Adds user_description_attribute mapping support to the LDAP backend
The LDAP backend supports mapping between LDAP and keystone user attributes via the 'user_<attribute_name>_attribute' settings in the LDAP driver configuration. The current implementation is incomplete: there is no way to specify a 'user_description_attribute' setting for user get (read) operations. This change adds support in the LDAP backend for mapping the user description attribute via a 'user_description_attribute' setting during user retrieval as well. Change-Id: I30b63306beae3379aa8c29d0df3f327369d3f2a6 Closes-Bug: #1542417
This commit is contained in:
parent
652cf8d2ec
commit
448778a511
|
@ -1739,14 +1739,15 @@ specified classes in the LDAP module so you can configure them like:
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
[ldap]
|
[ldap]
|
||||||
user_objectclass = person
|
user_objectclass = person
|
||||||
user_id_attribute = cn
|
user_id_attribute = cn
|
||||||
user_name_attribute = cn
|
user_name_attribute = cn
|
||||||
user_mail_attribute = mail
|
user_description_attribute = displayName
|
||||||
user_enabled_attribute = userAccountControl
|
user_mail_attribute = mail
|
||||||
user_enabled_mask = 2
|
user_enabled_attribute = userAccountControl
|
||||||
user_enabled_default = 512
|
user_enabled_mask = 2
|
||||||
user_attribute_ignore = tenant_id,tenants
|
user_enabled_default = 512
|
||||||
|
user_attribute_ignore = tenant_id,tenants
|
||||||
|
|
||||||
Debugging LDAP
|
Debugging LDAP
|
||||||
--------------
|
--------------
|
||||||
|
|
|
@ -601,6 +601,8 @@ FILE_OPTIONS = {
|
||||||
'WARNING: must not be a multivalued attribute.'),
|
'WARNING: must not be a multivalued attribute.'),
|
||||||
cfg.StrOpt('user_name_attribute', default='sn',
|
cfg.StrOpt('user_name_attribute', default='sn',
|
||||||
help='LDAP attribute mapped to user name.'),
|
help='LDAP attribute mapped to user name.'),
|
||||||
|
cfg.StrOpt('user_description_attribute', default='description',
|
||||||
|
help='LDAP attribute mapped to user description.'),
|
||||||
cfg.StrOpt('user_mail_attribute', default='mail',
|
cfg.StrOpt('user_mail_attribute', default='mail',
|
||||||
help='LDAP attribute mapped to user email.'),
|
help='LDAP attribute mapped to user email.'),
|
||||||
cfg.StrOpt('user_pass_attribute', default='userPassword',
|
cfg.StrOpt('user_pass_attribute', default='userPassword',
|
||||||
|
|
|
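Review bot: The help text for the new `user_description_attribute` option says only what it maps, while the release note in this commit tells operators that the attribute is now read on every user retrieval and can be suppressed through `user_attribute_ignore`; that guidance belongs in the option help too, since it is what an operator reads when tuning the driver. Suggested: `help='LDAP attribute mapped to user description. Add "description" to user_attribute_ignore to suppress it.'`. The neighbouring option help on the first context line carries a 'must not be a multivalued attribute' warning; if the driver reads a single value here as well, the same caveat should be stated, but that cannot be confirmed from this hunk. FILE_OPTIONS continues outside the hunk.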
@ -224,6 +224,7 @@ class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
|
||||||
attribute_options_names = {'password': 'pass',
|
attribute_options_names = {'password': 'pass',
|
||||||
'email': 'mail',
|
'email': 'mail',
|
||||||
'name': 'name',
|
'name': 'name',
|
||||||
|
'description': 'description',
|
||||||
'enabled': 'enabled',
|
'enabled': 'enabled',
|
||||||
'default_project_id': 'default_project_id'}
|
'default_project_id': 'default_project_id'}
|
||||||
immutable_attrs = ['id']
|
immutable_attrs = ['id']
|
||||||
|
|
|
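Review bot: The new `'description': 'description'` entry in attribute_options_names changes what the driver reads for every LDAP user (the description attribute is now fetched by default), and nothing in the class records why; a one-line comment would spare the next reader a trip through the bug tracker: `# Also mapped on read (bug 1542417); operators drop it via user_attribute_ignore.`. Deployments that already carry `description:description` in user_additional_attribute_mapping now define the same keystone attribute twice; the release note says the extra mapping can be removed, but it is not visible here whether the driver tolerates the duplicate in the meantime, so a test for that configuration would be worthwhile. UserApi continues outside the hunk.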
@ -1100,8 +1100,9 @@ class DomainConfigManager(manager.Manager):
|
||||||
'alias_dereferencing', 'debug_level', 'chase_referrals',
|
'alias_dereferencing', 'debug_level', 'chase_referrals',
|
||||||
'user_tree_dn', 'user_filter', 'user_objectclass',
|
'user_tree_dn', 'user_filter', 'user_objectclass',
|
||||||
'user_id_attribute', 'user_name_attribute', 'user_mail_attribute',
|
'user_id_attribute', 'user_name_attribute', 'user_mail_attribute',
|
||||||
'user_pass_attribute', 'user_enabled_attribute',
|
'user_description_attribute', 'user_pass_attribute',
|
||||||
'user_enabled_invert', 'user_enabled_mask', 'user_enabled_default',
|
'user_enabled_attribute', 'user_enabled_invert',
|
||||||
|
'user_enabled_mask', 'user_enabled_default',
|
||||||
'user_attribute_ignore', 'user_default_project_id_attribute',
|
'user_attribute_ignore', 'user_default_project_id_attribute',
|
||||||
'user_allow_create', 'user_allow_update', 'user_allow_delete',
|
'user_allow_create', 'user_allow_update', 'user_allow_delete',
|
||||||
'user_enabled_emulation', 'user_enabled_emulation_dn',
|
'user_enabled_emulation', 'user_enabled_emulation_dn',
|
||||||
|
|
|
@ -1371,6 +1371,21 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
|
||||||
dn, attrs = self.identity_api.driver.user._ldap_get(user['id'])
|
dn, attrs = self.identity_api.driver.user._ldap_get(user['id'])
|
||||||
self.assertThat([user['name']], matchers.Equals(attrs['description']))
|
self.assertThat([user['name']], matchers.Equals(attrs['description']))
|
||||||
|
|
||||||
|
def test_user_description_attribute_mapping(self):
|
||||||
|
self.config_fixture.config(
|
||||||
|
group='ldap',
|
||||||
|
user_description_attribute='displayName')
|
||||||
|
self.load_backends()
|
||||||
|
|
||||||
|
user = self.new_user_ref(domain_id=CONF.identity.default_domain_id,
|
||||||
|
displayName=uuid.uuid4().hex)
|
||||||
|
description = user['displayName']
|
||||||
|
user = self.identity_api.create_user(user)
|
||||||
|
res = self.identity_api.driver.user.get_all()
|
||||||
|
|
||||||
|
new_user = [u for u in res if u['id'] == user['id']][0]
|
||||||
|
self.assertThat(new_user['description'], matchers.Equals(description))
|
||||||
|
|
||||||
def test_user_extra_attribute_mapping_description_is_returned(self):
|
def test_user_extra_attribute_mapping_description_is_returned(self):
|
||||||
# Given a mapping like description:description, the description is
|
# Given a mapping like description:description, the description is
|
||||||
# returned.
|
# returned.
|
||||||
|
|
|
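Review bot: The new test `test_user_description_attribute_mapping` asserts the mapped description only through `self.identity_api.driver.user.get_all()`, whereas the commit message describes the fix as covering user get (read) operations; a single-user fetch should be asserted as well, e.g. `self.assertThat(self.identity_api.get_user(user['id'])['description'], matchers.Equals(description))`, so a regression confined to the get path does not pass unnoticed. The test also passes the raw LDAP attribute name `displayName` as a key of the user ref handed to `create_user`; whether that is stored as an extra attribute and then read back through the new mapping is not visible in this hunk, so a short comment stating that expectation would help. LDAPIdentity continues outside the hunk.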
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- >
|
||||||
|
[`bug 1542417 <https://bugs.launchpad.net/keystone/+bug/1542417>`_]
|
||||||
|
Added support for a "user_description_attribute" mapping
|
||||||
|
to the LDAP driver configuration.
|
||||||
|
upgrade:
|
||||||
|
- >
|
||||||
|
The LDAP driver now also maps the user "description" attribute after
|
||||||
|
user retrieval from LDAP.
|
||||||
|
If this is undesired behavior for your setup, please add "description"
|
||||||
|
to the "user_attribute_ignore" LDAP driver config setting.
|
||||||
|
|
||||||
|
The default mapping of the description attribute is set to "description".
|
||||||
|
Please adjust the LDAP driver config setting "user_description_attribute"
|
||||||
|
if your LDAP uses a different attribute name (for instance to "displayName"
|
||||||
|
in case of an AD backed LDAP).
|
||||||
|
|
||||||
|
If your "user_additional_attribute_mapping" setting contains
|
||||||
|
"description:description" you can remove this mapping, since this is
|
||||||
|
now default behavior of the driver.
|