Adds user_description_attribute mapping support to the LDAP backend

The LDAP backend supports mapping between LDAP and keystone user attributes via the 'user_<attribute_name>_attribute' settings in the LDAP driver configuration. The current implementation is incomplete, since there is no support for specifying a 'user_description_attribute' setting for user get (read) operations. This change adds support to the LDAP backend for mapping of user description attributes via a 'user_description_attribute' configuration also during user retrieval. Change-Id: I30b63306beae3379aa8c29d0df3f327369d3f2a6 Closes-Bug: #1542417
2016-02-05 19:58:53 +01:00 · 2016-02-05 19:58:53 +01:00 · 448778a511
parent 652cf8d2ec
commit 448778a511
6 changed files with 51 additions and 10 deletions
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@ -1739,14 +1739,15 @@ specified classes in the LDAP module so you can configure them like:
 .. code-block:: ini

  [ldap]
-  user_objectclass          = person
-  user_id_attribute         = cn
-  user_name_attribute       = cn
-  user_mail_attribute       = mail
-  user_enabled_attribute    = userAccountControl
-  user_enabled_mask         = 2
-  user_enabled_default      = 512
-  user_attribute_ignore     = tenant_id,tenants
+  user_objectclass           = person
+  user_id_attribute          = cn
+  user_name_attribute        = cn
+  user_description_attribute = displayName
+  user_mail_attribute        = mail
+  user_enabled_attribute     = userAccountControl
+  user_enabled_mask          = 2
+  user_enabled_default       = 512
+  user_attribute_ignore      = tenant_id,tenants

 Debugging LDAP
 --------------
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@ -601,6 +601,8 @@ FILE_OPTIONS = {
                        'WARNING: must not be a multivalued attribute.'),
        cfg.StrOpt('user_name_attribute', default='sn',
                   help='LDAP attribute mapped to user name.'),
+        cfg.StrOpt('user_description_attribute', default='description',
+                   help='LDAP attribute mapped to user description.'),
        cfg.StrOpt('user_mail_attribute', default='mail',
                   help='LDAP attribute mapped to user email.'),
        cfg.StrOpt('user_pass_attribute', default='userPassword',
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@ -224,6 +224,7 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
    attribute_options_names = {'password': 'pass',
                               'email': 'mail',
                               'name': 'name',
+                               'description': 'description',
                               'enabled': 'enabled',
                               'default_project_id': 'default_project_id'}
    immutable_attrs = ['id']
--- a/keystone/resource/core.py
+++ b/keystone/resource/core.py
@ -1100,8 +1100,9 @@ class DomainConfigManager(manager.Manager):
            'alias_dereferencing', 'debug_level', 'chase_referrals',
            'user_tree_dn', 'user_filter', 'user_objectclass',
            'user_id_attribute', 'user_name_attribute', 'user_mail_attribute',
-            'user_pass_attribute', 'user_enabled_attribute',
-            'user_enabled_invert', 'user_enabled_mask', 'user_enabled_default',
+            'user_description_attribute', 'user_pass_attribute',
+            'user_enabled_attribute', 'user_enabled_invert',
+            'user_enabled_mask', 'user_enabled_default',
            'user_attribute_ignore', 'user_default_project_id_attribute',
            'user_allow_create', 'user_allow_update', 'user_allow_delete',
            'user_enabled_emulation', 'user_enabled_emulation_dn',
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@ -1371,6 +1371,21 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
        dn, attrs = self.identity_api.driver.user._ldap_get(user['id'])
        self.assertThat([user['name']], matchers.Equals(attrs['description']))

+    def test_user_description_attribute_mapping(self):
+        self.config_fixture.config(
+            group='ldap',
+            user_description_attribute='displayName')
+        self.load_backends()
+
+        user = self.new_user_ref(domain_id=CONF.identity.default_domain_id,
+                                 displayName=uuid.uuid4().hex)
+        description = user['displayName']
+        user = self.identity_api.create_user(user)
+        res = self.identity_api.driver.user.get_all()
+
+        new_user = [u for u in res if u['id'] == user['id']][0]
+        self.assertThat(new_user['description'], matchers.Equals(description))
+
    def test_user_extra_attribute_mapping_description_is_returned(self):
        # Given a mapping like description:description, the description is
        # returned.
--- a/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml
+++ b/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml
@ -0,0 +1,21 @@
+---
+features:
+  - >
+    [`bug 1542417 <https://bugs.launchpad.net/keystone/+bug/1542417>`_]
+    Added support for a "user_description_attribute" mapping
+    to the LDAP driver configuration.
+upgrade:
+  - >
+    The LDAP driver now also maps the user "description" attribute after
+    user retrieval from LDAP.
+    If this is undesired behavior for your setup, please add "description"
+    to the "user_attribute_ignore" LDAP driver config setting.
+
+    The default mapping of the description attribute is set to "description".
+    Please adjust the LDAP driver config setting "user_description_attribute"
+    if your LDAP uses a different attribute name (for instance to "displayName"
+    in case of an AD backed LDAP).
+
+    If your "user_additional_attribute_mapping" setting contains
+    "description:description" you can remove this mapping, since this is
+    now default behavior of the driver.