Allow overloading of username and tenant name in the config files.

Includes documentation and sample config file values. Bug 997700 Patchset adds DocImpact flag for notifying doc team about these new config file values. Change-Id: Ibd3fade3f233a3b89a1c2feaa0a6b5a9569ad86c
2012-07-26 15:30:39 -04:00 · 2012-07-26 15:30:39 -04:00 · 4f3dcb6c9b
commit 4f3dcb6c9b
parent be073f09d7
4 changed files with 20 additions and 1 deletions
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@ -805,3 +805,16 @@ The corresponding entries in the Keystone configuration file are::
  suffix = dc=openstack,dc=org
  user = dc=Manager,dc=openstack,dc=org
  password = badpassword
+
+The default object classes and attributes are intentionally simplistic.  They
+reflect the common standard objects according to the LDAP RFCs.  However,
+in a live deployment,  the correct attributes can be overridden to support a
+preexisting, more complex schema.  For example,  in the user object,  the
+objectClass posixAccount from RFC2307 is very common.  If this is the
+underlying objectclass, then the *uid* field should probably be *uidNumber* and
+*username* field either *uid* or *cn*.  To change these two fields,  the
+corresponding entries in the Keystone configuration file are::
+
+  [ldap]
+  user_id_attribute = uidNumber
+  user_name_attribute = cn
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@ -109,11 +109,13 @@
 # user_tree_dn = ou=Users,dc=example,dc=com
 # user_objectclass = inetOrgPerson
 # user_id_attribute = cn
+# user_name_attribute = sn

 # tenant_tree_dn = ou=Groups,dc=example,dc=com
 # tenant_objectclass = groupOfNames
 # tenant_id_attribute = cn
 # tenant_member_attribute = member
+# tenant_name_attribute = ou

 # role_tree_dn = ou=Roles,dc=example,dc=com
 # role_objectclass = organizationalRole
--- a/keystone/config.py
+++ b/keystone/config.py
@ -162,6 +162,8 @@ register_str('user', group='ldap', default='dc=Manager,dc=example,dc=com')
 register_str('password', group='ldap', default='freeipa4all')
 register_str('suffix', group='ldap', default='cn=example,cn=com')
 register_bool('use_dumb_member', group='ldap', default=False)
+register_str('user_name_attribute', group='ldap', default='sn')
+

 register_str('user_tree_dn', group='ldap', default=None)
 register_str('user_objectclass', group='ldap', default='inetOrgPerson')
@ -171,7 +173,7 @@ register_str('tenant_tree_dn', group='ldap', default=None)
 register_str('tenant_objectclass', group='ldap', default='groupOfNames')
 register_str('tenant_id_attribute', group='ldap', default='cn')
 register_str('tenant_member_attribute', group='ldap', default='member')
-
+register_str('tenant_name_attribute', group='ldap', default='ou')

 register_str('role_tree_dn', group='ldap', default=None)
 register_str('role_objectclass', group='ldap', default='organizationalRole')
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@ -337,6 +337,7 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):

    def __init__(self, conf):
        super(UserApi, self).__init__(conf)
+        self.attribute_mapping['name'] = conf.ldap.user_name_attribute
        self.api = ApiShim(conf)

    def get(self, id, filter=None):
@ -462,6 +463,7 @@ class TenantApi(common_ldap.BaseLdap, ApiShimMixin):
    def __init__(self, conf):
        super(TenantApi, self).__init__(conf)
        self.api = ApiShim(conf)
+        self.attribute_mapping['name'] = conf.ldap.tenant_name_attribute
        self.member_attribute = (getattr(conf.ldap, 'tenant_member_attribute')
                                 or self.DEFAULT_MEMBER_ATTRIBUTE)