From 448778a51126a79676e9f9ffcc9eaf4c06288a73 Mon Sep 17 00:00:00 2001
From: Rudolf Vriend
Date: Fri, 5 Feb 2016 19:58:53 +0100
Subject: [PATCH] Adds user_description_attribute mapping support to the LDAP backend

The LDAP backend supports mapping between LDAP and keystone user attributes via the 'user__attribute' settings in the LDAP driver configuration. The current implementation is incomplete, since there is no support for specifying a 'user_description_attribute' setting for user get (read) operations.

This change adds support to the LDAP backend for mapping of user description attributes via a 'user_description_attribute' configuration also during user retrieval.

Change-Id: I30b63306beae3379aa8c29d0df3f327369d3f2a6
Closes-Bug: #1542417
---
 doc/source/configuration.rst | 17 ++++++++-------
 keystone/common/config.py | 2 ++
 keystone/identity/backends/ldap.py | 1 +
 keystone/resource/core.py | 5 +++--
 keystone/tests/unit/test_backend_ldap.py | 15 +++++++++++++
 .../notes/bug-1542417-d630b7886bb0b369.yaml | 21 +++++++++++++++++++
 6 files changed, 51 insertions(+), 10 deletions(-)
 create mode 100644 releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml

diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 6e57748354..68a92d46d8 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -1739,14 +1739,15 @@ specified classes in the LDAP module so you can configure them like:
 .. code-block:: ini
 [ldap]
- user_objectclass = person
- user_id_attribute = cn
- user_name_attribute = cn
- user_mail_attribute = mail
- user_enabled_attribute = userAccountControl
- user_enabled_mask = 2
- user_enabled_default = 512
- user_attribute_ignore = tenant_id,tenants
+ user_objectclass = person
+ user_id_attribute = cn
+ user_name_attribute = cn
+ user_description_attribute = displayName
+ user_mail_attribute = mail
+ user_enabled_attribute = userAccountControl
+ user_enabled_mask = 2
+ user_enabled_default = 512
+ user_attribute_ignore = tenant_id,tenants
 Debugging LDAP
 --------------
diff --git a/keystone/common/config.py b/keystone/common/config.py
index ebf8ee305b..ffb3c94a1d 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -601,6 +601,8 @@ FILE_OPTIONS = {
 'WARNING: must not be a multivalued attribute.'),
 cfg.StrOpt('user_name_attribute', default='sn',
 help='LDAP attribute mapped to user name.'),
+ cfg.StrOpt('user_description_attribute', default='description',
+ help='LDAP attribute mapped to user description.'),
 cfg.StrOpt('user_mail_attribute', default='mail',
 help='LDAP attribute mapped to user email.'),
 cfg.StrOpt('user_pass_attribute', default='userPassword',
diff --git a/keystone/identity/backends/ldap.py b/keystone/identity/backends/ldap.py
index 55e4e34eb5..fe2c56d72f 100644
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@@ -224,6 +224,7 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
 attribute_options_names = {'password': 'pass',
 'email': 'mail',
 'name': 'name',
+ 'description': 'description',
 'enabled': 'enabled',
 'default_project_id': 'default_project_id'}
 immutable_attrs = ['id']
diff --git a/keystone/resource/core.py b/keystone/resource/core.py
index 7c69afd20b..bba68b6220 100644
--- a/keystone/resource/core.py
+++ b/keystone/resource/core.py
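Review bot: The help text of the new `user_description_attribute` option says nothing about the fact that whatever LDAP attribute it names is read back into the user record and, presumably, returned by the identity API to anyone allowed to read that user, while the neighbouring `user_id_attribute` option at least carries a `WARNING: must not be a multivalued attribute.` note. Because the default is `description`, an attribute that exists in most directory schemas and is often used for free-text operator notes, upgraded deployments will start exposing its contents unless they add `description` to `user_attribute_ignore`, which only the release note mentions. I would extend the help to `help='LDAP attribute mapped to user description. Its value is returned with the user record, so map only an attribute intended to be visible; add "description" to user_attribute_ignore to disable the mapping.'`. How a multi-valued attribute is reduced to the single description string is not visible in this hunk, so a single-valued attribute should probably also be recommended here. The FILE_OPTIONS literal continues outside the hunk.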
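Review bot: Adding `'description': 'description'` to `attribute_options_names` most likely makes the mapping bidirectional, since the same dictionary already carries `'password': 'pass'`, an attribute that can only be meaningful on the write path; if so, a Keystone user update carrying a description will now write the mapped LDAP attribute (for example `displayName` in the documented AD configuration) whenever `user_allow_update` permits writes. The commit message and release note talk only about retrieval, so the write side is neither documented nor tested. I would add a comment above the dictionary, `# Mapped in both directions: writes through create/update are gated by user_allow_create/user_allow_update.`, and a test that updates the description and reads the mapped attribute back with `_ldap_get`. The `UserApi` class body continues outside the hunk, so the exact use of this dictionary should be confirmed in `BaseLdap`.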
@@ -1100,8 +1100,9 @@ class DomainConfigManager(manager.Manager):
 'alias_dereferencing', 'debug_level', 'chase_referrals',
 'user_tree_dn', 'user_filter', 'user_objectclass',
 'user_id_attribute', 'user_name_attribute', 'user_mail_attribute',
- 'user_pass_attribute', 'user_enabled_attribute',
- 'user_enabled_invert', 'user_enabled_mask', 'user_enabled_default',
+ 'user_description_attribute', 'user_pass_attribute',
+ 'user_enabled_attribute', 'user_enabled_invert',
+ 'user_enabled_mask', 'user_enabled_default',
 'user_attribute_ignore', 'user_default_project_id_attribute',
 'user_allow_create', 'user_allow_update', 'user_allow_delete',
 'user_enabled_emulation', 'user_enabled_emulation_dn',
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index 36ccecf40b..574965ff9a 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -1371,6 +1371,21 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
 dn, attrs = self.identity_api.driver.user._ldap_get(user['id'])
 self.assertThat([user['name']], matchers.Equals(attrs['description']))
 
+ def test_user_description_attribute_mapping(self):
+ self.config_fixture.config(
+ group='ldap',
+ user_description_attribute='displayName')
+ self.load_backends()
+
+ user = self.new_user_ref(domain_id=CONF.identity.default_domain_id,
+ displayName=uuid.uuid4().hex)
+ description = user['displayName']
+ user = self.identity_api.create_user(user)
+ res = self.identity_api.driver.user.get_all()
+
+ new_user = [u for u in res if u['id'] == user['id']][0]
+ self.assertThat(new_user['description'], matchers.Equals(description))
+
 def test_user_extra_attribute_mapping_description_is_returned(self):
 # Given a mapping like description:description, the description is
 # returned.
diff --git a/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml b/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml
new file mode 100644
index 0000000000..e6a6f5f84f
--- /dev/null
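Review bot: `test_user_description_attribute_mapping` only checks the list path (`driver.user.get_all()`); the single-user read path that the commit message names as the bug (`get_user`, backed by `_ldap_get` as the preceding test shows) and the `user_attribute_ignore` opt-out promised in the release note are left unverified. I would add `self.assertEqual(description, self.identity_api.get_user(user['id'])['description'])` and a second test that sets `user_attribute_ignore=['description']` and asserts the key is absent. The lookup `[u for u in res if u['id'] == user['id']][0]` also fails with an IndexError rather than a readable assertion when the user is missing; `next(u for u in res if u['id'] == user['id'])` or the `get_user` call above is clearer. It is also worth a comment that the test relies on `displayName` passed to `new_user_ref` being written to LDAP unmapped, which is not obvious from the hunk. The `LDAPIdentity` class continues outside the hunk.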
+++ b/releasenotes/notes/bug-1542417-d630b7886bb0b369.yaml
@@ -0,0 +1,21 @@
+---
+features:
+ - >
+ [`bug 1542417 `_]
+ Added support for a "user_description_attribute" mapping
+ to the LDAP driver configuration.
+upgrade:
+ - >
+ The LDAP driver now also maps the user "description" attribute after
+ user retrieval from LDAP.
+ If this is undesired behavior for your setup, please add "description"
+ to the "user_attribute_ignore" LDAP driver config setting.
+
+ The default mapping of the description attribute is set to "description".
+ Please adjust the LDAP driver config setting "user_description_attribute"
+ if your LDAP uses a different attribute name (for instance to "displayName"
+ in case of an AD backed LDAP).
+
+ If your "user_additional_attribute_mapping" setting contains
+ "description:description" you can remove this mapping, since this is
+ now default behavior of the driver.