] = true
+default["openstack"]["identity"]["ldap"]["group_allow_update"] = true
+default["openstack"]["identity"]["ldap"]["group_allow_delete"] = true
+
 # platform defaults
 case platform
 when "fedora", "redhat", "centos" # :pragma-foodcritic: ~FC024 - won't fix this
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -4,6 +4,7 @@
 #
 # Copyright 2012, Rackspace US, Inc.
 # Copyright 2012-2013, Opscode, Inc.
+# Copyright 2013 SUSE LINUX Products GmbH.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -146,7 +147,8 @@ template "/etc/keystone/keystone.conf" do
    "memcache_servers" => memcache_servers,
    "uris" => uris,
    "public_endpoint" => public_endpoint,
-    "admin_endpoint" => admin_endpoint
+    "admin_endpoint" => admin_endpoint,
+    "ldap" => node["openstack"]["identity"]["ldap"]
  )

  notifies :restart, "service[keystone]", :immediately
--- a/spec/server_spec.rb
+++ b/spec/server_spec.rb
@@ -190,6 +190,58 @@ describe "openstack-identity::server" do
      it "notifies keystone restart" do
        expect(@template).to notify "service[keystone]", :restart
      end
+
+      describe "optional LDAP attributes" do
+        optional_attrs = ["group_tree_dn", "group_filter",
+          "user_filter", "user_tree_dn", "user_enabled_emulation_dn",
+          "group_attribute_ignore", "role_attribute_ignore",
+          "role_tree_dn", "role_filter", "tenant_tree_dn",
+          "tenant_enabled_emulation_dn", "tenant_filter",
+          "tenant_attribute_ignore"]
+
+        optional_attrs.each do |setting|
+          it "does not have the optional #{setting} LDAP attribute" do
+            expect(@chef_run).not_to(
+              create_file_with_content(
+                @template.name, /^#{Regexp.quote(setting)} =/))
+          end
+
+          it "has the optional #{setting} LDAP attribute commented out" do
+            expect(@chef_run).to(
+              create_file_with_content(
+                @template.name, /^# #{Regexp.quote(setting)} =$/))
+          end
+        end
+      end
+
+      ["url", "user", "suffix", "use_dumb_member",
+        "allow_subtree_delete", "dumb_member", "page_size",
+        "alias_dereferencing", "query_scope", "user_objectclass",
+        "user_id_attribute", "user_name_attribute",
+        "user_mail_attribute", "user_pass_attribute",
+        "user_enabled_attribute", "user_domain_id_attribute",
+        "user_attribute_ignore", "user_enabled_mask",
+        "user_enabled_default", "user_allow_create",
+        "user_allow_update", "user_allow_delete",
+        "user_enabled_emulation", "tenant_objectclass",
+        "tenant_id_attribute", "tenant_member_attribute",
+        "tenant_name_attribute", "tenant_desc_attribute",
+        "tenant_enabled_attribute", "tenant_domain_id_attribute",
+        "tenant_allow_create", "tenant_allow_update",
+        "tenant_allow_delete", "tenant_enabled_emulation",
+        "role_objectclass", "role_id_attribute", "role_name_attribute",
+        "role_member_attribute", "role_allow_create",
+        "role_allow_update", "role_allow_delete", "group_objectclass",
+        "group_id_attribute", "group_name_attribute",
+        "group_member_attribute", "group_desc_attribute",
+        "group_domain_id_attribute", "group_allow_create",
+        "group_allow_update", "group_allow_delete",
+      ].each do |setting|
+        it "has a #{setting} LDAP attribute" do
+          expect(@chef_run).to create_file_with_content @template.name,
+          /^#{Regexp.quote(setting)} = \w+/
+        end
+      end
    end

    describe "default_catalog.templates" do
--- a/templates/default/keystone.conf.erb
+++ b/templates/default/keystone.conf.erb
@@ -29,14 +29,131 @@ max_pool_size = 10
 pool_timeout = 200

 [ldap]
-#url = ldap://localhost
-#tree_dn = dc=example,dc=com
-#user_tree_dn = ou=Users,dc=example,dc=com
-#role_tree_dn = ou=Roles,dc=example,dc=com
-#tenant_tree_dn = ou=Groups,dc=example,dc=com
-#user = dc=Manager,dc=example,dc=com
-#password = freeipa4all
-#suffix = cn=example,cn=com
+url = <%= @ldap["url"] %>
+user = <%= @ldap["user"] %>
+<% if @ldap["password"] -%>
+password = <%= @ldap["password"] %>
+<% else -%>
+# password = None
+<% end -%>
+suffix = <%= @ldap["suffix"] %>
+use_dumb_member = <%= @ldap["use_dumb_member"] %>
+allow_subtree_delete = <%= @ldap["allow_subtree_delete"] %>
+dumb_member = <%= @ldap["dumb_member"] %>
+page_size = <%= @ldap["page_size"] %>
+alias_dereferencing = <%= @ldap["alias_dereferencing"] %>
+query_scope = <%= @ldap["query_scope"] %>
+
+<% if @ldap["user_tree_dn"] -%>
+user_tree_dn = <%= @ldap["user_tree_dn"] %>
+<% else -%>
+# user_tree_dn =
+<% end -%>
+<% if @ldap["user_filter"] -%>
+user_filter = <%= @ldap["user_filter"] %>
+<% else -%>
+# user_filter =
+<% end -%>
+user_objectclass = <%= @ldap["user_objectclass"] %>
+user_id_attribute = <%= @ldap["user_id_attribute"] %>
+user_name_attribute = <%= @ldap["user_name_attribute"] %>
+user_mail_attribute = <%= @ldap["user_mail_attribute"] %>
+user_pass_attribute = <%= @ldap["user_pass_attribute"] %>
+user_enabled_attribute = <%= @ldap["user_enabled_attribute"] %>
+user_domain_id_attribute = <%= @ldap["user_domain_id_attribute"] %>
+user_enabled_mask = <%= @ldap["user_enabled_mask"] %>
+user_enabled_default = <%= @ldap["user_enabled_default"] %>
+user_attribute_ignore = <%= @ldap["user_attribute_ignore"] %>
+user_allow_create = <%= @ldap["user_allow_create"] %>
+user_allow_update = <%= @ldap["user_allow_update"] %>
+user_allow_delete = <%= @ldap["user_allow_delete"] %>
+user_enabled_emulation = <%= @ldap["user_enabled_emulation"] %>
+<% if @ldap["user_enabled_emulation_dn"] -%>
+user_enabled_emulation_dn = <%= @ldap["user_enabled_emulation_dn"] %>
+<% else -%>
+# user_enabled_emulation_dn =
+<% end -%>
+
+<% if @ldap["tenant_tree_dn"] -%>
+tenant_tree_dn = <%= @ldap["tenant_tree_dn"] %>
+<% else -%>
+# tenant_tree_dn =
+<% end -%>
+<% if @ldap["tenant_filter"] -%>
+tenant_filter = <%= @ldap["tenant_filter"] %>
+<% else -%>
+# tenant_filter =
+<% end -%>
+tenant_objectclass = <%= @ldap["tenant_objectclass"] %>
+tenant_id_attribute = <%= @ldap["tenant_id_attribute"] %>
+tenant_member_attribute = <%= @ldap["tenant_member_attribute"] %>
+tenant_name_attribute = <%= @ldap["tenant_name_attribute"] %>
+tenant_desc_attribute = <%= @ldap["tenant_desc_attribute"] %>
+tenant_enabled_attribute = <%= @ldap["tenant_enabled_attribute"] %>
+tenant_domain_id_attribute = <%= @ldap["tenant_domain_id_attribute"] %>
+<% if @ldap["tenant_attribute_ignore"] -%>
+tenant_attribute_ignore = <%= @ldap["tenant_attribute_ignore"] %>
+<% else -%>
+# tenant_attribute_ignore =
+<% end -%>
+tenant_allow_create = <%= @ldap["tenant_allow_create"] %>
+tenant_allow_update = <%= @ldap["tenant_allow_update"] %>
+tenant_allow_delete = <%= @ldap["tenant_allow_delete"] %>
+tenant_enabled_emulation = <%= @ldap["tenant_enabled_emulation"] %>
+<% if @ldap["tenant_enabled_emulation_dn"] -%>
+tenant_enabled_emulation_dn = <%= @ldap["tenant_enabled_emulation_dn"] %>
+<% else -%>
+# tenant_enabled_emulation_dn =
+<% end -%>
+
+<% if @ldap["role_tree_dn"] -%>
+role_tree_dn = <%= @ldap["role_tree_dn"] %>
+<% else -%>
+# role_tree_dn =
+<% end -%>
+<% if @ldap["role_filter"] -%>
+role_filter = <%= @ldap["role_filter"] %>
+<% else -%>
+# role_filter =
+<% end -%>
+role_objectclass = <%= @ldap["role_objectclass"] %>
+role_id_attribute = <%= @ldap["role_id_attribute"] %>
+role_name_attribute = <%= @ldap["role_name_attribute"] %>
+role_member_attribute = <%= @ldap["role_member_attribute"] %>
+<% if @ldap["role_attribute_ignore"] -%>
+role_attribute_ignore = <%= @ldap["role_attribute_ignore"] %>
+<% else -%>
+# role_attribute_ignore =
+<% end -%>
+role_allow_create = <%= @ldap["role_allow_create"] %>
+role_allow_update = <%= @ldap["role_allow_update"] %>
+role_allow_delete = <%= @ldap["role_allow_delete"] %>
+
+<% if @ldap["group_tree_dn"] -%>
+group_tree_dn = <%= @ldap["group_tree_dn"] %>
+<% else -%>
+# group_tree_dn =
+<% end -%>
+<% if @ldap["group_filter"] -%>
+group_filter = <%= @ldap["group_filter"] %>
+<% else -%>
+# group_filter =
+<% end -%>
+group_objectclass = <%= @ldap["group_objectclass"] %>
+group_id_attribute = <%= @ldap["group_id_attribute"] %>
+group_name_attribute = <%= @ldap["group_name_attribute"] %>
+group_member_attribute = <%= @ldap["group_member_attribute"] %>
+group_desc_attribute = <%= @ldap["group_desc_attribute"] %>
+group_domain_id_attribute = <%= @ldap["group_domain_id_attribute"] %>
+<% if @ldap["group_attribute_ignore"] -%>
+group_attribute_ignore = <%= @ldap["group_attribute_ignore"] %>
+<% else -%>
+# group_attribute_ignore =
+<% end -%>
+group_allow_create = <%= @ldap["group_allow_create"] %>
+group_allow_update = <%= @ldap["group_allow_update"] %>
+group_allow_delete = <%= @ldap["group_allow_delete"] %>
+

 [identity]
 driver = keystone.identity.backends.<%= node["openstack"]["identity"]["identity"]["backend"] %>.Identity