
Adds user_description_attribute mapping support to the LDAP backend

The LDAP backend supports mapping between LDAP and keystone user
attributes via the 'user_<attribute_name>_attribute' settings in the
LDAP driver configuration.

The current implementation is incomplete, since there is no support for
specifying a 'user_description_attribute' setting for user get (read)
operations.

This change adds support to the LDAP backend for mapping the user
description attribute via a 'user_description_attribute' configuration
setting during user retrieval as well.

Change-Id: I30b63306beae3379aa8c29d0df3f327369d3f2a6
Closes-Bug: #1542417
changes/73/276873/9
Rudolf Vriend 5 years ago
parent
commit
448778a511
6 changed files with 51 additions and 10 deletions
  1. +9
    -8
      doc/source/configuration.rst
  2. +2
    -0
      keystone/common/config.py
  3. +1
    -0
      keystone/identity/backends/ldap.py
  4. +3
    -2
      keystone/resource/core.py
  5. +15
    -0
      keystone/tests/unit/test_backend_ldap.py
  6. +21
    -0
      releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml

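--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -1739,14 +1739,15 @@ specified classes in the LDAP module so you can configure them like:
 .. code-block:: ini
 [ldap]
-user_objectclass = person
-user_id_attribute = cn
-user_name_attribute = cn
-user_mail_attribute = mail
-user_enabled_attribute = userAccountControl
-user_enabled_mask = 2
-user_enabled_default = 512
-user_attribute_ignore = tenant_id,tenants
+user_objectclass = person
+user_id_attribute = cn
+user_name_attribute = cn
+user_description_attribute = displayName
+user_mail_attribute = mail
+user_enabled_attribute = userAccountControl
+user_enabled_mask = 2
+user_enabled_default = 512
+user_attribute_ignore = tenant_id,tenants
 Debugging LDAP
 --------------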


+ 2
- 0
keystone/common/config.py View File

@ -601,6 +601,8 @@ FILE_OPTIONS = {
'WARNING: must not be a multivalued attribute.'),
cfg.StrOpt('user_name_attribute', default='sn',
help='LDAP attribute mapped to user name.'),
cfg.StrOpt('user_description_attribute', default='description',
help='LDAP attribute mapped to user description.'),
cfg.StrOpt('user_mail_attribute', default='mail',
help='LDAP attribute mapped to user email.'),
cfg.StrOpt('user_pass_attribute', default='userPassword',
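Review bot: The help string on the new `user_description_attribute` option does not tell operators that the mapped value is now read back and returned on user retrieval, nor how to switch that off; the release note in this commit documents the opt-out (adding `description` to `user_attribute_ignore`), and that guidance belongs next to the option, since whatever the directory stores under the mapped attribute becomes visible to every caller allowed to read the user. Suggest `help='LDAP attribute mapped to user description. Add "description" to user_attribute_ignore to leave it unmapped.'`. Deployments that already carry `description:description` in `user_additional_attribute_mapping` now get the mapping from two places; I cannot tell from this hunk whether the driver tolerates the duplicate, so a test for that configuration would be worth adding. The enclosing FILE_OPTIONS dict extends beyond the hunk.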


+ 1
- 0
keystone/identity/backends/ldap.py View File

@ -224,6 +224,7 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
attribute_options_names = {'password': 'pass',
'email': 'mail',
'name': 'name',
'description': 'description',
'enabled': 'enabled',
'default_project_id': 'default_project_id'}
immutable_attrs = ['id']
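Review bot: `attribute_options_names` has no comment explaining what its keys and values are, and the new `'description': 'description'` entry only makes sense if the reader knows the value is the `<name>` part of a `user_<name>_attribute` config option (the `'password': 'pass'` and `'email': 'mail'` entries show that it is not simply an identity mapping). Suggest adding above the dict: `# keystone user attribute -> <name> in the user_<name>_attribute config option`. The UserApi class body continues outside the hunk.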


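--- a/keystone/resource/core.py
+++ b/keystone/resource/core.py
@@ -1100,8 +1100,9 @@ class DomainConfigManager(manager.Manager):
 'alias_dereferencing', 'debug_level', 'chase_referrals',
 'user_tree_dn', 'user_filter', 'user_objectclass',
 'user_id_attribute', 'user_name_attribute', 'user_mail_attribute',
-'user_pass_attribute', 'user_enabled_attribute',
-'user_enabled_invert', 'user_enabled_mask', 'user_enabled_default',
+'user_description_attribute', 'user_pass_attribute',
+'user_enabled_attribute', 'user_enabled_invert',
+'user_enabled_mask', 'user_enabled_default',
 'user_attribute_ignore', 'user_default_project_id_attribute',
 'user_allow_create', 'user_allow_update', 'user_allow_delete',
 'user_enabled_emulation', 'user_enabled_emulation_dn',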
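Review bot: Reflowing the existing `'user_pass_attribute', ...` lines turns a one-name addition into a two-removed/three-added hunk, which obscures blame for the untouched option names. Inserting `'user_description_attribute',` on its own line between the `user_mail_attribute` and `user_pass_attribute` lines would keep the whitelist diff to the single line that actually changes. The enclosing DomainConfigManager whitelist continues outside the hunk.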


+ 15
- 0
keystone/tests/unit/test_backend_ldap.py View File

@ -1371,6 +1371,21 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
dn, attrs = self.identity_api.driver.user._ldap_get(user['id'])
self.assertThat([user['name']], matchers.Equals(attrs['description']))
def test_user_description_attribute_mapping(self):
self.config_fixture.config(
group='ldap',
user_description_attribute='displayName')
self.load_backends()
user = self.new_user_ref(domain_id=CONF.identity.default_domain_id,
displayName=uuid.uuid4().hex)
description = user['displayName']
user = self.identity_api.create_user(user)
res = self.identity_api.driver.user.get_all()
new_user = [u for u in res if u['id'] == user['id']][0]
self.assertThat(new_user['description'], matchers.Equals(description))
def test_user_extra_attribute_mapping_description_is_returned(self):
# Given a mapping like description:description, the description is
# returned.
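Review bot: `test_user_description_attribute_mapping` only exercises the driver's `get_all()` path, while the commit's stated goal is the user get (read) operation; asserting the same value through `self.identity_api.get_user(user['id'])` would cover that path and go through the manager rather than the driver directly. The lookup `new_user = [u for u in res if u['id'] == user['id']][0]` fails with an IndexError instead of an assertion message when the user is absent; `next((u for u in res if u['id'] == user['id']), None)` followed by `self.assertIsNotNone(new_user)` reads better. The opt-out the release note documents, `description` listed in `user_attribute_ignore` leaving the attribute unmapped, has no test here, and that is the case operators rely on to keep directory text out of API responses. The enclosing LDAPIdentity class continues outside the hunk.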


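--- /dev/null
+++ b/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml
@@ -0,0 +1,21 @@
+---
+features:
+- >
+[`bug 1542417 <https://bugs.launchpad.net/keystone/+bug/1542417>`_]
+Added support for a "user_description_attribute" mapping
+to the LDAP driver configuration.
+upgrade:
+- >
+The LDAP driver now also maps the user "description" attribute after
+user retrieval from LDAP.
+If this is undesired behavior for your setup, please add "description"
+to the "user_attribute_ignore" LDAP driver config setting.
+The default mapping of the description attribute is set to "description".
+Please adjust the LDAP driver config setting "user_description_attribute"
+if your LDAP uses a different attribute name (for instance to "displayName"
+in case of an AD backed LDAP).
+If your "user_additional_attribute_mapping" setting contains
+"description:description" you can remove this mapping, since this is
+now default behavior of the driver.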
